public class

RFC3280CertPathUtilities

extends Object
java.lang.Object
   ↳ org.bouncycastle.jce.provider.RFC3280CertPathUtilities

Summary

Constants
String ANY_POLICY
int CRL_SIGN
int KEY_CERT_SIGN
Fields
protected static final String AUTHORITY_KEY_IDENTIFIER
protected static final String BASIC_CONSTRAINTS
protected static final String CERTIFICATE_POLICIES
protected static final String CRL_DISTRIBUTION_POINTS
protected static final String CRL_NUMBER
protected static final String DELTA_CRL_INDICATOR
protected static final String FRESHEST_CRL
protected static final String INHIBIT_ANY_POLICY
protected static final String ISSUING_DISTRIBUTION_POINT
protected static final String KEY_USAGE
protected static final String NAME_CONSTRAINTS
protected static final String POLICY_CONSTRAINTS
protected static final String POLICY_MAPPINGS
protected static final String SUBJECT_ALTERNATIVE_NAME
protected static final String[] crlReasons
Public Constructors
RFC3280CertPathUtilities()
Protected Methods
static void checkCRLs(ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts)
Checks whether a certificate is revoked.
static PKIXPolicyNode prepareCertB(CertPath certPath, int index, List[] policyNodes, PKIXPolicyNode validPolicyTree, int policyMapping)
static void prepareNextCertA(CertPath certPath, int index)
static void prepareNextCertG(CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator)
static int prepareNextCertH1(CertPath certPath, int index, int explicitPolicy)
static int prepareNextCertH2(CertPath certPath, int index, int policyMapping)
static int prepareNextCertH3(CertPath certPath, int index, int inhibitAnyPolicy)
static int prepareNextCertI1(CertPath certPath, int index, int explicitPolicy)
static int prepareNextCertI2(CertPath certPath, int index, int policyMapping)
static int prepareNextCertJ(CertPath certPath, int index, int inhibitAnyPolicy)
static void prepareNextCertK(CertPath certPath, int index)
static int prepareNextCertL(CertPath certPath, int index, int maxPathLength)
static int prepareNextCertM(CertPath certPath, int index, int maxPathLength)
static void prepareNextCertN(CertPath certPath, int index)
static void prepareNextCertO(CertPath certPath, int index, Set criticalExtensions, List pathCheckers)
static Set processCRLA1i(Date currentDate, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, X509CRL crl)
static Set[] processCRLA1ii(Date currentDate, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, X509CRL crl)
static void processCRLB1(DistributionPoint dp, Object cert, X509CRL crl)
If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches cRLIssuer in the DP and that the complete CRL contains an issuing distribution point extension with the indirectCRL boolean asserted.
static void processCRLB2(DistributionPoint dp, Object cert, X509CRL crl)
If the complete CRL includes an issuing distribution point (IDP) CRL extension check the following:

(i) If the distribution point name is present in the IDP CRL extension and the distribution field is present in the DP, then verify that one of the names in the IDP matches one of the names in the DP.

static void processCRLC(X509CRL deltaCRL, X509CRL completeCRL, ExtendedPKIXParameters pkixParams)
If use-deltas is set, verify the issuer and scope of the delta CRL.
static ReasonsMask processCRLD(X509CRL crl, DistributionPoint dp)
static Set processCRLF(X509CRL crl, Object cert, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, ExtendedPKIXParameters paramsPKIX, List certPathCerts)
Obtain and validate the certification path for the complete CRL issuer.
static PublicKey processCRLG(X509CRL crl, Set keys)
static X509CRL processCRLH(Set deltacrls, PublicKey key)
static void processCRLI(Date validDate, X509CRL deltacrl, Object cert, CertStatus certStatus, ExtendedPKIXParameters pkixParams)
static void processCRLJ(Date validDate, X509CRL completecrl, Object cert, CertStatus certStatus)
static void processCertA(CertPath certPath, ExtendedPKIXParameters paramsPKIX, int index, PublicKey workingPublicKey, boolean verificationAlreadyPerformed, X500Principal workingIssuerName, X509Certificate sign)
static void processCertBC(CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator)
static PKIXPolicyNode processCertD(CertPath certPath, int index, Set acceptablePolicies, PKIXPolicyNode validPolicyTree, List[] policyNodes, int inhibitAnyPolicy)
static PKIXPolicyNode processCertE(CertPath certPath, int index, PKIXPolicyNode validPolicyTree)
static void processCertF(CertPath certPath, int index, PKIXPolicyNode validPolicyTree, int explicitPolicy)
static int wrapupCertA(int explicitPolicy, X509Certificate cert)
static int wrapupCertB(CertPath certPath, int index, int explicitPolicy)
static void wrapupCertF(CertPath certPath, int index, List pathCheckers, Set criticalExtensions)
static PKIXPolicyNode wrapupCertG(CertPath certPath, ExtendedPKIXParameters paramsPKIX, Set userInitialPolicySet, int index, List[] policyNodes, PKIXPolicyNode validPolicyTree, Set acceptablePolicies)
Inherited Methods
From class java.lang.Object

