1 /* 2 * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security.cert; 27 28 import java.security.NoSuchAlgorithmException; 29 import java.security.NoSuchProviderException; 30 import java.security.InvalidKeyException; 31 import java.security.SignatureException; 32 import java.security.Principal; 33 import java.security.Provider; 34 import java.security.PublicKey; 35 import javax.security.auth.x500.X500Principal; 36 37 import java.math.BigInteger; 38 import java.util.Date; 39 import java.util.Set; 40 import java.util.Arrays; 41 42 import sun.security.x509.X509CRLImpl; 43 44 /** 45 * <p> 46 * Abstract class for an X.509 Certificate Revocation List (CRL). 47 * A CRL is a time-stamped list identifying revoked certificates. 48 * It is signed by a Certificate Authority (CA) and made freely 49 * available in a public repository. 50 * 51 * <p>Each revoked certificate is 52 * identified in a CRL by its certificate serial number. When a 53 * certificate-using system uses a certificate (e.g., for verifying a 54 * remote user's digital signature), that system not only checks the 55 * certificate signature and validity but also acquires a suitably- 56 * recent CRL and checks that the certificate serial number is not on 57 * that CRL. The meaning of "suitably-recent" may vary with local 58 * policy, but it usually means the most recently-issued CRL. A CA 59 * issues a new CRL on a regular periodic basis (e.g., hourly, daily, or 60 * weekly). Entries are added to CRLs as revocations occur, and an 61 * entry may be removed when the certificate expiration date is reached. 62 * <p> 63 * The X.509 v2 CRL format is described below in ASN.1: 64 * <pre> 65 * CertificateList ::= SEQUENCE { 66 * tbsCertList TBSCertList, 67 * signatureAlgorithm AlgorithmIdentifier, 68 * signature BIT STRING } 69 * </pre> 70 * <p> 71 * More information can be found in 72 * <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509 73 * Public Key Infrastructure Certificate and CRL Profile</a>. 74 * <p> 75 * The ASN.1 definition of {@code tbsCertList} is: 76 * <pre> 77 * TBSCertList ::= SEQUENCE { 78 * version Version OPTIONAL, 79 * -- if present, must be v2 80 * signature AlgorithmIdentifier, 81 * issuer Name, 82 * thisUpdate ChoiceOfTime, 83 * nextUpdate ChoiceOfTime OPTIONAL, 84 * revokedCertificates SEQUENCE OF SEQUENCE { 85 * userCertificate CertificateSerialNumber, 86 * revocationDate ChoiceOfTime, 87 * crlEntryExtensions Extensions OPTIONAL 88 * -- if present, must be v2 89 * } OPTIONAL, 90 * crlExtensions [0] EXPLICIT Extensions OPTIONAL 91 * -- if present, must be v2 92 * } 93 * </pre> 94 * <p> 95 * CRLs are instantiated using a certificate factory. The following is an 96 * example of how to instantiate an X.509 CRL: 97 * <pre>{@code 98 * try (InputStream inStream = new FileInputStream("fileName-of-crl")) { 99 * CertificateFactory cf = CertificateFactory.getInstance("X.509"); 100 * X509CRL crl = (X509CRL)cf.generateCRL(inStream); 101 * } 102 * }</pre> 103 * 104 * @author Hemma Prafullchandra 105 * 106 * 107 * @see CRL 108 * @see CertificateFactory 109 * @see X509Extension 110 */ 111 112 public abstract class X509CRL extends CRL implements X509Extension { 113 114 private transient X500Principal issuerPrincipal; 115 116 /** 117 * Constructor for X.509 CRLs. 118 */ X509CRL()119 protected X509CRL() { 120 super("X.509"); 121 } 122 123 /** 124 * Compares this CRL for equality with the given 125 * object. If the {@code other} object is an 126 * {@code instanceof} {@code X509CRL}, then 127 * its encoded form is retrieved and compared with the 128 * encoded form of this CRL. 129 * 130 * @param other the object to test for equality with this CRL. 131 * 132 * @return true iff the encoded forms of the two CRLs 133 * match, false otherwise. 134 */ equals(Object other)135 public boolean equals(Object other) { 136 if (this == other) { 137 return true; 138 } 139 if (!