1. /*

  2.  * @(#)X509CRLSelector.java	1.16 04/07/16

  3.  *

  4.  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package java.security.cert;

  9. 

  10. import java.io.IOException;

  11. import java.math.BigInteger;

  12. import java.util.*;

  13. 

  14. import javax.security.auth.x500.X500Principal;

  15. 

  16. import sun.security.util.Debug;

  17. import sun.security.util.DerInputStream;

  18. import sun.security.x509.CRLNumberExtension;

  19. import sun.security.x509.X500Name;

  20. 

  21. /**

  22.  * A <code>CRLSelector</code> that selects <code>X509CRLs</code> that

  23.  * match all specified criteria. This class is particularly useful when

  24.  * selecting CRLs from a <code>CertStore</code> to check revocation status

  25.  * of a particular certificate.

  26.  * <p>

  27.  * When first constructed, an <code>X509CRLSelector</code> has no criteria

  28.  * enabled and each of the <code>get</code> methods return a default

  29.  * value (<code>null</code>). Therefore, the {@link #match match} method 

  30.  * would return <code>true</code> for any <code>X509CRL</code>. Typically, 

  31.  * several criteria are enabled (by calling {@link #setIssuers setIssuers} 

  32.  * or {@link #setDateAndTime setDateAndTime}, for instance) and then the

  33.  * <code>X509CRLSelector</code> is passed to

  34.  * {@link CertStore#getCRLs CertStore.getCRLs} or some similar

  35.  * method.

  36.  * <p>

  37.  * Please refer to RFC 2459 for definitions of the X.509 CRL fields and

  38.  * extensions mentioned below.

  39.  * <p>

  40.  * <b>Concurrent Access</b>

  41.  * <p>

  42.  * Unless otherwise specified, the methods defined in this class are not

  43.  * thread-safe. Multiple threads that need to access a single

  44.  * object concurrently should synchronize amongst themselves and

  45.  * provide the necessary locking. Multiple threads each manipulating

  46.  * separate objects need not synchronize.

  47.  *

  48.  * @see CRLSelector

  49.  * @see X509CRL

  50.  *

  51.  * @version 	1.16 07/16/04

  52.  * @since	1.4

  53.  * @author	Steve Hanna

  54.  */

  55. public class X509CRLSelector implements CRLSelector {

  56. 

  57.     static {

  58. 	CertPathHelperImpl.initialize();

  59.     }

  60. 

  61.     private static final Debug debug = Debug.getInstance("certpath");

  62.     private HashSet<Object> issuerNames;

  63.     private HashSet<X500Principal> issuerX500Principals;

  64.     private BigInteger minCRL;

  65.     private BigInteger maxCRL;

  66.     private Date dateAndTime;

  67.     private X509Certificate certChecking;

  68. 

  69.     /**

  70.      * Creates an <code>X509CRLSelector</code>. Initially, no criteria are set

  71.      * so any <code>X509CRL</code> will match.

  72.      */

  73.     public X509CRLSelector() {}

  74. 

  75.     /**

  76.      * Sets the issuerNames criterion. The issuer distinguished name in the

  77.      * <code>X509CRL</code> must match at least one of the specified

  78.      * distinguished names. If <code>null</code>, any issuer distinguished name

  79.      * will do.

  80.      * <p>

  81.      * This method allows the caller to specify, with a single method call,

  82.      * the complete set of issuer names which <code>X509CRLs</code> may contain.

  83.      * The specified value replaces the previous value for the issuerNames

  84.      * criterion.

  85.      * <p>

  86.      * The <code>names</code> parameter (if not <code>null</code>) is a

  87.      * <code>Collection</code> of <code>X500Principal</code>s.

  88.      * <p>

  89.      * Note that the <code>names</code> parameter can contain duplicate

  90.      * distinguished names, but they may be removed from the 

  91.      * <code>Collection</code> of names returned by the

  92.      * {@link #getIssuers getIssuers} method.

  93.      * <p>

  94.      * Note that a copy is performed on the <code>Collection</code> to

  95.      * protect against subsequent modifications.

