/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package java.security.cert;
import java.io.IOException;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.apache.harmony.security.asn1.ASN1Integer;
import org.apache.harmony.security.asn1.ASN1OctetString;
import org.apache.harmony.security.x501.Name;
/**
* A CRL selector ({@code CRLSelector} for selecting {@code
* X509CRL}s that match the specified criteria.
* <p>
* When constructed, all criteria are set to default values that will match any
* {@code X509CRL}.
*/
public class X509CRLSelector implements CRLSelector {
// issuerNames criterion:
// contains X.500 distinguished names in CANONICAL format
private ArrayList<String> issuerNames;
// contains X500Principal objects corresponding to the names
// from issuerNames collection (above)
private ArrayList<X500Principal> issuerPrincipals;
// minCRLNumber criterion
private BigInteger minCRL;
// maxCRLNumber criterion
private BigInteger maxCRL;
// dateAndTime criterion
private long dateAndTime = -1;
// the certificate being checked
private X509Certificate certificateChecking;
/**
* Creates a new {@code X509CertSelector}.
*/
public X509CRLSelector() { }
/**
* Sets the criterion for the issuer distinguished names.
* <p>
* The CRL issuer must match at least one of the specified distinguished
* names.
*
* @param issuers
* the list of issuer distinguished names to match, or {@code
* null} if any issuer distinguished name will do.
*/
public void setIssuers(Collection<X500Principal> issuers) {
if (issuers == null) {
issuerNames = null;
issuerPrincipals = null;
return;
}
issuerNames = new ArrayList<String>(issuers.size());
issuerPrincipals = new ArrayList<X500Principal>(issuers);
for (X500Principal issuer: issuers) {
issuerNames.add(issuer.getName(X500Principal.CANONICAL));
}
}
/**
* <b>Do not use:</b> use {@link #setIssuers(Collection)} or one of
* {@link #addIssuerName} instead. Sets the criterion for the issuer
* distinguished names.
* <p>
* The CRL issuer must match at least one of the specified distinguished
* names.
* <p>
* The specified parameter {@code names} is a collection with an entry for
* each name to be included in the criterion. The name is specified as a
* {@code String} or a byte array specifying the name (in RFC 2253 or ASN.1
* DER encoded form)
*
* @param names
* the list of issuer distinguished names to match, or {@code
* null} if any issuer distinguished name will do.
* @throws IOException
* if parsing fails.
*/
public void setIssuerNames(Collection<?> names) throws IOException {
if (names == null) {
issuerNames = null;
issuerPrincipals = null;
return;
}
if (names.size() == 0) {
return;
}
issuerNames = new ArrayList<String>(names.size());
for (Object name: names) {
if (name instanceof String) {
issuerNames.add(
new Name((String) name).getName(
X500Principal.CANONICAL));
} else if (name instanceof byte[]) {
issuerNames.add(
new Name((byte[]) name).getName(
X500Principal.CANONICAL));
} else {
throw new IOException("name neither a String nor a byte[]");
}
}
}
/**
* Adds an issuer to the criterion for the issuer distinguished names.
* <p>
* The CRL issuer must match at least one of the specified distinguished
* names.
*
* @param issuer
* the issuer to add to the criterion
*/
public void addIssuer(X500Principal issuer) {
if (issuer == null) {
throw new NullPointerException("issuer == null");
}
if (issuerNames == null) {
issuerNames = new ArrayList<String>();
}
String name = issuer.getName(X500Principal.CANONICAL);
if (!issuerNames.contains(name)) {
issuerNames.add(name);
}
if (issuerPrincipals == null) {
issuerPrincipals = new ArrayList<X500Principal>(issuerNames.size());
}
// extend the list of issuer Principals
int size = issuerNames.size() - 1;
for (int i=issuerPrincipals.size(); i<size; i++) {
issuerPrincipals.add(new X500Principal(issuerNames.get(i)));
}
issuerPrincipals.add(issuer);
}
/**
* <b>Do not use:</b>, use {@link #addIssuer(X500Principal)} or
* {@link #addIssuerName(byte[])} instead. It can fail to match some CRLs
* because of a loss of encoding information in a RFC 2253 string.