(other instanceof X509CRL)) { 140 return false; 141 } 142 try { 143 byte[] thisCRL = X509CRLImpl.getEncodedInternal(this); 144 byte[] otherCRL = X509CRLImpl.getEncodedInternal((X509CRL)other); 145 146 return Arrays.equals(thisCRL, otherCRL); 147 } catch (CRLException e) { 148 return false; 149 } 150 } 151 152 /** 153 * Returns a hashcode value for this CRL from its 154 * encoded form. 155 * 156 * @return the hashcode value. 157 */ hashCode()158 public int hashCode() { 159 int retval = 0; 160 try { 161 byte[] crlData = X509CRLImpl.getEncodedInternal(this); 162 for (int i = 1; i < crlData.length; i++) { 163 retval += crlData[i] * i; 164 } 165 return retval; 166 } catch (CRLException e) { 167 return retval; 168 } 169 } 170 171 /** 172 * Returns the ASN.1 DER-encoded form of this CRL. 173 * 174 * @return the encoded form of this certificate 175 * @exception CRLException if an encoding error occurs. 176 */ getEncoded()177 public abstract byte[] getEncoded() 178 throws CRLException; 179 180 /** 181 * Verifies that this CRL was signed using the 182 * private key that corresponds to the given public key. 183 * 184 * @param key the PublicKey used to carry out the verification. 185 * 186 * @exception NoSuchAlgorithmException on unsupported signature 187 * algorithms. 188 * @exception InvalidKeyException on incorrect key. 189 * @exception NoSuchProviderException if there's no default provider. 190 * @exception SignatureException on signature errors. 191 * @exception CRLException on encoding errors. 192 */ verify(PublicKey key)193 public abstract void verify(PublicKey key) 194 throws CRLException, NoSuchAlgorithmException, 195 InvalidKeyException, NoSuchProviderException, 196 SignatureException; 197 198 /** 199 * Verifies that this CRL was signed using the 200 * private key that corresponds to the given public key. 201 * This method uses the signature verification engine 202 * supplied by the given provider. 203 * 204 * @param key the PublicKey used to carry out the verification. 205 * @param sigProvider the name of the signature provider. 206 * 207 * @exception NoSuchAlgorithmException on unsupported signature 208 * algorithms. 209 * @exception InvalidKeyException on incorrect key. 210 * @exception NoSuchProviderException on incorrect provider. 211 * @exception SignatureException on signature errors. 212 * @exception CRLException on encoding errors. 213 */ verify(PublicKey key, String sigProvider)214 public abstract void verify(PublicKey key, String sigProvider) 215 throws CRLException, NoSuchAlgorithmException, 216 InvalidKeyException, NoSuchProviderException, 217 SignatureException; 218 219 /** 220 * Verifies that this CRL was signed using the 221 * private key that corresponds to the given public key. 222 * This method uses the signature verification engine 223 * supplied by the given provider. Note that the specified Provider object 224 * does not have to be registered in the provider list. 225 * 226 * This method was added to version 1.8 of the Java Platform Standard 227 * Edition. In order to maintain backwards compatibility with existing 228 * service providers, this method is not {@code abstract} 229 * and it provides a default implementation. 230 * 231 * @param key the PublicKey used to carry out the verification. 232 * @param sigProvider the signature provider. 233 * 234 * @exception NoSuchAlgorithmException on unsupported signature 235 * algorithms. 236 * @exception InvalidKeyException on incorrect key. 237 * @exception SignatureException on signature errors. 238 * @exception CRLException on encoding errors. 239 * @since 1.8 240 */ verify(PublicKey key, Provider sigProvider)241 public void verify(PublicKey key, Provider sigProvider) 242 throws CRLException, NoSuchAlgorithmException, 243 InvalidKeyException, SignatureException { 244 // Android-changed: Eliminate infinite recursion in default implementation. 245 // As the javadoc says, this "default implementation" was introduced as to avoid breaking 246 // providers that generate concrete subclasses of this class. 247 // The method X509Impl in the original definition calls this method, thus entering an 248 // infinite recursive loop. This strange behaviour was checked to be not specific to 249 // libcore by running a test with vogar --mode=jvm . See b/31294527. 