  96.      *

  97.      * @param issuers a <code>Collection</code> of X500Principals 

  98.      *   (or <code>null</code>)

  99.      * @see #getIssuers

  100.      * @since 1.5

  101.      */

  102.     public void setIssuers(Collection<X500Principal> issuers) {

  103.         if ((issuers == null) || issuers.isEmpty()) {

  104.             issuerNames = null;

  105.             issuerX500Principals = null;

  106.         } else {

  107. 	    // clone

  108. 	    issuerX500Principals = new HashSet(issuers);

  109. 	    issuerNames = new HashSet<Object>();

  110. 	    for (X500Principal p : issuerX500Principals) {

  111. 		issuerNames.add(p.getEncoded());

  112. 	    }

  113.         }

  114.     }

  115. 

  116.     /**

  117.      * <strong>Note:</strong> use {@linkplain #setIssuers(Collection)} instead

  118.      * or only specify the byte array form of distinguished names when using

  119.      * this method. See {@link #addIssuerName(String)} for more information.

  120.      * <p>

  121.      * Sets the issuerNames criterion. The issuer distinguished name in the

  122.      * <code>X509CRL</code> must match at least one of the specified

  123.      * distinguished names. If <code>null</code>, any issuer distinguished name

  124.      * will do.

  125.      * <p>

  126.      * This method allows the caller to specify, with a single method call,

  127.      * the complete set of issuer names which <code>X509CRLs</code> may contain.

  128.      * The specified value replaces the previous value for the issuerNames

  129.      * criterion.

  130.      * <p>

  131.      * The <code>names</code> parameter (if not <code>null</code>) is a

  132.      * <code>Collection</code> of names. Each name is a <code>String</code>

  133.      * or a byte array representing a distinguished name (in RFC 2253 or

  134.      * ASN.1 DER encoded form, respectively). If <code>null</code> is supplied

  135.      * as the value for this argument, no issuerNames check will be performed.

  136.      * <p>

  137.      * Note that the <code>names</code> parameter can contain duplicate

  138.      * distinguished names, but they may be removed from the 

  139.      * <code>Collection</code> of names returned by the

  140.      * {@link #getIssuerNames getIssuerNames} method.

  141.      * <p>

  142.      * If a name is specified as a byte array, it should contain a single DER

  143.      * encoded distinguished name, as defined in X.501. The ASN.1 notation for

  144.      * this structure is as follows.

  145.      * <pre><code>

  146.      * Name ::= CHOICE {

  147.      *   RDNSequence }

  148.      *

  149.      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

  150.      *

  151.      * RelativeDistinguishedName ::=

  152.      *   SET SIZE (1 .. MAX) OF AttributeTypeAndValue

  153.      *

  154.      * AttributeTypeAndValue ::= SEQUENCE {

  155.      *   type     AttributeType,

  156.      *   value    AttributeValue }

  157.      *

  158.      * AttributeType ::= OBJECT IDENTIFIER

  159.      *

  160.      * AttributeValue ::= ANY DEFINED BY AttributeType

  161.      * ....

  162.      * DirectoryString ::= CHOICE {

  163.      *       teletexString           TeletexString (SIZE (1..MAX)),

  164.      *       printableString         PrintableString (SIZE (1..MAX)),

  165.      *       universalString         UniversalString (SIZE (1..MAX)),

  166.      *       utf8String              UTF8String (SIZE (1.. MAX)),

  167.      *       bmpString               BMPString (SIZE (1..MAX)) }

  168.      * </code></pre>

  169.      * <p>

  170.      * Note that a deep copy is performed on the <code>Collection</code> to

  171.      * protect against subsequent modifications.

  172.      *

  173.      * @param names a <code>Collection</code> of names (or <code>null</code>)

  174.      * @throws IOException if a parsing error occurs

  175.      * @see #getIssuerNames

  176.      */

  177.     public void setIssuerNames(Collection<?> names) throws IOException {

  178.         if (names == null || names.size() == 0) {

  179.             issuerNames = null;

  180.             issuerX500Principals = null;

  181.         } else {

  182.             HashSet<Object> tempNames = cloneAndCheckIssuerNames(names);

  183.             // Ensure that we either set both of these or neither

  184.             issuerX500Principals = parseIssuerNames(tempNames);

  185.             issuerNames = tempNames;

  186.         }

  187.     }

  188. 

