1. /*

  2.  * @(#)X509CRL.java	1.14 01/11/29

  3.  *

  4.  * Copyright 2002 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7.  

  8. package java.security.cert;

  9. 

  10. import java.security.NoSuchAlgorithmException;

  11. import java.security.NoSuchProviderException;

  12. import java.security.InvalidKeyException;

  13. import java.security.SignatureException;

  14. import java.security.Principal;

  15. import java.security.PublicKey;

  16. 

  17. import java.math.BigInteger;

  18. import java.util.Date;

  19. import java.util.Set;

  20. 

  21. /**

  22.  * <p>

  23.  * Abstract class for an X.509 Certificate Revocation List (CRL).

  24.  * A CRL is a time-stamped list identifying revoked certificates.

  25.  * It is signed by a Certificate Authority (CA) and made freely

  26.  * available in a public repository.  

  27.  * 

  28.  * <p>Each revoked certificate is

  29.  * identified in a CRL by its certificate serial number. When a

  30.  * certificate-using system uses a certificate (e.g., for verifying a

  31.  * remote user's digital signature), that system not only checks the

  32.  * certificate signature and validity but also acquires a suitably-

  33.  * recent CRL and checks that the certificate serial number is not on

  34.  * that CRL.  The meaning of "suitably-recent" may vary with local

  35.  * policy, but it usually means the most recently-issued CRL.  A CA

  36.  * issues a new CRL on a regular periodic basis (e.g., hourly, daily, or

  37.  * weekly).  Entries are added to CRLs as revocations occur, and an

  38.  * entry may be removed when the certificate expiration date is reached.

  39.  * <p>

  40.  * The X.509 v2 CRL format is described below in ASN.1:

  41.  * <pre>

  42.  * CertificateList  ::=  SEQUENCE  {

  43.  *     tbsCertList          TBSCertList,

  44.  *     signatureAlgorithm   AlgorithmIdentifier,

  45.  *     signature            BIT STRING  }

  46.  * </pre>

  47.  * <p>

  48.  * A good decription and profiling is provided in the IETF PKIX WG

  49.  * draft, Part I:  X.509 Certificate and CRL Profile,

  50.  * <draft-ietf-pkix-ipki-part1-07.txt>.

  51.  * <p>

  52.  * The ASN.1 definition of <code>tbsCertList</code> is:

  53.  * <pre>

  54.  * TBSCertList  ::=  SEQUENCE  {

  55.  *     version                 Version OPTIONAL,

  56.  *                             -- if present, must be v2

  57.  *     signature               AlgorithmIdentifier,

  58.  *     issuer                  Name,

  59.  *     thisUpdate              ChoiceOfTime,

  60.  *     nextUpdate              ChoiceOfTime OPTIONAL,

  61.  *     revokedCertificates     SEQUENCE OF SEQUENCE  {

  62.  *         userCertificate         CertificateSerialNumber,

  63.  *         revocationDate          ChoiceOfTime,

  64.  *         crlEntryExtensions      Extensions OPTIONAL

  65.  *                                 -- if present, must be v2

  66.  *         }  OPTIONAL,

  67.  *     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL

  68.  *                                  -- if present, must be v2

  69.  *     }

  70.  * </pre>

  71.  * <p>

  72.  * CRLs are instantiated using a certificate factory. The following is an

  73.  * example of how to instantiate an X.509 CRL:

  74.  * <pre><code> 

  75.  * InputStream inStream = new FileInputStream("fileName-of-crl");

  76.  * CertificateFactory cf = CertificateFactory.getInstance("X.509");

  77.  * X509CRL crl = (X509CRL)cf.generateCRL(inStream);

  78.  * inStream.close();

  79.  * </code></pre>

  80.  *

  81.  * @author Hemma Prafullchandra

  82.  *

  83.  * @version 1.14

  84.  *

  85.  * @see CRL

  86.  * @see CertificateFactory

  87.  * @see X509Extension

  88.  */

  89. 

  90. public abstract class X509CRL extends CRL implements X509Extension {

  91. 

  92.     /**

  93.      * Constructor for X.509 CRLs.

  94.      */

  95.     protected X509CRL() {

  96. 	super("X.509");

  97.     }

  98. 

  99.     /**

  100.      * Compares this CRL for equality with the given 

  101.      * object. If the <code>other</code> object is an 

  102.      * <code>instanceof</code> <code>X509CRL</code>, then

  103.      * its encoded form is retrieved and compared with the

  104.      * encoded form of this CRL.

  105.      * 

  106.      * @param other the object to test for equality with this CRL.

  107.      * 

  108.      * @return true iff the encoded forms of the two CRLs

  109.      * match, false otherwise.

  110.      */  

  111.     public boolean equals(Object other) {

  112.         if (this == other)

  113.             return true;

  114.         if (!(other instanceof X509CRL))

  115.             return false;

  116.         try {

  117.             byte[] thisCRL = this.getEncoded();

  118.             byte[] otherCRL = ((X509CRL)other).getEncoded();

  119. 

