libjava/java/security/cert/X509CRLSelector.java

   1 /* X509CRLSelector.java -- selects X.509 CRLs by criteria.
   2    Copyright (C) 2004 Free Software Foundation, Inc.
   3
   4 This file is part of GNU Classpath.
   5
   6 GNU Classpath is free software; you can redistribute it and/or modify
   7 it under the terms of the GNU General Public License as published by
   8 the Free Software Foundation; either version 2, or (at your option)
   9 any later version.
  10
  11 GNU Classpath is distributed in the hope that it will be useful, but
  12 WITHOUT ANY WARRANTY; without even the implied warranty of
  13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14 General Public License for more details.
  15
  16 You should have received a copy of the GNU General Public License
  17 along with GNU Classpath; see the file COPYING.  If not, write to the
  18 Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
  19 02111-1307 USA.
  20
  21 Linking this library statically or dynamically with other modules is
  22 making a combined work based on this library.  Thus, the terms and
  23 conditions of the GNU General Public License cover the whole
  24 combination.
  25
  26 As a special exception, the copyright holders of this library give you
  27 permission to link this library with independent modules to produce an
  28 executable, regardless of the license terms of these independent
  29 modules, and to copy and distribute the resulting executable under
  30 terms of your choice, provided that you also meet, for each linked
  31 independent module, the terms and conditions of the license of that
  32 module.  An independent module is a module which is not derived from
  33 or based on this library.  If you modify this library, you may extend
  34 this exception to your version of the library, but you are not
  35 obligated to do so.  If you do not wish to do so, delete this
  36 exception statement from your version. */
  37
  38
  39 package java.security.cert;
  40
  41 import gnu.java.security.action.GetPropertyAction;
  42 import gnu.java.security.der.DERReader;
  43 import gnu.java.security.der.DERValue;
  44
  45 import java.io.IOException;
  46 import java.io.InputStream;
  47 import java.math.BigInteger;
  48 import java.security.AccessController;
  49 import java.util.ArrayList;
  50 import java.util.Collection;
  51 import java.util.Collections;
  52 import java.util.Date;
  53 import java.util.Iterator;
  54 import java.util.LinkedList;
  55 import java.util.List;
  56
  57 import javax.security.auth.x500.X500Principal;
  58
  59 /**
  60  * A class for matching X.509 certificate revocation lists by criteria.
  61  *
  62  * <p>Use of this class requires extensive knowledge of the Internet
  63  * Engineering Task Force's Public Key Infrastructure (X.509). The primary
  64  * document describing this standard is <a
  65  * href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
  66  * Public Key Infrastructure Certificate and Certificate Revocation List
  67  * (CRL) Profile</a>.
  68  *
  69  * <p>Note that this class is not thread-safe. If multiple threads will
  70  * use or modify this class then they need to synchronize on the object.
  71  *
  72  * @author Casey Marshall (csm@gnu.org)
  73  */
  74 public class X509CRLSelector implements CRLSelector, Cloneable
  75 {
  76
  77   // Fields.
  78   // -------------------------------------------------------------------------
  79
  80   private static final String CRL_NUMBER_ID = "2.5.29.20";
  81
  82   private List issuerNames;
  83   private BigInteger maxCrlNumber;
  84   private BigInteger minCrlNumber;
  85   private Date date;
  86   private X509Certificate cert;
  87
  88   // Constructor.
  89   // -------------------------------------------------------------------------
  90
  91   /**
  92    * Creates a new CRL selector with no criteria enabled; i.e., every CRL
  93    * will be matched.
  94    */
  95   public X509CRLSelector()
  96   {
  97   }
  98
  99   // Instance methods.
 100   // -------------------------------------------------------------------------
 101
 102   /**
 103    * Add an issuer name to the set of issuer names criteria, as the DER
 104    * encoded form.
 105    *
 106    * @param name The name to add, as DER bytes.
 107    * @throws IOException If the argument is not a valid DER-encoding.
 108    */
 109   public void addIssuerName(byte[] name) throws IOException
 110   {
 111     X500Principal p = null;
 112     try
 113       {
 114         p = new X500Principal(name);
 115       }
 116     catch (IllegalArgumentException iae)
 117       {
 118         IOException ioe = new IOException("malformed name");
 119         ioe.initCause(iae);
 120         throw ioe;
 121       }
 122     if (issuerNames == null)
 123       issuerNames = new LinkedList();
 124     issuerNames.add(p);
 125   }
 126
 127   /**
 128    * Add an issuer name to the set of issuer names criteria, as a
 129    * String representation.
 130    *
 131    * @param name The name to add.
 132    * @throws IOException If the argument is not a valid name.
