package org.bouncycastle.x509;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.Selector;
import org.bouncycastle.x509.extension.X509ExtensionUtil;
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CRL;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
* This class is a Selector implementation for X.509 certificate revocation
* @see org.bouncycastle.util.Selector
* @see org.bouncycastle.x509.X509Store
* @see org.bouncycastle.jce.provider.X509StoreCRLCollection
public class X509CRLStoreSelector
extends X509CRLSelector
private boolean deltaCRLIndicator = false;
private boolean completeCRLEnabled = false;
private BigInteger maxBaseCRLNumber = null;
private byte[] issuingDistributionPoint = null;
private boolean issuingDistributionPointEnabled = false;
private X509AttributeCertificate attrCertChecking;
* Returns whether the issuing distribution point criterion should be applied.
* Defaults to <code>false</code>.
* You may also set the issuing distribution point criterion if a missing
* issuing distribution point should not be assumed.
* @return whether the issuing distribution point check is enabled.
public boolean isIssuingDistributionPointEnabled()
{
    // Reports the on/off flag only; the bytes to compare against live in
    // issuingDistributionPoint and are managed separately.
    return this.issuingDistributionPointEnabled;
}
* Enables or disables the issuing distribution point check.
* @param issuingDistributionPointEnabled <code>true</code> to enable the
* issuing distribution point check.
public void setIssuingDistributionPointEnabled(boolean issuingDistributionPointEnabled)
{
    // Flag only; the expected extension value is supplied through
    // setIssuingDistributionPoint(byte[]).
    this.issuingDistributionPointEnabled = issuingDistributionPointEnabled;
}
* Sets the attribute certificate being checked. This is not a criterion.
* Rather, it is optional information that may help a {@link X509Store} find
* CRLs that would be relevant when checking revocation for the specified
* attribute certificate. If <code>null</code> is specified, then no such
* optional information is provided.
* @param attrCert the <code>X509AttributeCertificate</code> being checked (or
* @see #getAttrCertificateChecking()
public void setAttrCertificateChecking(X509AttributeCertificate attrCert)
{
    // Stored by reference. This is a hint for a store, not a matching
    // criterion, so no defensive copy is made.
    this.attrCertChecking = attrCert;
}
* Returns the attribute certificate being checked.
* @return Returns the attribute certificate being checked.
* @see #setAttrCertificateChecking(X509AttributeCertificate)
public X509AttributeCertificate getAttrCertificateChecking()
{
    // null when no attribute certificate hint has been supplied.
    final X509AttributeCertificate hint = this.attrCertChecking;
    return hint;
}
// Applies the store-specific criteria (delta CRL indicator, complete CRL,
// maximum base CRL number, issuing distribution point) and then defers to the
// inherited X509CRLSelector criteria. This excerpt omits several short lines
// of the method (braces, try/catch, null checks), so the control flow shown
// here is incomplete.
public boolean match(Object obj)
// Only X509CRL instances can match this selector.
if (!(obj instanceof X509CRL))
X509CRL crl = (X509CRL)obj;
// Delta CRL indicator value; stays null unless parsed from the extension below.
DERInteger dci = null;
// The extension value comes from the CRL under test, i.e. untrusted input, and
// is decoded as DER here; handling of malformed values is not shown in this excerpt.
.getExtensionValue(X509Extensions.DeltaCRLIndicator.getId());
dci = DERInteger.getInstance(X509ExtensionUtil
.fromExtensionValue(bytes));
// Delta-only selection: the indicator extension has to be present.
if (isDeltaCRLIndicatorEnabled())
// Complete-only selection: presumably the indicator extension has to be absent.
if (isCompleteCRLEnabled())
// Optional upper bound on the base CRL number a delta CRL refers to
// (the indicator value is compared against it below).
if (maxBaseCRLNumber != null)
// BigInteger.compareTo is specified to return -1, 0 or 1, so "== 1" means
// "greater than"; "> 0" would be the conventional spelling.
if (dci.getPositiveValue().compareTo(maxBaseCRLNumber) == 1)
// Issuing distribution point check, only when explicitly enabled.
if (issuingDistributionPointEnabled)
.getExtensionValue(X509Extensions.IssuingDistributionPoint
// A null criterion stands for a missing IDP extension
// (see getIssuingDistributionPoint()).
if (issuingDistributionPoint == null)
// Otherwise the DER-encoded extension values must be byte-for-byte identical.
if (!Arrays.areEqual(idp, issuingDistributionPoint))
// Remaining criteria (issuer, date, CRL number range, ...) are inherited.
return super.match((X509CRL)obj);
public boolean match(CRL crl)
{
    // Widen to Object so the store-specific criteria in match(Object) apply.
    final Object candidate = crl;
    return match(candidate);
}
* Returns whether this selector must match CRLs with the delta CRL indicator
* extension set. Defaults to <code>false</code>.
* @return Returns <code>true</code> if only CRLs with the delta CRL
* indicator extension are selected.
public boolean isDeltaCRLIndicatorEnabled()
{
    // true means only CRLs carrying the delta CRL indicator extension match.
    final boolean deltaOnly = this.deltaCRLIndicator;
    return deltaOnly;
}
* If this is set to <code>true</code>, a matching CRL must contain the delta
* CRL indicator CRL extension.