250 // This is fixed upstream in OpenJDK 10. 251 // 252 // X509CRLImpl.verify(this, key, sigProvider); 253 throw new UnsupportedOperationException( 254 "X509CRL instance doesn't not support X509CRL#verify(PublicKey, Provider)"); 255 } 256 257 /** 258 * Gets the {@code version} (version number) value from the CRL. 259 * The ASN.1 definition for this is: 260 * <pre> 261 * version Version OPTIONAL, 262 * -- if present, must be v2 263 * 264 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 265 * -- v3 does not apply to CRLs but appears for consistency 266 * -- with definition of Version for certs 267 * </pre> 268 * 269 * @return the version number, i.e. 1 or 2. 270 */ getVersion()271 public abstract int getVersion(); 272 273 /** 274 * <strong>Denigrated</strong>, replaced by {@linkplain 275 * #getIssuerX500Principal()}. This method returns the {@code issuer} 276 * as an implementation specific Principal object, which should not be 277 * relied upon by portable code. 278 * 279 * <p> 280 * Gets the {@code issuer} (issuer distinguished name) value from 281 * the CRL. The issuer name identifies the entity that signed (and 282 * issued) the CRL. 283 * 284 * <p>The issuer name field contains an 285 * X.500 distinguished name (DN). 286 * The ASN.1 definition for this is: 287 * <pre> 288 * issuer Name 289 * 290 * Name ::= CHOICE { RDNSequence } 291 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 292 * RelativeDistinguishedName ::= 293 * SET OF AttributeValueAssertion 294 * 295 * AttributeValueAssertion ::= SEQUENCE { 296 * AttributeType, 297 * AttributeValue } 298 * AttributeType ::= OBJECT IDENTIFIER 299 * AttributeValue ::= ANY 300 * </pre> 301 * The {@code Name} describes a hierarchical name composed of 302 * attributes, 303 * such as country name, and corresponding values, such as US. 304 * The type of the {@code AttributeValue} component is determined by 305 * the {@code AttributeType}; in general it will be a 306 * {@code directoryString}. A {@code directoryString} is usually 307 * one of {@code PrintableString}, 308 * {@code TeletexString} or {@code UniversalString}. 309 * 310 * @return a Principal whose name is the issuer distinguished name. 311 */ getIssuerDN()312 public abstract Principal getIssuerDN(); 313 314 /** 315 * Returns the issuer (issuer distinguished name) value from the 316 * CRL as an {@code X500Principal}. 317 * <p> 318 * It is recommended that subclasses override this method. 319 * 320 * @return an {@code X500Principal} representing the issuer 321 * distinguished name 322 * @since 1.4 323 */ getIssuerX500Principal()324 public X500Principal getIssuerX500Principal() { 325 if (issuerPrincipal == null) { 326 issuerPrincipal = X509CRLImpl.getIssuerX500Principal(this); 327 } 328 return issuerPrincipal; 329 } 330 331 /** 332 * Gets the {@code thisUpdate} date from the CRL. 333 * The ASN.1 definition for this is: 334 * <pre> 335 * thisUpdate ChoiceOfTime 336 * ChoiceOfTime ::= CHOICE { 337 * utcTime UTCTime, 338 * generalTime GeneralizedTime } 339 * </pre> 340 * 341 * @return the {@code thisUpdate} date from the CRL. 342 */ getThisUpdate()343 public abstract Date getThisUpdate(); 344 345 /** 346 * Gets the {@code nextUpdate} date from the CRL. 347 * 348 * @return the {@code nextUpdate} date from the CRL, or null if 349 * not present. 350 */ getNextUpdate()351 public abstract Date getNextUpdate(); 352 353 /** 354 * Gets the CRL entry, if any, with the given certificate serialNumber. 355 * 356 * @param serialNumber the serial number of the certificate for which a CRL entry 357 * is to be looked up 358 * @return the entry with the given serial number, or null if no such entry 359 * exists in this CRL. 360 * @see X509CRLEntry 361 */ 362 public abstract X509CRLEntry getRevokedCertificate(BigInteger serialNumber)363 getRevokedCertificate(BigInteger serialNumber); 364 365 /** 366 * Get the CRL entry, if any, for the given certificate. 