Constants

protected static final String ANY_POLICY

Constant Value: "2.5.29.32.0"

protected static final int CRL_SIGN

Constant Value: 6 (0x00000006)

protected static final int KEY_CERT_SIGN

Constant Value: 5 (0x00000005)

Fields

protected static final String AUTHORITY_KEY_IDENTIFIER

protected static final String BASIC_CONSTRAINTS

protected static final String CERTIFICATE_POLICIES

protected static final String CRL_DISTRIBUTION_POINTS

protected static final String CRL_NUMBER

protected static final String DELTA_CRL_INDICATOR

protected static final String FRESHEST_CRL

protected static final String INHIBIT_ANY_POLICY

protected static final String ISSUING_DISTRIBUTION_POINT

protected static final String KEY_USAGE

protected static final String NAME_CONSTRAINTS

protected static final String POLICY_CONSTRAINTS

protected static final String POLICY_MAPPINGS

protected static final String SUBJECT_ALTERNATIVE_NAME

protected static final String[] crlReasons

Public Constructors

public RFC3280CertPathUtilities ()

Protected Methods

protected static void checkCRLs (ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts)

Checks whether a certificate is revoked.

Parameters
paramsPKIX PKIX parameters.
cert The certificate to check for revocation.
validDate The date when the certificate revocation status should be checked.
sign The issuer certificate of the certificate cert.
workingPublicKey The public key of the issuer certificate sign.
certPathCerts The certificates of the certification path.
Throws
AnnotatedException if the certificate is revoked or the status cannot be checked or some error occurs.

protected static PKIXPolicyNode prepareCertB (CertPath certPath, int index, List[] policyNodes, PKIXPolicyNode validPolicyTree, int policyMapping)

protected static void prepareNextCertA (CertPath certPath, int index)

protected static void prepareNextCertG (CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator)

protected static int prepareNextCertH1 (CertPath certPath, int index, int explicitPolicy)

protected static int prepareNextCertH2 (CertPath certPath, int index, int policyMapping)

protected static int prepareNextCertH3 (CertPath certPath, int index, int inhibitAnyPolicy)

protected static int prepareNextCertI1 (CertPath certPath, int index, int explicitPolicy)

protected static int prepareNextCertI2 (CertPath certPath, int index, int policyMapping)

protected static int prepareNextCertJ (CertPath certPath, int index, int inhibitAnyPolicy)

protected static void prepareNextCertK (CertPath certPath, int index)

protected static int prepareNextCertL (CertPath certPath, int index, int maxPathLength)

protected static int prepareNextCertM (CertPath certPath, int index, int maxPathLength)

protected static void prepareNextCertN (CertPath certPath, int index)

protected static void prepareNextCertO (CertPath certPath, int index, Set criticalExtensions, List pathCheckers)

protected static Set processCRLA1i (Date currentDate, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, X509CRL crl)

protected static Set[] processCRLA1ii (Date currentDate, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, X509CRL crl)

protected static void processCRLB1 (DistributionPoint dp, Object cert, X509CRL crl)

If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches cRLIssuer in the DP and that the complete CRL contains an issuing distribution point extension with the indirectCRL boolean asserted. Otherwise, verify that the CRL issuer matches the certificate issuer.

