001 /* X509CRL.java --- X.509 Certificate Revocation List
002 Copyright (C) 1999, 2004 Free Software Foundation, Inc.
003
004 This file is part of GNU Classpath.
005
006 GNU Classpath is free software; you can redistribute it and/or modify
007 it under the terms of the GNU General Public License as published by
008 the Free Software Foundation; either version 2, or (at your option)
009 any later version.
010
011 GNU Classpath is distributed in the hope that it will be useful, but
012 WITHOUT ANY WARRANTY; without even the implied warranty of
013 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
014 General Public License for more details.
015
016 You should have received a copy of the GNU General Public License
017 along with GNU Classpath; see the file COPYING. If not, write to the
018 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
019 02110-1301 USA.
020
021 Linking this library statically or dynamically with other modules is
022 making a combined work based on this library. Thus, the terms and
023 conditions of the GNU General Public License cover the whole
024 combination.
025
026 As a special exception, the copyright holders of this library give you
027 permission to link this library with independent modules to produce an
028 executable, regardless of the license terms of these independent
029 modules, and to copy and distribute the resulting executable under
030 terms of your choice, provided that you also meet, for each linked
031 independent module, the terms and conditions of the license of that
032 module. An independent module is a module which is not derived from
033 or based on this library. If you modify this library, you may extend
034 this exception to your version of the library, but you are not
035 obligated to do so. If you do not wish to do so, delete this
036 exception statement from your version. */
037
038
039 package java.security.cert;
040
041 import java.math.BigInteger;
042 import java.security.InvalidKeyException;
043 import java.security.NoSuchAlgorithmException;
044 import java.security.NoSuchProviderException;
045 import java.security.Principal;
046 import java.security.PublicKey;
047 import java.security.SignatureException;
048 import java.util.Date;
049 import java.util.Set;
050
051 import javax.security.auth.x500.X500Principal;
052
053 /**
054 The X509CRL class is the abstract class used to manage
055 X.509 Certificate Revocation Lists. The CRL is a list of
056 time stamped entries which indicate which lists have been
057 revoked. The list is signed by a Certificate Authority (CA)
058 and made publically available in a repository.
059
060 Each revoked certificate in the CRL is identified by its
061 certificate serial number. When a piece of code uses a
062 certificate, the certificates validity is checked by
063 validating its signature and determing that it is not
064 only a recently acquired CRL. The recently aquired CRL
065 is depends on the local policy in affect. The CA issues
066 a new CRL periodically and entries are removed as the
067 certificate expiration date is reached
068
069
070 A description of the X.509 v2 CRL follows below from rfc2459.
071
072 "The X.509 v2 CRL syntax is as follows. For signature calculation,
073 the data that is to be signed is ASN.1 DER encoded. ASN.1 DER
074 encoding is a tag, length, value encoding system for each element.
075
076 CertificateList ::= SEQUENCE {
077 tbsCertList TBSCertList,
078 signatureAlgorithm AlgorithmIdentifier,
079 signatureValue BIT STRING }
080
081 TBSCertList ::= SEQUENCE {
082 version Version OPTIONAL,
083 -- if present, shall be v2
084 signature AlgorithmIdentifier,
085 issuer Name,
086 thisUpdate Time,
087 nextUpdate Time OPTIONAL,
088 revokedCertificates SEQUENCE OF SEQUENCE {
089 userCertificate CertificateSerialNumber,
090 revocationDate Time,
091 crlEntryExtensions Extensions OPTIONAL
092 -- if present, shall be v2
093 } OPTIONAL,
094 crlExtensions [0] EXPLICIT Extensions OPTIONAL
095 -- if present, shall be v2
096 }"
097
098 @author Mark Benvenuto
099
100 @since 1.2
101 */
102 public abstract class X509CRL extends CRL implements X509Extension
103 {
104
105 /**
106 Constructs a new X509CRL.
107 */
108 protected X509CRL()
109 {
110 super("X.509");
111 }
112
113 /**
114 Compares this X509CRL to other. It checks if the
115 object if instanceOf X509CRL and then checks if
116 the encoded form matches.
