1. /*

  2.  * @(#)X509CRL.java	1.25 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7.  

  8. package java.security.cert;

  9. 

  10. import java.security.NoSuchAlgorithmException;

  11. import java.security.NoSuchProviderException;

  12. import java.security.InvalidKeyException;

  13. import java.security.SignatureException;

  14. import java.security.Principal;

  15. import java.security.PublicKey;

  16. import javax.security.auth.x500.X500Principal;

  17. 

  18. import java.math.BigInteger;

  19. import java.util.Date;

  20. import java.util.Set;

  21. import java.util.Arrays;

  22. 

  23. import sun.security.x509.X509CRLImpl;

  24. 

  25. /**

  26.  * <p>

  27.  * Abstract class for an X.509 Certificate Revocation List (CRL).

  28.  * A CRL is a time-stamped list identifying revoked certificates.

  29.  * It is signed by a Certificate Authority (CA) and made freely

  30.  * available in a public repository.  

  31.  * 

  32.  * <p>Each revoked certificate is

  33.  * identified in a CRL by its certificate serial number. When a

  34.  * certificate-using system uses a certificate (e.g., for verifying a

  35.  * remote user's digital signature), that system not only checks the

  36.  * certificate signature and validity but also acquires a suitably-

  37.  * recent CRL and checks that the certificate serial number is not on

  38.  * that CRL.  The meaning of "suitably-recent" may vary with local

  39.  * policy, but it usually means the most recently-issued CRL.  A CA

  40.  * issues a new CRL on a regular periodic basis (e.g., hourly, daily, or

  41.  * weekly).  Entries are added to CRLs as revocations occur, and an

  42.  * entry may be removed when the certificate expiration date is reached.

  43.  * <p>

  44.  * The X.509 v2 CRL format is described below in ASN.1:

  45.  * <pre>

  46.  * CertificateList  ::=  SEQUENCE  {

  47.  *     tbsCertList          TBSCertList,

  48.  *     signatureAlgorithm   AlgorithmIdentifier,

  49.  *     signature            BIT STRING  }

  50.  * </pre>

  51.  * <p>

  52.  * More information can be found in RFC 2459,

  53.  * "Internet X.509 Public Key Infrastructure Certificate and CRL

  54.  * Profile" at <A HREF="http://www.ietf.org/rfc/rfc2459.txt">

  55.  * http://www.ietf.org/rfc/rfc2459.txt </A>.    

  56.  * <p>

  57.  * The ASN.1 definition of <code>tbsCertList</code> is:

  58.  * <pre>

  59.  * TBSCertList  ::=  SEQUENCE  {

  60.  *     version                 Version OPTIONAL,

  61.  *                             -- if present, must be v2

  62.  *     signature               AlgorithmIdentifier,

  63.  *     issuer                  Name,

  64.  *     thisUpdate              ChoiceOfTime,

  65.  *     nextUpdate              ChoiceOfTime OPTIONAL,

  66.  *     revokedCertificates     SEQUENCE OF SEQUENCE  {

  67.  *         userCertificate         CertificateSerialNumber,

  68.  *         revocationDate          ChoiceOfTime,

  69.  *         crlEntryExtensions      Extensions OPTIONAL

  70.  *                                 -- if present, must be v2

  71.  *         }  OPTIONAL,

  72.  *     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL

  73.  *                                  -- if present, must be v2

  74.  *     }

  75.  * </pre>

  76.  * <p>

  77.  * CRLs are instantiated using a certificate factory. The following is an

  78.  * example of how to instantiate an X.509 CRL:

  79.  * <pre><code> 

  80.  * InputStream inStream = new FileInputStream("fileName-of-crl");

  81.  * CertificateFactory cf = CertificateFactory.getInstance("X.509");

  82.  * X509CRL crl = (X509CRL)cf.generateCRL(inStream);

  83.  * inStream.close();

  84.  * </code></pre>

  85.  *

  86.  * @author Hemma Prafullchandra

  87.  *

  88.  * @version 1.25, 01/23/03

  89.  *

  90.  * @see CRL

  91.  * @see CertificateFactory

  92.  * @see X509Extension

  93.  */

  94. 