  120.             if (thisCRL.length != otherCRL.length)

  121.                 return false;

  122.             for (int i = 0; i < thisCRL.length; i++)

  123.                  if (thisCRL[i] != otherCRL[i])

  124.                      return false;

  125.             return true;

  126.         } catch (CRLException e) {

  127. 	    return false;

  128.         }

  129.     }

  130. 

  131.     /**

  132.      * Returns a hashcode value for this CRL from its

  133.      * encoded form.

  134.      *

  135.      * @return the hashcode value.

  136.      */  

  137.     public int hashCode() {

  138.         int     retval = 0;

  139.         try {

  140.             byte[] crlData = this.getEncoded();

  141.             for (int i = 1; i < crlData.length; i++) {

  142.                  retval += crlData[i] * i;

  143.             }

  144.             return(retval);

  145.         } catch (CRLException e) {

  146.             return(retval);

  147.         }

  148.     }

  149. 

  150.     /**

  151.      * Returns the ASN.1 DER-encoded form of this CRL.

  152.      *

  153.      * @exception CRLException if an encoding error occurs.

  154.      */

  155.     public abstract byte[] getEncoded()

  156.         throws CRLException;

  157. 

  158.     /**

  159.      * Verifies that this CRL was signed using the 

  160.      * private key that corresponds to the given public key.

  161.      *

  162.      * @param key the PublicKey used to carry out the verification.

  163.      *

  164.      * @exception NoSuchAlgorithmException on unsupported signature

  165.      * algorithms.

  166.      * @exception InvalidKeyException on incorrect key.

  167.      * @exception NoSuchProviderException if there's no default provider.

  168.      * @exception SignatureException on signature errors.

  169.      * @exception CRLException on encoding errors.

  170.      */  

  171.     public abstract void verify(PublicKey key)

  172.         throws CRLException,  NoSuchAlgorithmException,

  173.         InvalidKeyException, NoSuchProviderException,

  174.         SignatureException;

  175. 

  176.     /**

  177.      * Verifies that this CRL was signed using the 

  178.      * private key that corresponds to the given public key.

  179.      * This method uses the signature verification engine

  180.      * supplied by the given provider.

  181.      *

  182.      * @param key the PublicKey used to carry out the verification.

  183.      * @param sigProvider the name of the signature provider.

  184.      * 

  185.      * @exception NoSuchAlgorithmException on unsupported signature

  186.      * algorithms.

  187.      * @exception InvalidKeyException on incorrect key.

  188.      * @exception NoSuchProviderException on incorrect provider.

  189.      * @exception SignatureException on signature errors.

  190.      * @exception CRLException on encoding errors.

  191.      */  

  192.     public abstract void verify(PublicKey key, String sigProvider)

  193.         throws CRLException, NoSuchAlgorithmException,

  194.         InvalidKeyException, NoSuchProviderException,

  195.         SignatureException;

  196. 

  197.     /**

  198.      * Gets the <code>version</code> (version number) value from the CRL.

  199.      * The ASN.1 definition for this is:

  200.      * <pre>

  201.      * version    Version OPTIONAL,

  202.      *             -- if present, must be v2<p>

  203.      * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

  204.      *             -- v3 does not apply to CRLs but appears for consistency

  205.      *             -- with definition of Version for certs

  206.      * </pre>

  207.      *

  208.      * @return the version number, i.e. 1 or 2.

  209.      */

  210.     public abstract int getVersion();

  211. 

  212.     /**

  213.      * Gets the <code>issuer</code> (issuer distinguished name) value from 

  214.      * the CRL. The issuer name identifies the entity that signed (and

  215.      * issued) the CRL. 

  216.      * 

  217.      * <p>The issuer name field contains an

  218.      * X.500 distinguished name (DN).

  219.      * The ASN.1 definition for this is:

  220.      * <pre>

  221.      * issuer    Name

  222.      *

  223.      * Name ::= CHOICE { RDNSequence }

  224.      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

  225.      * RelativeDistinguishedName ::=

  226.      *     SET OF AttributeValueAssertion

  227.      *

  228.      * AttributeValueAssertion ::= SEQUENCE {

  229.      *                               AttributeType,

  230.      *                               AttributeValue }

  231.      * AttributeType ::= OBJECT IDENTIFIER

  232.      * AttributeValue ::= ANY

  233.      * </pre>

  234.      * The <code>Name</code> describes a hierarchical name composed of

  235.      * attributes,

  236.      * such as country name, and corresponding values, such as US.

  237.      * The type of the <code>AttributeValue</code> component is determined by

  238.      * the <code>AttributeType</code> in general it will be a 

  239.      * <code>directoryString</code>. A <code>directoryString</code> is usually 

  240.      * one of <code>PrintableString</code>,

  241.      * <code>TeletexString</code> or <code>UniversalString</code>.

