001/* X509CRL.java --- X.509 Certificate Revocation List
002   Copyright (C) 1999, 2004  Free Software Foundation, Inc.
003
004This file is part of GNU Classpath.
005
006GNU Classpath is free software; you can redistribute it and/or modify
007it under the terms of the GNU General Public License as published by
008the Free Software Foundation; either version 2, or (at your option)
009any later version.
010 
011GNU Classpath is distributed in the hope that it will be useful, but
012WITHOUT ANY WARRANTY; without even the implied warranty of
013MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
014General Public License for more details.
015
016You should have received a copy of the GNU General Public License
017along with GNU Classpath; see the file COPYING.  If not, write to the
018Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
01902110-1301 USA.
020
021Linking this library statically or dynamically with other modules is
022making a combined work based on this library.  Thus, the terms and
023conditions of the GNU General Public License cover the whole
024combination.
025
026As a special exception, the copyright holders of this library give you
027permission to link this library with independent modules to produce an
028executable, regardless of the license terms of these independent
029modules, and to copy and distribute the resulting executable under
030terms of your choice, provided that you also meet, for each linked
031independent module, the terms and conditions of the license of that
032module.  An independent module is a module which is not derived from
033or based on this library.  If you modify this library, you may extend
034this exception to your version of the library, but you are not
035obligated to do so.  If you do not wish to do so, delete this
036exception statement from your version. */
037
038
039package java.security.cert;
040
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.Date;
import java.util.Set;

import javax.security.auth.x500.X500Principal;
052
053/**
   The X509CRL class is the abstract class used to manage
   X.509 Certificate Revocation Lists. A CRL is a list of
   time-stamped entries indicating which certificates have been
   revoked. The list is signed by a Certificate Authority (CA)
   and made publicly available in a repository.
059   
   Each revoked certificate in the CRL is identified by its
   certificate serial number. When a piece of code uses a
   certificate, the certificate's validity is checked by
   validating its signature and determining that its serial
   number does not appear on a recently acquired CRL. How recent
   the CRL must be depends on the local policy in effect. The CA
   issues a new CRL periodically, and entries may be removed once
   the certificate's expiration date is reached.
068   
069   
070   A description of the X.509 v2 CRL follows below from rfc2459.
071   
072   "The X.509 v2 CRL syntax is as follows.  For signature calculation,
073   the data that is to be signed is ASN.1 DER encoded.  ASN.1 DER
074   encoding is a tag, length, value encoding system for each element.
075   
076           CertificateList  ::=  SEQUENCE  {
077                tbsCertList          TBSCertList,
078                signatureAlgorithm   AlgorithmIdentifier,
079                signatureValue       BIT STRING  }
080        
081           TBSCertList  ::=  SEQUENCE  {
082                version                 Version OPTIONAL,
083                                     -- if present, shall be v2
084                signature               AlgorithmIdentifier,
085                issuer                  Name,
086                thisUpdate              Time,
087                nextUpdate              Time OPTIONAL,
088                revokedCertificates     SEQUENCE OF SEQUENCE  {
089                     userCertificate         CertificateSerialNumber,
090                     revocationDate          Time,
091                     crlEntryExtensions      Extensions OPTIONAL
092                                                   -- if present, shall be v2
093                                          }  OPTIONAL,
094                crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
095                                                   -- if present, shall be v2
096                                          }"
097
098        @author Mark Benvenuto
099
100        @since 1.2
101*/
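public abstract class X509CRL extends CRL implements X509Extension
{

  /**
     Constructs a new X509CRL whose CRL type is "X.509".
  */
  protected X509CRL()
  {
    super("X.509");
  }

  /**
     Compares this X509CRL to another object. The two are equal when
     the other object is also an X509CRL and the two DER encodings
     (as returned by getEncoded()) are byte-for-byte identical. An
     object is always equal to itself, even if its encoding cannot
     be produced, so that the equals contract (reflexivity) holds.
     If either encoding fails with a CRLException the CRLs are
     reported as unequal.

     Equality is defined on the encoding, not on the parsed fields:
     two CRLs with the same issuer, dates and entries but different
     encodings are not equal. CRLs are public data, so a
     constant-time comparison is not required here.

     @param other An Object to test for equality

     @return true if equal, false otherwise
  */
  public boolean equals(Object other)
  {
    if (this == other)
      return true;
    if (!(other instanceof X509CRL))
      return false;
    try
      {
        // Fetch each encoding once; a subclass may re-encode on every call.
        byte[] mine = getEncoded();
        byte[] theirs = ((X509CRL) other).getEncoded();
        return Arrays.equals(mine, theirs);
      }
    catch (CRLException crle)
      {
        // Without an encoding we cannot establish equality; report the
        // CRLs as different rather than propagate the failure.
        return false;
      }
  }

  /**
     Returns a hash code computed over the DER encoding of this CRL,
     so that two CRLs which are equal() also have equal hash codes.
     (Returning the identity hash here would break the equals/hashCode
     contract, because equals() compares encodings.) If the encoding
     cannot be produced, 0 is returned.

     @return A hash code derived from the encoded form
  */
  public int hashCode()
  {
    try
      {
        return Arrays.hashCode(getEncoded());
      }
    catch (CRLException crle)
      {
        return 0;
      }
  }

  /**
     Gets the DER ASN.1 encoded form of this X.509 CRL, i.e. the
     complete CertificateList structure including the signature.

     @return byte array containing the encoded form

     @throws CRLException if an encoding error occurs
  */
  public abstract byte[] getEncoded() throws CRLException;

  /**
     Verifies that the signature on this CRL was produced by the
     private key corresponding to the supplied public key.

     A successful verification proves only that the holder of the
     matching private key signed this CRL. It does not establish
     that the key belongs to the CA named in the issuer field, that
     the signer is authorized to issue CRLs, or that the CRL is
     current (see getThisUpdate() and getNextUpdate()); callers are
     responsible for those checks.

     @param key PublicKey to verify with

     @throws CRLException encoding error
     @throws NoSuchAlgorithmException unsupported signature algorithm
     @throws InvalidKeyException incorrect key
     @throws NoSuchProviderException no provider
     @throws SignatureException signature error or signature mismatch
  */
  public abstract void verify(PublicKey key)
    throws CRLException,
    NoSuchAlgorithmException,
    InvalidKeyException,
    NoSuchProviderException,
    SignatureException;

  /**
     Verifies that the signature on this CRL was produced by the
     private key corresponding to the supplied public key, using the
     signature engine of the named provider.

     The same caveats as for verify(PublicKey) apply: a successful
     verification says nothing about the identity, authorization or
     freshness of the signer and the CRL.

     @param key PublicKey to verify with
     @param sigProvider name of the Provider supplying the signature algorithm

     @throws CRLException encoding error
     @throws NoSuchAlgorithmException unsupported signature algorithm
     @throws InvalidKeyException incorrect key
     @throws NoSuchProviderException incorrect provider
     @throws SignatureException signature error or signature mismatch
  */
  public abstract void verify(PublicKey key,
                              String sigProvider)
    throws CRLException,
    NoSuchAlgorithmException,
    InvalidKeyException,
    NoSuchProviderException,
    SignatureException;

  /**
     Gets the version of this CRL.

     The ASN.1 encoding is:

     version                 Version OPTIONAL,
     -- if present, shall be v2

     Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

     Consult rfc2459 for more information.

     @return the version number, e.g. 1 or 2
  */
  public abstract int getVersion();

  /**
     Returns the issuer (issuer distinguished name) of the CRL.
     The issuer is the entity who signed and issued the
     Certificate Revocation List.

     The ASN.1 DER encoding is:

     issuer                  Name,

     Name ::= CHOICE {
     RDNSequence }

     RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

     RelativeDistinguishedName ::=
     SET OF AttributeTypeAndValue

     AttributeTypeAndValue ::= SEQUENCE {
     type     AttributeType,
     value    AttributeValue }

     AttributeType ::= OBJECT IDENTIFIER

     AttributeValue ::= ANY DEFINED BY AttributeType

     DirectoryString ::= CHOICE {
     teletexString           TeletexString (SIZE (1..MAX)),
     printableString         PrintableString (SIZE (1..MAX)),
     universalString         UniversalString (SIZE (1..MAX)),
     utf8String              UTF8String (SIZE (1.. MAX)),
     bmpString               BMPString (SIZE (1..MAX)) }

     Consult rfc2459 for more information.

     @return the issuer as a Principal
  */
  public abstract Principal getIssuerDN();

  /**
     Returns the thisUpdate date of the CRL, i.e. the time at which
     this CRL was issued.

     The ASN.1 DER encoding is:

     thisUpdate              Time,

     Time ::= CHOICE {
     utcTime        UTCTime,
     generalTime    GeneralizedTime }

     Consult rfc2459 for more information.

     @return the thisUpdate date
  */
  public abstract Date getThisUpdate();

  /**
     Gets the nextUpdate field, the time by which the issuer expects
     to publish the next CRL. The field is OPTIONAL in the encoding,
     so this method may return null; callers deciding whether a CRL
     is stale must then fall back on local policy rather than assume
     the CRL is valid indefinitely.

     The ASN.1 DER encoding is:

     nextUpdate              Time OPTIONAL,

     Time ::= CHOICE {
     utcTime        UTCTime,
     generalTime    GeneralizedTime }

     Consult rfc2459 for more information.

     @return the nextUpdate date, or null if the field is absent
  */
  public abstract Date getNextUpdate();

  /**
     Gets the CRL entry for the certificate with the specified serial
     number. Serial numbers are only unique within a single issuer;
     a lookup by serial number alone is meaningful only if the caller
     has already established that this CRL was issued by the
     certificate's issuer. Prefer getRevokedCertificate(X509Certificate)
     where a certificate is available.

     @param serialNumber the serial number of the certificate to look up

     @return a X509CRLEntry representing the X.509 CRL entry, or null
     if no entry with that serial number is present
  */
  public abstract X509CRLEntry getRevokedCertificate(BigInteger serialNumber);

  /**
     Gets the CRL entry, if any, for the given certificate. The entry
     is looked up by serial number, but only after confirming that the
     certificate's issuer matches this CRL's issuer: serial numbers are
     unique only per issuer, so a serial-only match could report a
     certificate of an unrelated CA as revoked or mask a real
     revocation. Indirect CRLs, whose entries may name a different
     certificate issuer via an entry extension, are not handled by this
     default implementation.

     This default relies on getIssuerX500Principal(), so a subclass
     that does not override that method will see its
     UnsupportedOperationException propagate from here.

     @param certificate the certificate to look up

     @return the matching X509CRLEntry, or null if this CRL was not
     issued by the certificate's issuer or does not list the certificate

     @throws NullPointerException if certificate is null
     @since 1.5
  */
  public X509CRLEntry getRevokedCertificate(X509Certificate certificate)
  {
    if (certificate == null)
      throw new NullPointerException("certificate");
    X500Principal certIssuer = certificate.getIssuerX500Principal();
    if (!certIssuer.equals(getIssuerX500Principal()))
      return null;
    return getRevokedCertificate(certificate.getSerialNumber());
  }

  /**
     Returns the set of revoked certificate entries in this CRL.

     @return a set of revoked certificate entries; may be null or empty
     when the CRL lists no certificates, depending on the implementation
  */
  public abstract Set<? extends X509CRLEntry> getRevokedCertificates();

  /**
     Returns the DER ASN.1 encoded tbsCertList, the portion of the
     CRL that is covered by the signature (issuer, dates, entries and
     extensions). See the class description for the full structure.

     The ASN.1 DER encoding is:

     tbsCertList          TBSCertList,

     Consult rfc2459 for more information.

     @return byte array representing tbsCertList

     @throws CRLException if an encoding error occurs
  */
  public abstract byte[] getTBSCertList() throws CRLException;


  /**
     Returns the raw signature value of the CRL, i.e. the contents
     of the signatureValue BIT STRING computed over tbsCertList.

     The ASN.1 DER encoding is:

     signatureValue       BIT STRING

     Consult rfc2459 for more information.

     @return byte array containing the signature value
  */
  public abstract byte[] getSignature();

  /**
     Returns the name of the signature algorithm used to sign the CRL.
     An example is "SHA-1/DSA".

     The ASN.1 DER encoding is:

     signatureAlgorithm   AlgorithmIdentifier,

     AlgorithmIdentifier  ::=  SEQUENCE  {
     algorithm               OBJECT IDENTIFIER,
     parameters              ANY DEFINED BY algorithm OPTIONAL  }

     Consult rfc2459 for more information.

     The algorithm name is determined from the OID.

     @return a string with the signature algorithm name
  */
  public abstract String getSigAlgName();

  /**
     Returns the OID of the signature algorithm used.
     For example, "1.2.840.10040.4.3" is returned for SHA-1 with DSA.

     The ASN.1 DER encoding for the example is:

     id-dsa-with-sha1 ID  ::=  {
     iso(1) member-body(2) us(840) x9-57 (10040)
     x9cm(4) 3 }

     Consult rfc2459 for more information.

     @return a string containing the dotted-decimal OID
  */
  public abstract String getSigAlgOID();

  /**
     Returns the DER encoded parameters of the signature algorithm
     (the "parameters" field of the AlgorithmIdentifier).

     If access to the decoded parameters is needed, feed the bytes to
     an instance of java.security.AlgorithmParameters.

     @return byte array containing the encoded algorithm parameters, or
     null if no parameters are present in the CRL
  */
  public abstract byte[] getSigAlgParams();

  // 1.4 instance methods.
  // ------------------------------------------------------------------------

  /**
   * Returns the X.500 distinguished name of this CRL's issuer.
   *
   * This base implementation does not parse the encoding and always
   * throws UnsupportedOperationException; concrete subclasses are
   * expected to override it. getRevokedCertificate(X509Certificate)
   * depends on this method.
   *
   * @return The issuer's X.500 distinguished name.
   * @throws UnsupportedOperationException always, unless overridden
   * @since JDK 1.4
   */
  public X500Principal getIssuerX500Principal()
  {
    throw new UnsupportedOperationException();
  }
}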