  95. public abstract class X509CRL extends CRL implements X509Extension {

  96. 

  97.     private transient X500Principal issuerPrincipal;

  98. 

  99.     /**

  100.      * Constructor for X.509 CRLs.

  101.      */

  102.     protected X509CRL() {

  103. 	super("X.509");

  104.     }

  105. 

  106.     /**

  107.      * Compares this CRL for equality with the given 

  108.      * object. If the <code>other</code> object is an 

  109.      * <code>instanceof</code> <code>X509CRL</code>, then

  110.      * its encoded form is retrieved and compared with the

  111.      * encoded form of this CRL.

  112.      * 

  113.      * @param other the object to test for equality with this CRL.

  114.      * 

  115.      * @return true iff the encoded forms of the two CRLs

  116.      * match, false otherwise.

  117.      */  

  118.     public boolean equals(Object other) {

  119.         if (this == other) {

  120.             return true;

  121. 	}

  122.         if (!(other instanceof X509CRL)) {

  123.             return false;

  124. 	}

  125.         try {

  126.             byte[] thisCRL = X509CRLImpl.getEncodedInternal(this);

  127.             byte[] otherCRL = X509CRLImpl.getEncodedInternal((X509CRL)other);

  128. 	    

  129. 	    return Arrays.equals(thisCRL, otherCRL);

  130.         } catch (CRLException e) {

  131. 	    return false;

  132.         }

  133.     }

  134. 

  135.     /**

  136.      * Returns a hashcode value for this CRL from its

  137.      * encoded form.

  138.      *

  139.      * @return the hashcode value.

  140.      */  

  141.     public int hashCode() {

  142.         int retval = 0;

  143.         try {

  144.             byte[] crlData = X509CRLImpl.getEncodedInternal(this);

  145.             for (int i = 1; i < crlData.length; i++) {

  146.                  retval += crlData[i] * i;

  147.             }

  148.             return retval;

  149.         } catch (CRLException e) {

  150.             return retval;

  151.         }

  152.     }

  153. 

  154.     /**

  155.      * Returns the ASN.1 DER-encoded form of this CRL.

  156.      *

  157.      * @return the encoded form of this certificate

  158.      * @exception CRLException if an encoding error occurs.

  159.      */

  160.     public abstract byte[] getEncoded()

  161.         throws CRLException;

  162. 

  163.     /**

  164.      * Verifies that this CRL was signed using the 

  165.      * private key that corresponds to the given public key.

  166.      *

  167.      * @param key the PublicKey used to carry out the verification.

  168.      *

  169.      * @exception NoSuchAlgorithmException on unsupported signature

  170.      * algorithms.

  171.      * @exception InvalidKeyException on incorrect key.

  172.      * @exception NoSuchProviderException if there's no default provider.

  173.      * @exception SignatureException on signature errors.

  174.      * @exception CRLException on encoding errors.

  175.      */  

  176.     public abstract void verify(PublicKey key)

  177.         throws CRLException,  NoSuchAlgorithmException,

  178.         InvalidKeyException, NoSuchProviderException,

  179.         SignatureException;

  180. 

  181.     /**

  182.      * Verifies that this CRL was signed using the 

  183.      * private key that corresponds to the given public key.

  184.      * This method uses the signature verification engine

  185.      * supplied by the given provider.

  186.      *

  187.      * @param key the PublicKey used to carry out the verification.

  188.      * @param sigProvider the name of the signature provider.

  189.      * 

  190.      * @exception NoSuchAlgorithmException on unsupported signature

  191.      * algorithms.

  192.      * @exception InvalidKeyException on incorrect key.

  193.      * @exception NoSuchProviderException on incorrect provider.

  194.      * @exception SignatureException on signature errors.