  189.     /**

  190.      * Adds a name to the issuerNames criterion. The issuer distinguished

  191.      * name in the <code>X509CRL</code> must match at least one of the specified

  192.      * distinguished names.

  193.      * <p>

  194.      * This method allows the caller to add a name to the set of issuer names

  195.      * which <code>X509CRLs</code> may contain. The specified name is added to

  196.      * any previous value for the issuerNames criterion.

  197.      * If the specified name is a duplicate, it may be ignored.

  198.      *

  199.      * @param issuer the issuer as X500Principal

  200.      * @since 1.5

  201.      */

  202.     public void addIssuer(X500Principal issuer) {

  203. 	addIssuerNameInternal(issuer.getEncoded(), issuer);

  204.     }

  205. 

  206.     /**

  207.      * <strong>Denigrated</strong>, use 

  208.      * {@linkplain #addIssuer(X500Principal)} or 

  209.      * {@linkplain #addIssuerName(byte[])} instead. This method should not be 

  210.      * relied on as it can fail to match some CRLs because of a loss of 

  211.      * encoding information in the RFC 2253 String form of some distinguished 

  212.      * names.

  213.      * <p>

  214.      * Adds a name to the issuerNames criterion. The issuer distinguished

  215.      * name in the <code>X509CRL</code> must match at least one of the specified

  216.      * distinguished names.

  217.      * <p>

  218.      * This method allows the caller to add a name to the set of issuer names

  219.      * which <code>X509CRLs</code> may contain. The specified name is added to

  220.      * any previous value for the issuerNames criterion.

  221.      * If the specified name is a duplicate, it may be ignored.

  222.      *

  223.      * @param name the name in RFC 2253 form

  224.      * @throws IOException if a parsing error occurs

  225.      */

  226.     public void addIssuerName(String name) throws IOException {

  227.         addIssuerNameInternal(name, new X500Name(name).asX500Principal());

  228.     }

  229. 

  230.     /**

  231.      * Adds a name to the issuerNames criterion. The issuer distinguished

  232.      * name in the <code>X509CRL</code> must match at least one of the specified

  233.      * distinguished names.

  234.      * <p>

  235.      * This method allows the caller to add a name to the set of issuer names

  236.      * which <code>X509CRLs</code> may contain. The specified name is added to

  237.      * any previous value for the issuerNames criterion. If the specified name

  238.      * is a duplicate, it may be ignored.

  239.      * If a name is specified as a byte array, it should contain a single DER

  240.      * encoded distinguished name, as defined in X.501. The ASN.1 notation for

  241.      * this structure is as follows.

  242.      * <p>

  243.      * The name is provided as a byte array. This byte array should contain

  244.      * a single DER encoded distinguished name, as defined in X.501. The ASN.1

  245.      * notation for this structure appears in the documentation for

  246.      * {@link #setIssuerNames setIssuerNames(Collection names)}.

  247.      * <p>

  248.      * Note that the byte array supplied here is cloned to protect against

  249.      * subsequent modifications.

  250.      *

  251.      * @param name a byte array containing the name in ASN.1 DER encoded form

  252.      * @throws IOException if a parsing error occurs

  253.      */

  254.     public void addIssuerName(byte[] name) throws IOException {

  255.         // clone because byte arrays are modifiable

  256.         addIssuerNameInternal(name.clone(), new X500Name(name).asX500Principal());

  257.     }

  258.     

  259.     /**

  260.      * A private method that adds a name (String or byte array) to the

  261.      * issuerNames criterion. The issuer distinguished

  262.      * name in the <code>X509CRL</code> must match at least one of the specified

  263.      * distinguished names.

  264.      *

  265.      * @param name the name in string or byte array form

  266.      * @param principal the name in X500Principal form

  267.      * @throws IOException if a parsing error occurs

  268.      */

  269.     private void addIssuerNameInternal(Object name, X500Principal principal) {

  270.         if (issuerNames == null) {

  271.             issuerNames = new HashSet<Object>();

  272. 	}

  273.         if (issuerX500Principals == null) {

  274.             issuerX500Principals = new HashSet<X500Principal>();

  275. 	}

  276.         issuerNames.add(name);

  277.         issuerX500Principals.add(principal);

  278.     }

  279. 