 133    */
 134   public void addIssuerName(String name) throws IOException
 135   {
 136     X500Principal p = null;
 137     try
 138       {
 139         p = new X500Principal(name);
 140       }
 141     catch (IllegalArgumentException iae)
 142       {
 143         IOException ioe = new IOException("malformed name: " + name);
 144         ioe.initCause(iae);
 145         throw ioe;
 146       }
 147     if (issuerNames == null)
 148       issuerNames = new LinkedList();
 149     issuerNames.add(p);
 150   }
 151
 152   /**
 153    * Sets the issuer names criterion. Pass <code>null</code> to clear this
 154    * value. CRLs matched by this selector must have an issuer name in this
 155    * set.
 156    *
 157    * @param names The issuer names.
 158    * @throws IOException If any of the elements in the collection is not
 159    *         a valid name.
 160    */
 161   public void setIssuerNames(Collection names) throws IOException
 162   {
 163     if (names == null)
 164       {
 165         issuerNames = null;
 166         return;
 167       }
 168     List l = new ArrayList(names.size());
 169     for (Iterator it = names.iterator(); it.hasNext(); )
 170       {
 171         Object o = it.next();
 172         if (o instanceof X500Principal)
 173           l.add(o);
 174         else if (o instanceof String)
 175           {
 176             try
 177               {
 178                 l.add(new X500Principal((String) o));
 179               }
 180             catch (IllegalArgumentException iae)
 181               {
 182                 IOException ioe = new IOException("malformed name: " + o);
 183                 ioe.initCause(iae);
 184                 throw ioe;
 185               }
 186           }
 187         else if (o instanceof byte[])
 188           {
 189             try
 190               {
 191                 l.add(new X500Principal((byte[]) o));
 192               }
 193             catch (IllegalArgumentException iae)
 194               {
 195                 IOException ioe = new IOException("malformed name");
 196                 ioe.initCause(iae);
 197                 throw ioe;
 198               }
 199           }
 200         else if (o instanceof InputStream)
 201           {
 202             try
 203               {
 204                 l.add(new X500Principal((InputStream) o));
 205               }
 206             catch (IllegalArgumentException iae)
 207               {
 208                 IOException ioe = new IOException("malformed name");
 209                 ioe.initCause(iae);
 210                 throw ioe;
 211               }
 212           }
 213         else
 214           throw new IOException("not a valid name: " +
 215                                 (o != null ? o.getClass().getName() : "null"));
 216
 217       }
 218     issuerNames = l;
 219   }
 220
 221   /**
 222    * Returns the set of issuer names that are matched by this selector,
 223    * or <code>null</code> if this criteria is not set. The returned
 224    * collection is not modifiable.
 225    *
 226    * @return The set of issuer names.
 227    */
 228   public Collection getIssuerNames()
 229   {
 230     if (issuerNames != null)
 231       return Collections.unmodifiableList(issuerNames);
 232     else
 233       return null;
 234   }
 235
 236   /**
 237    * Returns the maximum value of the CRLNumber extension present in
 238    * CRLs matched by this selector, or <code>null</code> if this
 239    * criteria is not set.
 240    *
 241    * @return The maximum CRL number.
 242    */
 243   public BigInteger getMaxCRL()
 244   {
 245     return maxCrlNumber;
 246   }
 247
 248   /**
 249    * Returns the minimum value of the CRLNumber extension present in
 250    * CRLs matched by this selector, or <code>null</code> if this
 251    * criteria is not set.
 252    *
 253    * @return The minimum CRL number.
 254    */
 255   public BigInteger getMinCRL()
 256   {
 257     return minCrlNumber;
 258   }
 259
 260   /**
 261    * Sets the maximum value of the CRLNumber extension present in CRLs
 262    * matched by this selector. Specify <code>null</code> to clear this
 263    * criterion.
 264    *
 265    * @param maxCrlNumber The maximum CRL number.
 266    */
 267   public void setMaxCRLNumber(BigInteger maxCrlNumber)
 268   {
 269     this.maxCrlNumber = maxCrlNumber;
 270   }
 271
 272   /**
 273    * Sets the minimum value of the CRLNumber extension present in CRLs
 274    * matched by this selector. Specify <code>null</code> to clear this
 275    * criterion.
 276    *
 277    * @param minCrlNumber The minimum CRL number.
 278    */
 279   public void setMinCRLNumber(BigInteger minCrlNumber)
 280   {
 281     this.minCrlNumber = minCrlNumber;
 282   }
 283
 284   /**
 285    * Returns the date when this CRL must be valid; that is, the date
 286    * must be after the thisUpdate date, but before the nextUpdate date.
 287    * Returns <code>null</code> if this criterion is not set.
 288    *
 289    * @return The date.
