1. /*

  2.  * @(#)X509CRL.java	1.18 00/02/02

  3.  *

  4.  * Copyright 1997-2000 Sun Microsystems, Inc. All Rights Reserved.

  5.  * 

  6.  * This software is the proprietary information of Sun Microsystems, Inc.  

  7.  * Use is subject to license terms.

  8.  * 

  9.  */

  10.  

  11. package java.security.cert;

  12. 

  13. import java.security.NoSuchAlgorithmException;

  14. import java.security.NoSuchProviderException;

  15. import java.security.InvalidKeyException;

  16. import java.security.SignatureException;

  17. import java.security.Principal;

  18. import java.security.PublicKey;

  19. 

  20. import java.math.BigInteger;

  21. import java.util.Date;

  22. import java.util.Set;

  23. 

  24. /**

  25.  * <p>

  26.  * Abstract class for an X.509 Certificate Revocation List (CRL).

  27.  * A CRL is a time-stamped list identifying revoked certificates.

  28.  * It is signed by a Certificate Authority (CA) and made freely

  29.  * available in a public repository.  

  30.  * 

  31.  * <p>Each revoked certificate is

  32.  * identified in a CRL by its certificate serial number. When a

  33.  * certificate-using system uses a certificate (e.g., for verifying a

  34.  * remote user's digital signature), that system not only checks the

  35.  * certificate signature and validity but also acquires a suitably-

  36.  * recent CRL and checks that the certificate serial number is not on

  37.  * that CRL.  The meaning of "suitably-recent" may vary with local

  38.  * policy, but it usually means the most recently-issued CRL.  A CA

  39.  * issues a new CRL on a regular periodic basis (e.g., hourly, daily, or

  40.  * weekly).  Entries are added to CRLs as revocations occur, and an

  41.  * entry may be removed when the certificate expiration date is reached.

  42.  * <p>

  43.  * The X.509 v2 CRL format is described below in ASN.1:

  44.  * <pre>

  45.  * CertificateList  ::=  SEQUENCE  {

  46.  *     tbsCertList          TBSCertList,

  47.  *     signatureAlgorithm   AlgorithmIdentifier,

  48.  *     signature            BIT STRING  }

  49.  * </pre>

  50.  * <p>

  51.  * More information can be found in RFC 2459,

  52.  * "Internet X.509 Public Key Infrastructure Certificate and CRL

  53.  * Profile" at <A HREF="http://www.ietf.org/rfc/rfc2459.txt">

  54.  * http://www.ietf.org/rfc/rfc2459.txt </A>.    

  55.  * <p>

  56.  * The ASN.1 definition of <code>tbsCertList</code> is:

  57.  * <pre>

  58.  * TBSCertList  ::=  SEQUENCE  {

  59.  *     version                 Version OPTIONAL,

  60.  *                             -- if present, must be v2

  61.  *     signature               AlgorithmIdentifier,

  62.  *     issuer                  Name,

  63.  *     thisUpdate              ChoiceOfTime,

  64.  *     nextUpdate              ChoiceOfTime OPTIONAL,

  65.  *     revokedCertificates     SEQUENCE OF SEQUENCE  {

  66.  *         userCertificate         CertificateSerialNumber,

  67.  *         revocationDate          ChoiceOfTime,

  68.  *         crlEntryExtensions      Extensions OPTIONAL

  69.  *                                 -- if present, must be v2

  70.  *         }  OPTIONAL,

  71.  *     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL

  72.  *                                  -- if present, must be v2

  73.  *     }

  74.  * </pre>

  75.  * <p>

  76.  * CRLs are instantiated using a certificate factory. The following is an

  77.  * example of how to instantiate an X.509 CRL:

  78.  * <pre><code> 

  79.  * InputStream inStream = new FileInputStream("fileName-of-crl");

  80.  * CertificateFactory cf = CertificateFactory.getInstance("X.509");

  81.  * X509CRL crl = (X509CRL)cf.generateCRL(inStream);

  82.  * inStream.close();

  83.  * </code></pre>

  84.  *

  85.  * @author Hemma Prafullchandra

  86.  *

  87.  * @version 1.18

  88.  *

  89.  * @see CRL

  90.  * @see CertificateFactory

  91.  * @see X509Extension

  92.  */

  93. 

  94. public abstract class X509CRL extends CRL implements X509Extension {

  95. 

  96.     /**

  97.      * Constructor for X.509 CRLs.

  98.      */

  99.     protected X509CRL() {

  100. 	super("X.509");

  101.     }

  102. 

  103.     /**

  104.      * Compares this CRL for equality with the given 

  105.      * object. If the <code>other</code> object is an 

  106.      * <code>instanceof</code> <code>X509CRL</code>, then

  107.      * its encoded form is retrieved and compared with the

  108.      * encoded form of this CRL.

  109.      * 

  110.      * @param other the object to test for equality with this CRL.

  111.      * 

  112.      * @return true iff the encoded forms of the two CRLs

  113.      * match, false otherwise.