  280.     /**

  281.      * Clone and check an argument of the form passed to

  282.      * setIssuerNames. Throw an IOException if the argument is malformed.

  283.      *

  284.      * @param names a <code>Collection</code> of names. Each entry is a

  285.      *              String or a byte array (the name, in string or ASN.1

  286.      *              DER encoded form, respectively). <code>null</code> is

  287.      *              not an acceptable value.

  288.      * @return a deep copy of the specified <code>Collection</code>

  289.      * @throws IOException if a parsing error occurs

  290.      */

  291.     private static HashSet<Object> cloneAndCheckIssuerNames(Collection<?> names)

  292.         throws IOException 

  293.     {

  294.         HashSet<Object> namesCopy = new HashSet<Object>();

  295.         Iterator i = names.iterator();

  296.         while (i.hasNext()) {

  297.             Object nameObject = i.next();

  298.             if (!(nameObject instanceof byte []) &&

  299. 	        !(nameObject instanceof String))

  300. 	        throw new IOException("name not byte array or String");

  301.             if (nameObject instanceof byte [])

  302. 	        namesCopy.add(((byte []) nameObject).clone());

  303.             else

  304. 	        namesCopy.add(nameObject);

  305.         }

  306.         return(namesCopy);

  307.     }

  308. 

  309.     /**

  310.      * Clone an argument of the form passed to setIssuerNames.

  311.      * Throw a RuntimeException if the argument is malformed.

  312.      * <p>

  313.      * This method wraps cloneAndCheckIssuerNames, changing any IOException 

  314.      * into a RuntimeException. This method should be used when the object being

  315.      * cloned has already been checked, so there should never be any exceptions.

  316.      *

  317.      * @param names a <code>Collection</code> of names. Each entry is a

  318.      *              String or a byte array (the name, in string or ASN.1

  319.      *              DER encoded form, respectively). <code>null</code> is

  320.      *              not an acceptable value.

  321.      * @return a deep copy of the specified <code>Collection</code>

  322.      * @throws RuntimeException if a parsing error occurs

  323.      */

  324.     private static HashSet<Object> cloneIssuerNames(Collection<Object> names) {

  325.         try {

  326.             return cloneAndCheckIssuerNames(names);

  327.         } catch (IOException ioe) {

  328. 	    throw new RuntimeException(ioe);

  329.         }

  330.     }

  331. 

  332.     /**

  333.      * Parse an argument of the form passed to setIssuerNames,

  334.      * returning a Collection of issuerX500Principals.

  335.      * Throw an IOException if the argument is malformed.

  336.      *

  337.      * @param names a <code>Collection</code> of names. Each entry is a

  338.      *              String or a byte array (the name, in string or ASN.1

  339.      *              DER encoded form, respectively). <Code>Null</Code> is

  340.      *              not an acceptable value.

  341.      * @return a HashSet of issuerX500Principals

  342.      * @throws IOException if a parsing error occurs

  343.      */

  344.     private static HashSet<X500Principal> parseIssuerNames(Collection<Object> names) 

  345.     throws IOException {

  346.         HashSet<X500Principal> x500Principals = new HashSet<X500Principal>();

  347. 	for (Iterator t = names.iterator(); t.hasNext(); ) {

  348. 	    Object nameObject = t.next();

  349. 	    if (nameObject instanceof String) {

  350. 		x500Principals.add(new X500Name((String)nameObject).asX500Principal());

  351. 	    } else {

  352. 		try {

  353. 		    x500Principals.add(new X500Principal((byte[])nameObject));

  354. 		} catch (IllegalArgumentException e) {

  355. 		    throw (IOException)new IOException("Invalid name").initCause(e);

  356. 		}

  357. 	    }

  358. 	}

  359.         return x500Principals;

  360.     }

  361. 

  362.     /**

  363.      * Sets the minCRLNumber criterion. The <code>X509CRL</code> must have a

  364.      * CRL number extension whose value is greater than or equal to the

  365.      * specified value. If <code>null</code>, no minCRLNumber check will be 

  366.      * done.

  367.      *

  368.      * @param minCRL the minimum CRL number accepted (or <code>null</code>)

  369.      */

  370.     public void setMinCRLNumber(BigInteger minCRL) {

  371.         this.minCRL = minCRL;

  372.     }

  373. 