Parameters
dp The distribution point.
cert The certificate or attribute certificate.
crl The CRL for cert.
Throws
AnnotatedException if one of the above conditions does not apply or an error occurs.

protected static void processCRLB2 (DistributionPoint dp, Object cert, X509CRL crl)

If the complete CRL includes an issuing distribution point (IDP) CRL extension check the following:

(i) If the distribution point name is present in the IDP CRL extension and the distribution field is present in the DP, then verify that one of the names in the IDP matches one of the names in the DP. If the distribution point name is present in the IDP CRL extension and the distribution field is omitted from the DP, then verify that one of the names in the IDP matches one of the names in the cRLIssuer field of the DP.

(ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL extension, verify that the certificate does not include the basic constraints extension with the cA boolean asserted.

(iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL extension, verify that the certificate includes the basic constraints extension with the cA boolean asserted.

(iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.

Parameters
dp The distribution point.
cert The certificate.
crl The CRL.
Throws
AnnotatedException if one of the conditions is not met or an error occurs.

protected static void processCRLC (X509CRL deltaCRL, X509CRL completeCRL, ExtendedPKIXParameters pkixParams)

If use-deltas is set, verify the issuer and scope of the delta CRL.

Parameters
deltaCRL The delta CRL.
completeCRL The complete CRL.
pkixParams The PKIX parameters.
Throws
AnnotatedException if an exception occurs.

protected static ReasonsMask processCRLD (X509CRL crl, DistributionPoint dp)

protected static Set processCRLF (X509CRL crl, Object cert, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, ExtendedPKIXParameters paramsPKIX, List certPathCerts)

Obtain and validate the certification path for the complete CRL issuer. If a key usage extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.

Parameters
crl CRL which contains revocation information for the certificate cert.
cert The certificate or attribute certificate to check for revocation.
defaultCRLSignCert The issuer certificate of the certificate cert.
defaultCRLSignKey The public key of the issuer certificate defaultCRLSignCert.
paramsPKIX PKIX parameters.
certPathCerts The certificates on the certification path.
Returns
  • A Set with all keys of possible CRL issuer certificates.
Throws
AnnotatedException if the CRL is not valid or the status cannot be checked or some error occurs.

protected static PublicKey processCRLG (X509CRL crl, Set keys)

protected static X509CRL processCRLH (Set deltacrls, PublicKey key)

protected static void processCRLI (Date validDate, X509CRL deltacrl, Object cert, CertStatus certStatus, ExtendedPKIXParameters pkixParams)

protected static void processCRLJ (Date validDate, X509CRL completecrl, Object cert, CertStatus certStatus)

protected static void processCertA (CertPath certPath, ExtendedPKIXParameters paramsPKIX, int index, PublicKey workingPublicKey, boolean verificationAlreadyPerformed, X500Principal workingIssuerName, X509Certificate sign)

protected static void processCertBC (CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator)

protected static PKIXPolicyNode processCertD (CertPath certPath, int index, Set acceptablePolicies, PKIXPolicyNode validPolicyTree, List[] policyNodes, int inhibitAnyPolicy)

protected static PKIXPolicyNode processCertE (CertPath certPath, int index, PKIXPolicyNode validPolicyTree)

protected static void processCertF (CertPath certPath, int index, PKIXPolicyNode validPolicyTree, int explicitPolicy)

protected static int wrapupCertA (int explicitPolicy, X509Certificate cert)

protected static int wrapupCertB (CertPath certPath, int index, int explicitPolicy)

protected static void wrapupCertF (CertPath certPath, int index, List pathCheckers, Set criticalExtensions)

protected static PKIXPolicyNode wrapupCertG (CertPath certPath, ExtendedPKIXParameters paramsPKIX, Set userInitialPolicySet, int index, List[] policyNodes, PKIXPolicyNode validPolicyTree, Set acceptablePolicies)