  242.      * 

  243.      * @return a Principal whose name is the issuer distinguished name.

  244.      */

  245.     public abstract Principal getIssuerDN();

  246. 

  247.     /**

  248.      * Gets the <code>thisUpdate</code> date from the CRL.

  249.      * The ASN.1 definition for this is:

  250.      * <pre>

  251.      * thisUpdate   ChoiceOfTime

  252.      * ChoiceOfTime ::= CHOICE {

  253.      *     utcTime        UTCTime,

  254.      *     generalTime    GeneralizedTime }

  255.      * </pre>

  256.      *

  257.      * @return the <code>thisUpdate</code> date from the CRL.

  258.      */

  259.     public abstract Date getThisUpdate();

  260. 

  261.     /**

  262.      * Gets the <code>nextUpdate</code> date from the CRL.

  263.      *

  264.      * @return the <code>nextUpdate</code> date from the CRL, or null if

  265.      * not present.

  266.      */

  267.     public abstract Date getNextUpdate();

  268. 

  269.     /**

  270.      * Gets the CRL entry with the given <code>serialNumber</code>

  271.      * from this CRL.

  272.      *

  273.      * @return the entry with the given serial number, or null if no such entry

  274.      * exists in this CRL.

  275.      * @see X509CRLEntry

  276.      */

  277.     public abstract X509CRLEntry

  278.         getRevokedCertificate(BigInteger serialNumber);

  279.   

  280.     /**

  281.      * Gets all the entries from this CRL.

  282.      * This returns a Set of X509CRLEntry objects.

  283.      *

  284.      * @return all the entries or null if there are none present.

  285.      * @see X509CRLEntry

  286.      */

  287.     public abstract Set getRevokedCertificates();

  288.   

  289.     /**

  290.      * Gets the DER-encoded CRL information, the

  291.      * <code>tbsCertList</code> from this CRL.

  292.      * This can be used to verify the signature independently.

  293.      *

  294.      * @return the DER-encoded CRL information.

  295.      * @exception CRLException if an encoding error occurs.

  296.      */

  297.     public abstract byte[] getTBSCertList() throws CRLException;

  298. 

  299.     /**

  300.      * Gets the <code>signature</code> value (the raw signature bits) from 

  301.      * the CRL.

  302.      * The ASN.1 definition for this is:

  303.      * <pre>

  304.      * signature     BIT STRING  

  305.      * </pre>

  306.      *

  307.      * @return the signature.

  308.      */

  309.     public abstract byte[] getSignature();

  310. 

  311.     /**

  312.      * Gets the signature algorithm name for the CRL

  313.      * signature algorithm. An example is the string "SHA-1/DSA".

  314.      * The ASN.1 definition for this is:

  315.      * <pre>

  316.      * signatureAlgorithm   AlgorithmIdentifier<p>

  317.      * AlgorithmIdentifier  ::=  SEQUENCE  {

  318.      *     algorithm               OBJECT IDENTIFIER,

  319.      *     parameters              ANY DEFINED BY algorithm OPTIONAL  }

  320.      *                             -- contains a value of the type

  321.      *                             -- registered for use with the

  322.      *                             -- algorithm object identifier value

  323.      * </pre>

  324.      * 

  325.      * <p>The algorithm name is determined from the <code>algorithm</code>

  326.      * OID string.

  327.      *

  328.      * @return the signature algorithm name.

  329.      */

  330.     public abstract String getSigAlgName();

  331. 

  332.     /**

  333.      * Gets the signature algorithm OID string from the CRL.

  334.      * An OID is represented by a set of positive whole numbers separated

  335.      * by periods.

  336.      * For example, the string "1.2.840.10040.4.3" identifies the SHA-1

  337.      * with DSA signature algorithm, as per the PKIX part I.

  338.      * 

  339.      * <p>See {@link getSigAlgName()#getSigAlgName} for 

  340.      * relevant ASN.1 definitions.

  341.      *

  342.      * @return the signature algorithm OID string.

  343.      */

  344.     public abstract String getSigAlgOID();

  345. 

  346.     /**

  347.      * Gets the DER-encoded signature algorithm parameters from this

  348.      * CRL's signature algorithm. In most cases, the signature

  349.      * algorithm parameters are null; the parameters are usually

  350.      * supplied with the public key.

  351.      * If access to individual parameter values is needed then use

  352.      * {@link java.security.AlgorithmParameters AlgorithmParameters}

  353.      * and instantiate with the name returned by

  354.      * {@link getSigAlgName()#getSigAlgName}.

  355.      * 

  356.      * <p>See {@link getSigAlgName()#getSigAlgName} for 

  357.      * relevant ASN.1 definitions.

  358.      *

  359.      * @return the DER-encoded signature algorithm parameters, or

  360.      *         null if no parameters are present.

  361.      */

  362.     public abstract byte[] getSigAlgParams();

  363. }