  374.     /**

  375.      * Sets the maxCRLNumber criterion. The <code>X509CRL</code> must have a

  376.      * CRL number extension whose value is less than or equal to the

  377.      * specified value. If <code>null</code>, no maxCRLNumber check will be 

  378.      * done.

  379.      *

  380.      * @param maxCRL the maximum CRL number accepted (or <code>null</code>)

  381.      */

  382.     public void setMaxCRLNumber(BigInteger maxCRL) {

  383.         this.maxCRL = maxCRL;

  384.     }

  385. 

  386.     /**

  387.      * Sets the dateAndTime criterion. The specified date must be

  388.      * equal to or later than the value of the thisUpdate component

  389.      * of the <code>X509CRL</code> and earlier than the value of the

  390.      * nextUpdate component. There is no match if the <code>X509CRL</code>

  391.      * does not contain a nextUpdate component.

  392.      * If <code>null</code>, no dateAndTime check will be done.

  393.      * <p>

  394.      * Note that the <code>Date</code> supplied here is cloned to protect 

  395.      * against subsequent modifications.

  396.      *

  397.      * @param dateAndTime the <code>Date</code> to match against

  398.      *                    (or <code>null</code>)

  399.      * @see #getDateAndTime

  400.      */

  401.     public void setDateAndTime(Date dateAndTime) {

  402.         if (dateAndTime == null)

  403.             this.dateAndTime = null;

  404.         else

  405.             this.dateAndTime = (Date) dateAndTime.clone();

  406.     }

  407. 

  408.     /**

  409.      * Sets the certificate being checked. This is not a criterion. Rather,

  410.      * it is optional information that may help a <code>CertStore</code>

  411.      * find CRLs that would be relevant when checking revocation for the

  412.      * specified certificate. If <code>null</code> is specified, then no

  413.      * such optional information is provided.

  414.      *

  415.      * @param cert the <code>X509Certificate</code> being checked

  416.      *             (or <code>null</code>)

  417.      * @see #getCertificateChecking

  418.      */

  419.     public void setCertificateChecking(X509Certificate cert) {

  420.         certChecking = cert;

  421.     }

  422. 

  423.     /**

  424.      * Returns the issuerNames criterion. The issuer distinguished

  425.      * name in the <code>X509CRL</code> must match at least one of the specified

  426.      * distinguished names. If the value returned is <code>null</code>, any

  427.      * issuer distinguished name will do.

  428.      * <p>

  429.      * If the value returned is not <code>null</code>, it is a

  430.      * unmodifiable <code>Collection</code> of <code>X500Principal</code>s.

  431.      *

  432.      * @return an unmodifiable <code>Collection</code> of names 

  433.      *   (or <code>null</code>)

  434.      * @see #setIssuers

  435.      * @since 1.5

  436.      */

  437.     public Collection<X500Principal> getIssuers() {

  438. 	if (issuerX500Principals == null) {

  439. 	    return null;

  440. 	}

  441. 	return Collections.unmodifiableCollection(issuerX500Principals);

  442.     }

  443. 

  444.     /**

  445.      * Returns a copy of the issuerNames criterion. The issuer distinguished

  446.      * name in the <code>X509CRL</code> must match at least one of the specified

  447.      * distinguished names. If the value returned is <code>null</code>, any

  448.      * issuer distinguished name will do.

  449.      * <p>

  450.      * If the value returned is not <code>null</code>, it is a

  451.      * <code>Collection</code> of names. Each name is a <code>String</code>

  452.      * or a byte array representing a distinguished name (in RFC 2253 or

  453.      * ASN.1 DER encoded form, respectively).  Note that the 

  454.      * <code>Collection</code> returned may contain duplicate names.

  455.      * <p>

  456.      * If a name is specified as a byte array, it should contain a single DER

  457.      * encoded distinguished name, as defined in X.501. The ASN.1 notation for

  458.      * this structure is given in the documentation for

  459.      * {@link #setIssuerNames setIssuerNames(Collection names)}.

  460.      * <p>

  461.      * Note that a deep copy is performed on the <code>Collection</code> to

  462.      * protect against subsequent modifications.