  114.      */  

  115.     public boolean equals(Object other) {

  116.         if (this == other)

  117.             return true;

  118.         if (!(other instanceof X509CRL))

  119.             return false;

  120.         try {

  121.             byte[] thisCRL = this.getEncoded();

  122.             byte[] otherCRL = ((X509CRL)other).getEncoded();

  123. 

  124.             if (thisCRL.length != otherCRL.length)

  125.                 return false;

  126.             for (int i = 0; i < thisCRL.length; i++)

  127.                  if (thisCRL[i] != otherCRL[i])

  128.                      return false;

  129.             return true;

  130.         } catch (CRLException e) {

  131. 	    return false;

  132.         }

  133.     }

  134. 

  135.     /**

  136.      * Returns a hashcode value for this CRL from its

  137.      * encoded form.

  138.      *

  139.      * @return the hashcode value.

  140.      */  

  141.     public int hashCode() {

  142.         int     retval = 0;

  143.         try {

  144.             byte[] crlData = this.getEncoded();

  145.             for (int i = 1; i < crlData.length; i++) {

  146.                  retval += crlData[i] * i;

  147.             }

  148.             return(retval);

  149.         } catch (CRLException e) {

  150.             return(retval);

  151.         }

  152.     }

  153. 

  154.     /**

  155.      * Returns the ASN.1 DER-encoded form of this CRL.

  156.      *

  157.      * @return the encoded form of this certificate

  158.      * @exception CRLException if an encoding error occurs.

  159.      */

  160.     public abstract byte[] getEncoded()

  161.         throws CRLException;

  162. 

  163.     /**

  164.      * Verifies that this CRL was signed using the 

  165.      * private key that corresponds to the given public key.

  166.      *

  167.      * @param key the PublicKey used to carry out the verification.

  168.      *

  169.      * @exception NoSuchAlgorithmException on unsupported signature

  170.      * algorithms.

  171.      * @exception InvalidKeyException on incorrect key.

  172.      * @exception NoSuchProviderException if there's no default provider.

  173.      * @exception SignatureException on signature errors.

  174.      * @exception CRLException on encoding errors.

  175.      */  

  176.     public abstract void verify(PublicKey key)

  177.         throws CRLException,  NoSuchAlgorithmException,

  178.         InvalidKeyException, NoSuchProviderException,

  179.         SignatureException;

  180. 

  181.     /**

  182.      * Verifies that this CRL was signed using the 

  183.      * private key that corresponds to the given public key.

  184.      * This method uses the signature verification engine

  185.      * supplied by the given provider.

  186.      *

  187.      * @param key the PublicKey used to carry out the verification.

  188.      * @param sigProvider the name of the signature provider.

  189.      * 

  190.      * @exception NoSuchAlgorithmException on unsupported signature

  191.      * algorithms.

  192.      * @exception InvalidKeyException on incorrect key.

  193.      * @exception NoSuchProviderException on incorrect provider.

  194.      * @exception SignatureException on signature errors.

  195.      * @exception CRLException on encoding errors.

  196.      */  

  197.     public abstract void verify(PublicKey key, String sigProvider)

  198.         throws CRLException, NoSuchAlgorithmException,

  199.         InvalidKeyException, NoSuchProviderException,

  200.         SignatureException;

  201. 

  202.     /**

  203.      * Gets the <code>version</code> (version number) value from the CRL.

  204.      * The ASN.1 definition for this is:

  205.      * <pre>

  206.      * version    Version OPTIONAL,

  207.      *             -- if present, must be v2<p>

  208.      * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

  209.      *             -- v3 does not apply to CRLs but appears for consistency

  210.      *             -- with definition of Version for certs

  211.      * </pre>

  212.      *

  213.      * @return the version number, i.e. 1 or 2.

  214.      */

  215.     public abstract int getVersion();

  216. 

  217.     /**

  218.      * Gets the <code>issuer</code> (issuer distinguished name) value from 

  219.      * the CRL. The issuer name identifies the entity that signed (and

  220.      * issued) the CRL. 

  221.      * 

  222.      * <p>The issuer name field contains an

  223.      * X.500 distinguished name (DN).

  224.      * The ASN.1 definition for this is:

  225.      * <pre>

  226.      * issuer    Name

  227.      *

  228.      * Name ::= CHOICE { RDNSequence }

  229.      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

  230.      * RelativeDistinguishedName ::=

  231.      *     SET OF AttributeValueAssertion

  232.      *

  233.      * AttributeValueAssertion ::= SEQUENCE {

  234.      *                               AttributeType,

  235.      *                               AttributeValue }

  236.      * AttributeType ::= OBJECT IDENTIFIER

  237.      * AttributeValue ::= ANY

  238.      * </pre>

  239.      * The <code>Name</code> describes a hierarchical name composed of

  240.      * attributes,

  241.      * such as country name, and corresponding values, such as US.

  242.      * The type of the <code>AttributeValue</code> component is determined by

  243.      * the <code>AttributeType</code> in general it will be a 

  244.      * <code>directoryString</code>. A <code>directoryString</code> is usually 

  245.      * one of <code>PrintableString</code>,

  246.      * <code>TeletexString</code> or <code>UniversalString</code>.