* <p>
* Adds an issuer to the criterion for the issuer distinguished names. The
* CRK issuer must match at least one of the specified distinguished names.
*
* @param iss_name
* the RFC 2253 encoded name.
* @throws IOException
* if parsing fails.
*/
public void addIssuerName(String iss_name) throws IOException {
if (issuerNames == null) {
issuerNames = new ArrayList<String>();
}
if (iss_name == null) {
iss_name = "";
}
String name = new Name(iss_name).getName(X500Principal.CANONICAL);
if (!issuerNames.contains(name)) {
issuerNames.add(name);
}
}
/**
* Adds an issuer to the criterion for the issuer distinguished names.
* <p>
* The CRL issuer must match at least one of the specified distinguished
* names.
*
* @param iss_name
* the issuer to add to the criterion in ASN.1 DER encoded form.
* @throws IOException
* if parsing fails.
*/
public void addIssuerName(byte[] iss_name) throws IOException {
if (iss_name == null) {
throw new NullPointerException("iss_name == null");
}
if (issuerNames == null) {
issuerNames = new ArrayList<String>();
}
String name = new Name(iss_name).getName(X500Principal.CANONICAL);
if (!issuerNames.contains(name)) {
issuerNames.add(name);
}
}
/**
* Sets the criterion for the minimum CRL number.
* <p>
* The CRL must have a number extension with a value greater than or equal
* to the specified parameter.
*
* @param minCRL
* the minimum CRL number or null to not check the minimum CRL
* number
*/
public void setMinCRLNumber(BigInteger minCRL) {
this.minCRL = minCRL;
}
/**
* Sets the criterion for the maximum CRL number.
* <p>
* The CRL must have a number extension with a value less than or equal to
* the specified parameter.
*
* @param maxCRL
* the maximum CRL number or null to not check the maximum CRL
* number.
*/
public void setMaxCRLNumber(BigInteger maxCRL) {
this.maxCRL = maxCRL;
}
/**
* Sets the criterion for the CRL update period.
* <p>
* The CRL's {@code thisUpdate} value must be equal or before the specified
* date and the {@code nextUpdate} value must be after the specified date.
*
* @param dateAndTime
* the date to search for valid CRL's or {@code null} to not
* check the date.
*/
public void setDateAndTime(Date dateAndTime) {
if (dateAndTime == null) {
this.dateAndTime = -1;
return;
}
this.dateAndTime = dateAndTime.getTime();
}
/**
* Sets a certificate hint to find CRLs. It's not a criterion but may help
* finding relevant CRLs.
*
* @param cert
* the certificate hint or {@code null}.
*/
public void setCertificateChecking(X509Certificate cert) {
this.certificateChecking = cert;
}
/**
* Returns the criterion for the issuer distinguished names.
* <p>
* The CRL issuer must match at least one of the distinguished names.
*
* @return the unmodifiable list of issuer distinguished names to match, or
* {@code null} if any issuer distinguished name will do.
*/
public Collection<X500Principal> getIssuers() {
if (issuerNames == null) {
return null;
}
if (issuerPrincipals == null) {
issuerPrincipals = new ArrayList<X500Principal>(issuerNames.size());
}
int size = issuerNames.size();
// extend the list of issuer Principals
for (int i=issuerPrincipals.size(); i<size; i++) {
issuerPrincipals.add(new X500Principal(issuerNames.get(i)));
}
return Collections.unmodifiableCollection(issuerPrincipals);
}
/**
* Returns the criterion for the issuer distinguished names.
* <p>
* The CRL issuer must match at least one of the distinguished names.
*
* @return a copy of the list of issuer distinguished names to
* match, or {@code null} if any issuer distinguished name
* will do. The elements may be strings or ASN.1 DER
* encoded byte arrays.
*/
public Collection<Object> getIssuerNames() {
if (issuerNames == null) {
return null;
}
return (Collection<Object>) issuerNames.clone();
}
/**
* Returns the criterion for the minimum CRL number.
* <p>
* The CRL must have a number extension with a value greater than or equal
* to the returned value.