  463.      *

  464.      * @return a <code>Collection</code> of names (or <code>null</code>)

  465.      * @see #setIssuerNames

  466.      */

  467.     public Collection<Object> getIssuerNames() {

  468.         if (issuerNames == null) {

  469.             return null;

  470. 	}

  471.         return cloneIssuerNames(issuerNames);

  472.     }

  473. 

  474.     /**

  475.      * Returns the minCRLNumber criterion. The <code>X509CRL</code> must have a

  476.      * CRL number extension whose value is greater than or equal to the

  477.      * specified value. If <code>null</code>, no minCRLNumber check will be done.

  478.      *

  479.      * @return the minimum CRL number accepted (or <code>null</code>)

  480.      */

  481.     public BigInteger getMinCRL() {

  482.         return minCRL;

  483.     }

  484. 

  485.     /**

  486.      * Returns the maxCRLNumber criterion. The <code>X509CRL</code> must have a

  487.      * CRL number extension whose value is less than or equal to the

  488.      * specified value. If <code>null</code>, no maxCRLNumber check will be 

  489.      * done.

  490.      *

  491.      * @return the maximum CRL number accepted (or <code>null</code>)

  492.      */

  493.     public BigInteger getMaxCRL() {

  494.         return maxCRL;

  495.     }

  496. 

  497.     /**

  498.      * Returns the dateAndTime criterion. The specified date must be

  499.      * equal to or later than the value of the thisUpdate component

  500.      * of the <code>X509CRL</code> and earlier than the value of the

  501.      * nextUpdate component. There is no match if the

  502.      * <code>X509CRL</code> does not contain a nextUpdate component.

  503.      * If <code>null</code>, no dateAndTime check will be done.

  504.      * <p>

  505.      * Note that the <code>Date</code> returned is cloned to protect against

  506.      * subsequent modifications.

  507.      *

  508.      * @return the <code>Date</code> to match against (or <code>null</code>)

  509.      * @see #setDateAndTime

  510.      */

  511.     public Date getDateAndTime() {

  512.         if (dateAndTime == null)

  513.             return null;

  514.         return (Date) dateAndTime.clone();

  515.     }

  516. 

  517.     /**

  518.      * Returns the certificate being checked. This is not a criterion. Rather,

  519.      * it is optional information that may help a <code>CertStore</code>

  520.      * find CRLs that would be relevant when checking revocation for the

  521.      * specified certificate. If the value returned is <code>null</code>, then 

  522.      * no such optional information is provided.

  523.      *

  524.      * @return the certificate being checked (or <code>null</code>)

  525.      * @see #setCertificateChecking

  526.      */

  527.     public X509Certificate getCertificateChecking() {

  528.         return certChecking;

  529.     }

  530. 

  531.     /**

  532.      * Returns a printable representation of the <code>X509CRLSelector</code>.

  533.      *

  534.      * @return a <code>String</code> describing the contents of the

  535.      *         <code>X509CRLSelector</code>.

  536.      */

  537.     public String toString() {

  538.         StringBuffer sb = new StringBuffer();

  539.         sb.append("X509CRLSelector: [\n");

  540.         if (issuerNames != null) {

  541.             sb.append("  IssuerNames:\n");

  542.             Iterator i = issuerNames.iterator();

  543.             while (i.hasNext())

  544. 	        sb.append("    " + i.next() + "\n");

  545.         }

  546.         if (minCRL != null)

  547.             sb.append("  minCRLNumber: " + minCRL + "\n");

  548.         if (maxCRL != null)

  549.             sb.append("  maxCRLNumber: " + maxCRL + "\n");

  550.         if (dateAndTime != null)

  551.             sb.append("  dateAndTime: " + dateAndTime + "\n");

  552.         if (certChecking != null)

  553.             sb.append("  Certificate being checked: " + certChecking + "\n");

  554.         sb.append("]");

  555.         return sb.toString();

  556.     }

  557. 

  558.     /**

  559.      * Decides whether a <code>CRL</code> should be selected.

  560.      *

  561.      * @param crl the <code>CRL</code> to be checked

  562.      * @return <code>true</code> if the <code>CRL</code> should be selected,

  563.      *         <code>false</code> otherwise

  564.      */

  565.     public boolean match(CRL crl) {

  566.         if (!(crl instanceof X509CRL)) {

  567.             return false;

  568. 	}

  569.         X509CRL xcrl = (X509CRL)crl;

  570. 