  247.      * 

  248.      * @return a Principal whose name is the issuer distinguished name.

  249.      */

  250.     public abstract Principal getIssuerDN();

  251. 

  252.     /**

  253.      * Gets the <code>thisUpdate</code> date from the CRL.

  254.      * The ASN.1 definition for this is:

  255.      * <pre>

  256.      * thisUpdate   ChoiceOfTime

  257.      * ChoiceOfTime ::= CHOICE {

  258.      *     utcTime        UTCTime,

  259.      *     generalTime    GeneralizedTime }

  260.      * </pre>

  261.      *

  262.      * @return the <code>thisUpdate</code> date from the CRL.

  263.      */

  264.     public abstract Date getThisUpdate();

  265. 

  266.     /**

  267.      * Gets the <code>nextUpdate</code> date from the CRL.

  268.      *

  269.      * @return the <code>nextUpdate</code> date from the CRL, or null if

  270.      * not present.

  271.      */

  272.     public abstract Date getNextUpdate();

  273. 

  274.     /**

  275.      * Gets the CRL entry, if any, with the given certificate serialNumber.

  276.      *

  277.      * @param serialNumber the serial number of the certificate for which a CRL entry

  278.      * is to be looked up

  279.      * @return the entry with the given serial number, or null if no such entry

  280.      * exists in this CRL.

  281.      * @see X509CRLEntry

  282.      */

  283.     public abstract X509CRLEntry

  284.         getRevokedCertificate(BigInteger serialNumber);

  285.   

  286.     /**

  287.      * Gets all the entries from this CRL.

  288.      * This returns a Set of X509CRLEntry objects.

  289.      *

  290.      * @return all the entries or null if there are none present.

  291.      * @see X509CRLEntry

  292.      */

  293.     public abstract Set getRevokedCertificates();

  294.   

  295.     /**

  296.      * Gets the DER-encoded CRL information, the

  297.      * <code>tbsCertList</code> from this CRL.

  298.      * This can be used to verify the signature independently.

  299.      *

  300.      * @return the DER-encoded CRL information.

  301.      * @exception CRLException if an encoding error occurs.

  302.      */

  303.     public abstract byte[] getTBSCertList() throws CRLException;

  304. 

  305.     /**

  306.      * Gets the <code>signature</code> value (the raw signature bits) from 

  307.      * the CRL.

  308.      * The ASN.1 definition for this is:

  309.      * <pre>

  310.      * signature     BIT STRING  

  311.      * </pre>

  312.      *

  313.      * @return the signature.

  314.      */

  315.     public abstract byte[] getSignature();

  316. 

  317.     /**

  318.      * Gets the signature algorithm name for the CRL

  319.      * signature algorithm. An example is the string "SHA-1/DSA".

  320.      * The ASN.1 definition for this is:

  321.      * <pre>

  322.      * signatureAlgorithm   AlgorithmIdentifier<p>

  323.      * AlgorithmIdentifier  ::=  SEQUENCE  {

  324.      *     algorithm               OBJECT IDENTIFIER,

  325.      *     parameters              ANY DEFINED BY algorithm OPTIONAL  }

  326.      *                             -- contains a value of the type

  327.      *                             -- registered for use with the

  328.      *                             -- algorithm object identifier value

  329.      * </pre>

  330.      * 

  331.      * <p>The algorithm name is determined from the <code>algorithm</code>

  332.      * OID string.

  333.      *

  334.      * @return the signature algorithm name.

  335.      */

  336.     public abstract String getSigAlgName();

  337. 

  338.     /**

  339.      * Gets the signature algorithm OID string from the CRL.

  340.      * An OID is represented by a set of positive whole numbers separated

  341.      * by periods.

  342.      * For example, the string "1.2.840.10040.4.3" identifies the SHA-1

  343.      * with DSA signature algorithm, as per RFC 2459.

  344.      * 

  345.      * <p>See {@link getSigAlgName()#getSigAlgName} for 

  346.      * relevant ASN.1 definitions.

  347.      *

  348.      * @return the signature algorithm OID string.

  349.      */

  350.     public abstract String getSigAlgOID();

  351. 

  352.     /**

  353.      * Gets the DER-encoded signature algorithm parameters from this

  354.      * CRL's signature algorithm. In most cases, the signature

  355.      * algorithm parameters are null; the parameters are usually

  356.      * supplied with the public key.

  357.      * If access to individual parameter values is needed then use

  358.      * {@link java.security.AlgorithmParameters AlgorithmParameters}

  359.      * and instantiate with the name returned by

  360.      * {@link getSigAlgName()#getSigAlgName}.

  361.      * 

  362.      * <p>See {@link getSigAlgName()#getSigAlgName} for 

  363.      * relevant ASN.1 definitions.

  364.      *

  365.      * @return the DER-encoded signature algorithm parameters, or

  366.      *         null if no parameters are present.

  367.      */

  368.     public abstract byte[] getSigAlgParams();

  369. }