367 * 368 * <p>This method can be used to lookup CRL entries in indirect CRLs, 369 * that means CRLs that contain entries from issuers other than the CRL 370 * issuer. The default implementation will only return entries for 371 * certificates issued by the CRL issuer. Subclasses that wish to 372 * support indirect CRLs should override this method. 373 * 374 * @param certificate the certificate for which a CRL entry is to be looked 375 * up 376 * @return the entry for the given certificate, or null if no such entry 377 * exists in this CRL. 378 * @exception NullPointerException if certificate is null 379 * 380 * @since 1.5 381 */ getRevokedCertificate(X509Certificate certificate)382 public X509CRLEntry getRevokedCertificate(X509Certificate certificate) { 383 X500Principal certIssuer = certificate.getIssuerX500Principal(); 384 X500Principal crlIssuer = getIssuerX500Principal(); 385 if (certIssuer.equals(crlIssuer) == false) { 386 return null; 387 } 388 return getRevokedCertificate(certificate.getSerialNumber()); 389 } 390 391 /** 392 * Gets all the entries from this CRL. 393 * This returns a Set of X509CRLEntry objects. 394 * 395 * @return all the entries or null if there are none present. 396 * @see X509CRLEntry 397 */ getRevokedCertificates()398 public abstract Set<? extends X509CRLEntry> getRevokedCertificates(); 399 400 /** 401 * Gets the DER-encoded CRL information, the 402 * {@code tbsCertList} from this CRL. 403 * This can be used to verify the signature independently. 404 * 405 * @return the DER-encoded CRL information. 406 * @exception CRLException if an encoding error occurs. 407 */ getTBSCertList()408 public abstract byte[] getTBSCertList() throws CRLException; 409 410 /** 411 * Gets the {@code signature} value (the raw signature bits) from 412 * the CRL. 413 * The ASN.1 definition for this is: 414 * <pre> 415 * signature BIT STRING 416 * </pre> 417 * 418 * @return the signature. 419 */ getSignature()420 public abstract byte[] getSignature(); 421 422 /** 423 * Gets the signature algorithm name for the CRL 424 * signature algorithm. An example is the string "SHA256withRSA". 425 * The ASN.1 definition for this is: 426 * <pre> 427 * signatureAlgorithm AlgorithmIdentifier 428 * 429 * AlgorithmIdentifier ::= SEQUENCE { 430 * algorithm OBJECT IDENTIFIER, 431 * parameters ANY DEFINED BY algorithm OPTIONAL } 432 * -- contains a value of the type 433 * -- registered for use with the 434 * -- algorithm object identifier value 435 * </pre> 436 * 437 * <p>The algorithm name is determined from the {@code algorithm} 438 * OID string. 439 * 440 * @return the signature algorithm name. 441 */ getSigAlgName()442 public abstract String getSigAlgName(); 443 444 /** 445 * Gets the signature algorithm OID string from the CRL. 446 * An OID is represented by a set of nonnegative whole numbers separated 447 * by periods. 448 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1 449 * with DSA signature algorithm defined in 450 * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and 451 * Identifiers for the Internet X.509 Public Key Infrastructure Certificate 452 * and CRL Profile</a>. 453 * 454 * <p>See {@link #getSigAlgName() getSigAlgName} for 455 * relevant ASN.1 definitions. 456 * 457 * @return the signature algorithm OID string. 458 */ getSigAlgOID()459 public abstract String getSigAlgOID(); 460 461 /** 462 * Gets the DER-encoded signature algorithm parameters from this 463 * CRL's signature algorithm. In most cases, the signature 464 * algorithm parameters are null; the parameters are usually 465 * supplied with the public key. 466 * If access to individual parameter values is needed then use 467 * {@link java.security.AlgorithmParameters AlgorithmParameters} 468 * and instantiate with the name returned by 469 * {@link #getSigAlgName() getSigAlgName}. 470 * 471 * <p>See {@link #getSigAlgName() getSigAlgName} for 472 * relevant ASN.1 definitions. 473 * 474 * @return the DER-encoded signature algorithm parameters, or 475 * null if no parameters are present. 476 */ getSigAlgParams()477 public abstract byte[] getSigAlgParams(); 478 } 479