  195.      * @exception CRLException on encoding errors.

  196.      */  

  197.     public abstract void verify(PublicKey key, String sigProvider)

  198.         throws CRLException, NoSuchAlgorithmException,

  199.         InvalidKeyException, NoSuchProviderException,

  200.         SignatureException;

  201. 

  202.     /**

  203.      * Gets the <code>version</code> (version number) value from the CRL.

  204.      * The ASN.1 definition for this is:

  205.      * <pre>

  206.      * version    Version OPTIONAL,

  207.      *             -- if present, must be v2<p>

  208.      * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

  209.      *             -- v3 does not apply to CRLs but appears for consistency

  210.      *             -- with definition of Version for certs

  211.      * </pre>

  212.      *

  213.      * @return the version number, i.e. 1 or 2.

  214.      */

  215.     public abstract int getVersion();

  216. 

  217.     /**

  218.      * Gets the <code>issuer</code> (issuer distinguished name) value from 

  219.      * the CRL. The issuer name identifies the entity that signed (and

  220.      * issued) the CRL. 

  221.      * 

  222.      * <p>The issuer name field contains an

  223.      * X.500 distinguished name (DN).

  224.      * The ASN.1 definition for this is:

  225.      * <pre>

  226.      * issuer    Name

  227.      *

  228.      * Name ::= CHOICE { RDNSequence }

  229.      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

  230.      * RelativeDistinguishedName ::=

  231.      *     SET OF AttributeValueAssertion

  232.      *

  233.      * AttributeValueAssertion ::= SEQUENCE {

  234.      *                               AttributeType,

  235.      *                               AttributeValue }

  236.      * AttributeType ::= OBJECT IDENTIFIER

  237.      * AttributeValue ::= ANY

  238.      * </pre>

  239.      * The <code>Name</code> describes a hierarchical name composed of

  240.      * attributes,

  241.      * such as country name, and corresponding values, such as US.

  242.      * The type of the <code>AttributeValue</code> component is determined by

  243.      * the <code>AttributeType</code> in general it will be a 

  244.      * <code>directoryString</code>. A <code>directoryString</code> is usually 

  245.      * one of <code>PrintableString</code>,

  246.      * <code>TeletexString</code> or <code>UniversalString</code>.

  247.      * 

  248.      * @return a Principal whose name is the issuer distinguished name.

  249.      */

  250.     public abstract Principal getIssuerDN();

  251. 

  252.     /**

  253.      * Returns the issuer (issuer distinguished name) value from the

  254.      * CRL as an <code>X500Principal</code>.

  255.      * <p>

  256.      * It is recommended that subclasses override this method to provide 

  257.      * an efficient implementation.

  258.      *

  259.      * @return an <code>X500Principal</code> representing the issuer

  260.      *		distinguished name

  261.      * @since 1.4

  262.      */

  263.     public X500Principal getIssuerX500Principal() {

  264. 	if (issuerPrincipal == null) {

  265. 	    issuerPrincipal = X509CRLImpl.getIssuerX500Principal(this);

  266. 	}

  267. 	return issuerPrincipal;

  268.     }

  269. 

  270.     /**

  271.      * Gets the <code>thisUpdate</code> date from the CRL.

  272.      * The ASN.1 definition for this is:

  273.      * <pre>

  274.      * thisUpdate   ChoiceOfTime

  275.      * ChoiceOfTime ::= CHOICE {

  276.      *     utcTime        UTCTime,

  277.      *     generalTime    GeneralizedTime }

  278.      * </pre>

  279.      *

  280.      * @return the <code>thisUpdate</code> date from the CRL.

  281.      */

  282.     public abstract Date getThisUpdate();

  283. 

  284.     /**

  285.      * Gets the <code>nextUpdate</code> date from the CRL.

  286.      *

  287.      * @return the <code>nextUpdate</code> date from the CRL, or null if

  288.      * not present.

  289.      */

  290.     public abstract Date getNextUpdate();

  291. 