 290    */
 291   public Date getDateAndTime()
 292   {
 293     return date != null ? (Date) date.clone() : null;
 294   }
 295
 296   /**
 297    * Sets the date at which this CRL must be valid. Specify
 298    * <code>null</code> to clear this criterion.
 299    *
 300    * @param date The date.
 301    */
 302   public void setDateAndTime(Date date)
 303   {
 304     this.date = date != null ? (Date) date.clone() : null;
 305   }
 306
 307   /**
 308    * Returns the certificate being checked, or <code>null</code> if this
 309    * value is not set.
 310    *
 311    * @return The certificate.
 312    */
 313   public X509Certificate getCertificateChecking()
 314   {
 315     return cert;
 316   }
 317
 318   /**
 319    * Sets the certificate being checked. This is not a criterion, but
 320    * info used by certificate store implementations to aid in searching.
 321    *
 322    * @param cert The certificate.
 323    */
 324   public void setCertificateChecking(X509Certificate cert)
 325   {
 326     this.cert = cert;
 327   }
 328
 329   /**
 330    * Returns a string representation of this selector. The string will
 331    * only describe the enabled criteria, so if none are enabled this will
 332    * return a string that contains little else besides the class name.
 333    *
 334    * @return The string.
 335    */
 336   public String toString()
 337   {
 338     StringBuffer str = new StringBuffer(X509CRLSelector.class.getName());
 339     GetPropertyAction getProp = new GetPropertyAction("line.separator");
 340     String nl = (String) AccessController.doPrivileged(getProp);
 341     String eol = ";" + nl;
 342
 343     str.append(" {").append(nl);
 344     if (issuerNames != null)
 345       str.append("  issuer names = ").append(issuerNames).append(eol);
 346     if (maxCrlNumber != null)
 347       str.append("  max CRL = ").append(maxCrlNumber).append(eol);
 348     if (minCrlNumber != null)
 349       str.append("  min CRL = ").append(minCrlNumber).append(eol);
 350     if (date != null)
 351       str.append("  date = ").append(date).append(eol);
 352     if (cert != null)
 353       str.append("  certificate = ").append(cert).append(eol);
 354     str.append("}").append(nl);
 355     return str.toString();
 356   }
 357
 358   /**
 359    * Checks a CRL against the criteria of this selector, returning
 360    * <code>true</code> if the given CRL matches all the criteria.
 361    *
 362    * @param _crl The CRL being checked.
 363    * @return True if the CRL matches, false otherwise.
 364    */
 365   public boolean match(CRL _crl)
 366   {
 367     if (!(_crl instanceof X509CRL))
 368       return false;
 369     X509CRL crl = (X509CRL) _crl;
 370     if (issuerNames != null)
 371       {
 372         if (!issuerNames.contains(crl.getIssuerX500Principal()))
 373           return false;
 374       }
 375     BigInteger crlNumber = null;
 376     if (maxCrlNumber != null)
 377       {
 378         byte[] b = crl.getExtensionValue(CRL_NUMBER_ID);
 379         if (b == null)
 380           return false;
 381         try
 382           {
 383             DERValue val = DERReader.read(b);
 384             if (!(val.getValue() instanceof BigInteger))
 385               return false;
 386             crlNumber = (BigInteger) val.getValue();
 387           }
 388         catch (IOException ioe)
 389           {
 390             return false;
 391           }
 392         if (maxCrlNumber.compareTo(crlNumber) < 0)
 393           return false;
 394       }
 395     if (minCrlNumber != null)
 396       {
 397         if (crlNumber == null)
 398           {
 399             byte[] b = crl.getExtensionValue(CRL_NUMBER_ID);
 400             if (b == null)
 401               return false;
 402             try
 403               {
 404                 DERValue val = DERReader.read(b);
 405                 if (!(val.getValue() instanceof BigInteger))
 406                   return false;
 407                 crlNumber = (BigInteger) val.getValue();
 408               }
 409             catch (IOException ioe)
 410               {
 411                 return false;
 412               }
 413           }
 414         if (minCrlNumber.compareTo(crlNumber) > 0)
 415           return false;
 416       }
 417     if (date != null)
 418       {
 419         if (date.compareTo(crl.getThisUpdate()) < 0 ||
 420             date.compareTo(crl.getNextUpdate()) > 0)
 421           return false;
 422       }
 423     return true;
 424   }
 425
 426   /**
 427    * Returns a copy of this object.
 428    *
 429    * @return The copy.
 430    */
 431   public Object clone()
 432   {
 433     try
 434       {
 435         return super.clone();
 436       }
 437     catch (CloneNotSupportedException shouldNotHappen)
 438       {
 439         throw new Error(shouldNotHappen);
 440       }
 441   }
 442 }