*
* @return the minimum CRL number or {@code null} if the minimum CRL number
* is not to be checked.
*/
public BigInteger getMinCRL() {
return minCRL;
}
/**
* Returns the criterion for the maximum CRL number.
* <p>
* The CRL must have a number extension with a value less than or equal to
* the returned value.
*
* @return the maximum CRL number or null if the maximum CRL number is not
* checked.
*/
public BigInteger getMaxCRL() {
return maxCRL;
}
/**
* Returns the criterion for the CRL update period.
* <p>
* The CRL's {@code thisUpdate} value must be equal or before the returned
* date and the {@code nextUpdate} value must be after the returned date.
*
* @return the date to search for valid CRL's or {@code null} if the date is
* not checked.
*/
public Date getDateAndTime() {
if (dateAndTime == -1) {
return null;
}
return new Date(dateAndTime);
}
/**
* Returns the certificate hint to find CRLs. It's not a criterion but may
* help finding relevant CRLs.
*
* @return the certificate hint or {@code null} if none set.
*/
public X509Certificate getCertificateChecking() {
return certificateChecking;
}
/**
* Returns a string representation of this {@code X509CRLSelector} instance.
*
* @return a string representation of this {@code X509CRLSelector} instance.
*/
public String toString() {
StringBuilder result = new StringBuilder();
result.append("X509CRLSelector:\n[");
if (issuerNames != null) {
result.append("\n IssuerNames:\n [");
int size = issuerNames.size();
for (int i=0; i<size; i++) {
result.append("\n "
+ issuerNames.get(i));
}
result.append("\n ]");
}
if (minCRL != null) {
result.append("\n minCRL: " + minCRL);
}
if (maxCRL != null) {
result.append("\n maxCRL: " + maxCRL);
}
if (dateAndTime != -1) {
result.append("\n dateAndTime: " + (new Date(dateAndTime)));
}
if (certificateChecking != null) {
result.append("\n certificateChecking: " + certificateChecking);
}
result.append("\n]");
return result.toString();
}
/**
* Returns whether the specified CRL matches all the criteria collected in
* this instance.
*
* @param crl
* the CRL to check.
* @return {@code true} if the CRL matches all the criteria, otherwise
* {@code false}.
*/
public boolean match(CRL crl) {
if (!(crl instanceof X509CRL)) {
return false;
}
X509CRL crlist = (X509CRL) crl;
if ((issuerNames != null) &&
// the search speed depends on the class of issuerNames
!(issuerNames.contains(
crlist.getIssuerX500Principal().getName(
X500Principal.CANONICAL)))) {
return false;
}
if ((minCRL != null) || (maxCRL != null)) {
try {
// As specified in rfc 3280 (http://www.ietf.org/rfc/rfc3280.txt)
// CRL Number Extension's OID is 2.5.29.20 .
byte[] bytes = crlist.getExtensionValue("2.5.29.20");
bytes = (byte[]) ASN1OctetString.getInstance().decode(bytes);
BigInteger crlNumber = new BigInteger((byte[])
ASN1Integer.getInstance().decode(bytes));
if ((minCRL != null) && (crlNumber.compareTo(minCRL) < 0)) {
return false;
}
if ((maxCRL != null) && (crlNumber.compareTo(maxCRL) > 0)) {
return false;
}
} catch (IOException e) {
return false;
}
}
if (dateAndTime != -1) {
Date thisUp = crlist.getThisUpdate();
Date nextUp = crlist.getNextUpdate();
if ((thisUp == null) || (nextUp == null)) {
return false;
}
if ((dateAndTime < thisUp.getTime())
|| (dateAndTime > nextUp.getTime())) {
return false;
}
}
return true;
}
/**
* Clones this {@code X509CRL} instance.
*
* @return the cloned instance.
*/
public Object clone() {
X509CRLSelector result;
try {
result = (X509CRLSelector) super.clone();
if (issuerNames != null) {
result.issuerNames = new ArrayList<String>(issuerNames);
}
} catch (CloneNotSupportedException e) {
result = null;
}
return result;
}
}