  571.         /* match on issuer name */

  572.         if (issuerNames != null) {

  573.             X500Principal issuer = xcrl.getIssuerX500Principal();

  574.             Iterator i = issuerX500Principals.iterator();

  575.             boolean found = false;

  576.             while (!found && i.hasNext()) {

  577. 	        if (i.next().equals(issuer)) {

  578. 	            found = true;

  579. 		}

  580. 	    }

  581.             if (!found) {

  582. 	        if (debug != null) {

  583. 	    	    debug.println("X509CRLSelector.match: issuer DNs "

  584. 			+ "don't match");

  585. 		}

  586. 	        return false;

  587.             }

  588.         }

  589. 	

  590. 	if ((minCRL != null) || (maxCRL != null)) {

  591. 	    /* Get CRL number extension from CRL */

  592. 	    byte[] crlNumExtVal = xcrl.getExtensionValue("2.5.29.20");

  593. 	    if (crlNumExtVal == null) {

  594. 		if (debug != null) {

  595. 		    debug.println("X509CRLSelector.match: no CRLNumber");

  596. 		}

  597. 	    }

  598. 	    BigInteger crlNum;

  599. 	    try {

  600. 		DerInputStream in = new DerInputStream(crlNumExtVal);

  601. 		byte[] encoded = in.getOctetString();

  602. 		CRLNumberExtension crlNumExt = 

  603. 		    new CRLNumberExtension(Boolean.FALSE, encoded);

  604. 		crlNum = (BigInteger)crlNumExt.get(CRLNumberExtension.NUMBER);

  605. 	    } catch (IOException ex) {

  606. 		if (debug != null) {

  607. 		    debug.println("X509CRLSelector.match: exception in "

  608. 			+ "decoding CRL number");

  609. 		}

  610. 		return false;

  611. 	    }

  612.     

  613. 	    /* match on minCRLNumber */

  614. 	    if (minCRL != null) {

  615. 		if (crlNum.compareTo(minCRL) < 0) {

  616. 		    if (debug != null) {

  617. 			debug.println("X509CRLSelector.match: CRLNumber too small");

  618. 		    }

  619. 		    return false;

  620. 		}

  621. 	    }

  622. 

  623. 	    /* match on maxCRLNumber */

  624. 	    if (maxCRL != null) {

  625. 		if (crlNum.compareTo(maxCRL) > 0) {

  626. 		    if (debug != null) {

  627. 			debug.println("X509CRLSelector.match: CRLNumber too large");

  628. 		    }

  629. 		    return false;

  630. 		}

  631. 	    }

  632. 	}

  633. 

  634. 

  635.         /* match on dateAndTime */

  636.         if (dateAndTime != null) {

  637. 	    Date crlThisUpdate = xcrl.getThisUpdate();

  638.             Date nextUpdate = xcrl.getNextUpdate();

  639.             if (nextUpdate == null) {

  640. 	        if (debug != null) {

  641. 		    debug.println("X509CRLSelector.match: nextUpdate null");

  642. 		}

  643. 	        return false;

  644.             }

  645.             if (crlThisUpdate.after(dateAndTime) 

  646. 	          || nextUpdate.before(dateAndTime)) {

  647. 	        if (debug != null) {

  648. 		    debug.println("X509CRLSelector.match: update out of range");

  649. 		}

  650. 	        return false;

  651.             }

  652.         }

  653. 

  654.         return true;

  655.     }

  656. 

  657.     /**

  658.      * Returns a copy of this object.

  659.      *

  660.      * @return the copy

  661.      */

  662.     public Object clone() {

  663.         try {

  664.             X509CRLSelector copy = (X509CRLSelector)super.clone();

  665.             if (issuerNames != null) {

  666.                 copy.issuerNames = 

  667. 			new HashSet<Object>(issuerNames);

  668.                 copy.issuerX500Principals = 

  669. 			new HashSet<X500Principal>(issuerX500Principals);

  670.             }

  671.             return copy;

  672.         } catch (CloneNotSupportedException e) {

  673.             /* Cannot happen */

  674.             throw new InternalError(e.toString());

  675.         }

  676.     }

  677. }