117
118 @param other An Object to test for equality
119
120 @return true if equal, false otherwise
121 */
122 public boolean equals(Object other)
123 {
124 if( other instanceof X509CRL ) {
125 try {
126 X509CRL x = (X509CRL) other;
127 if( getEncoded().length != x.getEncoded().length )
128 return false;
129
130 byte[] b1 = getEncoded();
131 byte[] b2 = x.getEncoded();
132
133 for( int i = 0; i < b1.length; i++ )
134 if( b1[i] != b2[i] )
135 return false;
136
137 } catch( CRLException crle ) {
138 return false;
139 }
140 return true;
141 }
142 return false;
143 }
144
145 /**
146 Returns a hash code for this X509CRL in its encoded
147 form.
148
149 @return A hash code of this class
150 */
151 public int hashCode()
152 {
153 return super.hashCode();
154 }
155
156 /**
157 Gets the DER ASN.1 encoded format for this X.509 CRL.
158
159 @return byte array containg encoded form
160
161 @throws CRLException if an error occurs
162 */
163 public abstract byte[] getEncoded() throws CRLException;
164
165 /**
166 Verifies that this CRL was properly signed with the
167 PublicKey that corresponds to its private key.
168
169 @param key PublicKey to verify with
170
171 @throws CRLException encoding error
172 @throws NoSuchAlgorithmException unsupported algorithm
173 @throws InvalidKeyException incorrect key
174 @throws NoSuchProviderException no provider
175 @throws SignatureException signature error
176 */
177 public abstract void verify(PublicKey key)
178 throws CRLException,
179 NoSuchAlgorithmException,
180 InvalidKeyException,
181 NoSuchProviderException,
182 SignatureException;
183
184 /**
185 Verifies that this CRL was properly signed with the
186 PublicKey that corresponds to its private key and uses
187 the signature engine provided by the provider.
188
189 @param key PublicKey to verify with
190 @param sigProvider Provider to use for signature algorithm
191
192 @throws CRLException encoding error
193 @throws NoSuchAlgorithmException unsupported algorithm
194 @throws InvalidKeyException incorrect key
195 @throws NoSuchProviderException incorrect provider
196 @throws SignatureException signature error
197 */
198 public abstract void verify(PublicKey key,
199 String sigProvider)
200 throws CRLException,
201 NoSuchAlgorithmException,
202 InvalidKeyException,
203 NoSuchProviderException,
204 SignatureException;
205
206 /**
207 Gets the version of this CRL.
208
209 The ASN.1 encoding is:
210
211 version Version OPTIONAL,
212 -- if present, shall be v2
213
214 Version ::= INTEGER { v1(0), v2(1), v3(2) }
215
216 Consult rfc2459 for more information.
217
218 @return the version number, Ex: 1 or 2
219 */
220 public abstract int getVersion();