  292.     /**

  293.      * Gets the CRL entry, if any, with the given certificate serialNumber.

  294.      *

  295.      * @param serialNumber the serial number of the certificate for which a CRL entry

  296.      * is to be looked up

  297.      * @return the entry with the given serial number, or null if no such entry

  298.      * exists in this CRL.

  299.      * @see X509CRLEntry

  300.      */

  301.     public abstract X509CRLEntry

  302.         getRevokedCertificate(BigInteger serialNumber);

  303.   

  304.     /**

  305.      * Gets all the entries from this CRL.

  306.      * This returns a Set of X509CRLEntry objects.

  307.      *

  308.      * @return all the entries or null if there are none present.

  309.      * @see X509CRLEntry

  310.      */

  311.     public abstract Set getRevokedCertificates();

  312.   

  313.     /**

  314.      * Gets the DER-encoded CRL information, the

  315.      * <code>tbsCertList</code> from this CRL.

  316.      * This can be used to verify the signature independently.

  317.      *

  318.      * @return the DER-encoded CRL information.

  319.      * @exception CRLException if an encoding error occurs.

  320.      */

  321.     public abstract byte[] getTBSCertList() throws CRLException;

  322. 

  323.     /**

  324.      * Gets the <code>signature</code> value (the raw signature bits) from 

  325.      * the CRL.

  326.      * The ASN.1 definition for this is:

  327.      * <pre>

  328.      * signature     BIT STRING  

  329.      * </pre>

  330.      *

  331.      * @return the signature.

  332.      */

  333.     public abstract byte[] getSignature();

  334. 

  335.     /**

  336.      * Gets the signature algorithm name for the CRL

  337.      * signature algorithm. An example is the string "SHA-1/DSA".

  338.      * The ASN.1 definition for this is:

  339.      * <pre>

  340.      * signatureAlgorithm   AlgorithmIdentifier<p>

  341.      * AlgorithmIdentifier  ::=  SEQUENCE  {

  342.      *     algorithm               OBJECT IDENTIFIER,

  343.      *     parameters              ANY DEFINED BY algorithm OPTIONAL  }

  344.      *                             -- contains a value of the type

  345.      *                             -- registered for use with the

  346.      *                             -- algorithm object identifier value

  347.      * </pre>

  348.      * 

  349.      * <p>The algorithm name is determined from the <code>algorithm</code>

  350.      * OID string.

  351.      *

  352.      * @return the signature algorithm name.

  353.      */

  354.     public abstract String getSigAlgName();

  355. 

  356.     /**

  357.      * Gets the signature algorithm OID string from the CRL.

  358.      * An OID is represented by a set of nonnegative whole numbers separated

  359.      * by periods.

  360.      * For example, the string "1.2.840.10040.4.3" identifies the SHA-1

  361.      * with DSA signature algorithm, as per RFC 2459.

  362.      * 

  363.      * <p>See {@link getSigAlgName()#getSigAlgName} for 

  364.      * relevant ASN.1 definitions.

  365.      *

  366.      * @return the signature algorithm OID string.

  367.      */

  368.     public abstract String getSigAlgOID();

  369. 

  370.     /**

  371.      * Gets the DER-encoded signature algorithm parameters from this

  372.      * CRL's signature algorithm. In most cases, the signature

  373.      * algorithm parameters are null; the parameters are usually

  374.      * supplied with the public key.

  375.      * If access to individual parameter values is needed then use

  376.      * {@link java.security.AlgorithmParameters AlgorithmParameters}

  377.      * and instantiate with the name returned by

  378.      * {@link getSigAlgName()#getSigAlgName}.

  379.      * 

  380.      * <p>See {@link getSigAlgName()#getSigAlgName} for 

  381.      * relevant ASN.1 definitions.

  382.      *

  383.      * @return the DER-encoded signature algorithm parameters, or

  384.      *         null if no parameters are present.

  385.      */

  386.     public abstract byte[] getSigAlgParams();

  387. }