221
222 /**
223 Returns the issuer (issuer distinguished name) of the CRL.
224 The issuer is the entity who signed and issued the
225 Certificate Revocation List.
226
227 The ASN.1 DER encoding is:
228
229 issuer Name,
230
231 Name ::= CHOICE {
232 RDNSequence }
233
234 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
235
236 RelativeDistinguishedName ::=
237 SET OF AttributeTypeAndValue
238
239 AttributeTypeAndValue ::= SEQUENCE {
240 type AttributeType,
241 value AttributeValue }
242
243 AttributeType ::= OBJECT IDENTIFIER
244
245 AttributeValue ::= ANY DEFINED BY AttributeType
246
247 DirectoryString ::= CHOICE {
248 teletexString TeletexString (SIZE (1..MAX)),
249 printableString PrintableString (SIZE (1..MAX)),
250 universalString UniversalString (SIZE (1..MAX)),
251 utf8String UTF8String (SIZE (1.. MAX)),
252 bmpString BMPString (SIZE (1..MAX)) }
253
254 Consult rfc2459 for more information.
255
256 @return the issuer in the Principal class
257 */
258 public abstract Principal getIssuerDN();
259
260 /**
261 Returns the thisUpdate date of the CRL.
262
263 The ASN.1 DER encoding is:
264
265 thisUpdate Time,
266
267 Time ::= CHOICE {
268 utcTime UTCTime,
269 generalTime GeneralizedTime }
270
271 Consult rfc2459 for more information.
272
273 @return the thisUpdate date
274 */
275 public abstract Date getThisUpdate();
276
277 /*
278 Gets the nextUpdate field
279
280 The ASN.1 DER encoding is:
281
282 nextUpdate Time OPTIONAL,
283
284 Time ::= CHOICE {
285 utcTime UTCTime,
286 generalTime GeneralizedTime }
287
288 Consult rfc2459 for more information.
289
290 @return the nextUpdate date
291 */
292 public abstract Date getNextUpdate();
293
294 /**
295 Gets the requeste dX509Entry for the specified
296 certificate serial number.
297
298 @return a X509CRLEntry representing the X.509 CRL entry
299 */
300 public abstract X509CRLEntry getRevokedCertificate(BigInteger serialNumber);
301
302 /**
303 Returns a Set of revoked certificates.
304
305 @return a set of revoked certificates.
306 */
307 public abstract Set<? extends X509CRLEntry> getRevokedCertificates();
308
309 /**
310 Returns the DER ASN.1 encoded tbsCertList which is
311 the basic information of the list and associated certificates
312 in the encoded state. See top for more information.
313
314 The ASN.1 DER encoding is:
315
316 tbsCertList TBSCertList,
317
318 Consult rfc2459 for more information.
319
320 @return byte array representing tbsCertList
321 */
322 public abstract byte[] getTBSCertList() throws CRLException;
323
324
325 /**
326 Returns the signature for the CRL.
327
328 The ASN.1 DER encoding is:
329
330 signatureValue BIT STRING
331
332 Consult rfc2459 for more information.
333 */
334 public abstract byte[] getSignature();
335
336 /**
337 Returns the signature algorithm used to sign the CRL.
338 An examples is "SHA-1/DSA".
339
340 The ASN.1 DER encoding is:
341
342 signatureAlgorithm AlgorithmIdentifier,
343
344 AlgorithmIdentifier ::= SEQUENCE {
345 algorithm OBJECT IDENTIFIER,
346 parameters ANY DEFINED BY algorithm OPTIONAL }
347
348 Consult rfc2459 for more information.
349
350 The algorithm name is determined from the OID.
351
352 @return a string with the signature algorithm name
353 */
354 public abstract String getSigAlgName();
355
356 /**
357 Returns the OID for the signature algorithm used.
358 Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\
359
360 The ASN.1 DER encoding for the example is:
361
362 id-dsa-with-sha1 ID ::= {
363 iso(1) member-body(2) us(840) x9-57 (10040)
364 x9cm(4) 3 }
365
366 Consult rfc2459 for more information.
367
368 @return a string containing the OID.
369 */
370 public abstract String getSigAlgOID();
371
372 /**
373 Returns the AlgorithmParameters in the encoded form
374 for the signature algorithm used.
375
376 If access to the parameters is need, create an
377 instance of AlgorithmParameters.
378
379 @return byte array containing algorithm parameters, null
380 if no parameters are present in CRL
381 */
382 public abstract byte[] getSigAlgParams();
383
384 // 1.4 instance methods.
385 // ------------------------------------------------------------------------
386
387 /**
388 * Returns the X.500 distinguished name of this CRL's issuer.
389 *
390 * @return The issuer's X.500 distinguished name.
391 * @since JDK 1.4
392 */
393 public X500Principal getIssuerX500Principal()
394 {
395 throw new UnsupportedOperationException();
396 }
397 }