* {@link #setCompleteCRLEnabled(boolean)} and
* {@link #setDeltaCRLIndicatorEnabled(boolean)} are mutually exclusive.
* @param deltaCRLIndicator <code>true</code> if the delta CRL indicator
* extension must be in the CRL.
public void setDeltaCRLIndicatorEnabled(boolean deltaCRLIndicator)
{
    // Not cross-checked against completeCRLEnabled; the caller keeps the two
    // mutually exclusive flags consistent.
    this.deltaCRLIndicator = deltaCRLIndicator;
}
* Returns an instance of this from a <code>X509CRLSelector</code>.
* @param selector A <code>X509CRLSelector</code> instance.
* @return An instance of an <code>X509CRLStoreSelector</code>.
* @exception IllegalArgumentException if selector is null or creation
// Builds an X509CRLStoreSelector that carries over every criterion of a plain
// X509CRLSelector; the store-specific criteria keep their defaults. Several
// short lines (try/braces, return) are omitted from this excerpt.
public static X509CRLStoreSelector getInstance(X509CRLSelector selector)
if (selector == null)
throw new IllegalArgumentException(
"cannot create from null selector");
X509CRLStoreSelector cs = new X509CRLStoreSelector();
cs.setCertificateChecking(selector.getCertificateChecking());
cs.setDateAndTime(selector.getDateAndTime());
// X509CRLSelector.setIssuerNames is declared to throw IOException for
// malformed names, hence the catch below.
cs.setIssuerNames(selector.getIssuerNames());
catch (IOException e)
// NOTE(review): only the message is carried over; the IOException is not
// attached as the cause, so the root failure is invisible to callers and logs.
throw new IllegalArgumentException(e.getMessage());
cs.setIssuers(selector.getIssuers());
cs.setMaxCRLNumber(selector.getMaxCRL());
cs.setMinCRLNumber(selector.getMinCRL());
// Copies the selector: the inherited criteria go through getInstance(), the
// store-specific fields are copied by hand. The trailing return is omitted
// from this excerpt.
public Object clone()
X509CRLStoreSelector sel = X509CRLStoreSelector.getInstance(this);
sel.deltaCRLIndicator = deltaCRLIndicator;
sel.completeCRLEnabled = completeCRLEnabled;
// BigInteger is immutable, so sharing the reference is safe.
sel.maxBaseCRLNumber = maxBaseCRLNumber;
// Shallow copy: the attribute certificate hint is shared with the original.
sel.attrCertChecking = attrCertChecking;
sel.issuingDistributionPointEnabled = issuingDistributionPointEnabled;
// Defensive copy so the two selectors never share the mutable array
// (Arrays.clone tolerates the field's null default).
sel.issuingDistributionPoint = Arrays.clone(issuingDistributionPoint);
* If <code>true</code> only complete CRLs are returned. Defaults to
* <code>false</code>.
* @return <code>true</code> if only complete CRLs are returned.
public boolean isCompleteCRLEnabled()
{
    // true means only complete (non-delta) CRLs are matched.
    final boolean completeOnly = this.completeCRLEnabled;
    return completeOnly;
}
* If set to <code>true</code> only complete CRLs are returned.
* {@link #setCompleteCRLEnabled(boolean)} and
* {@link #setDeltaCRLIndicatorEnabled(boolean)} are mutually exclusive.
* @param completeCRLEnabled <code>true</code> if only complete CRLs
* should be returned.
public void setCompleteCRLEnabled(boolean completeCRLEnabled)
{
    // Not cross-checked against deltaCRLIndicator; the caller keeps the two
    // mutually exclusive flags consistent.
    this.completeCRLEnabled = completeCRLEnabled;
}
* Get the maximum base CRL number. Defaults to <code>null</code>.
* @return Returns the maximum base CRL number.
* @see #setMaxBaseCRLNumber(BigInteger)
public BigInteger getMaxBaseCRLNumber()
{
    // null means the base CRL number bound is disabled.
    final BigInteger bound = this.maxBaseCRLNumber;
    return bound;
}
* Sets the maximum base CRL number. Setting to <code>null</code> disables
* This is only meaningful for delta CRLs. Complete CRLs must have a CRL
* number which is greater than or equal to the base number of the
* @param maxBaseCRLNumber The maximum base CRL number to set.
public void setMaxBaseCRLNumber(BigInteger maxBaseCRLNumber)
{
    // BigInteger is immutable, so the reference is stored as-is;
    // null disables the bound.
    this.maxBaseCRLNumber = maxBaseCRLNumber;
}
* Returns the issuing distribution point. Defaults to <code>null</code>,
* which means the issuing distribution point extension is absent.
* The internal byte array is cloned before it is returned.
* The criterion must be enabled with
* {@link #setIssuingDistributionPointEnabled(boolean)}.
* @return Returns the issuing distribution point.
* @see #setIssuingDistributionPoint(byte[])
public byte[] getIssuingDistributionPoint()
{
    // Hand out a copy so callers cannot alter the criterion behind the
    // selector's back; null is returned when no value was set.
    final byte[] copy = Arrays.clone(this.issuingDistributionPoint);
    return copy;
}
* Sets the issuing distribution point.
* The issuing distribution point extension is a CRL extension which
* identifies the scope and the distribution point of a CRL. The scope
* contains among others information about revocation reasons contained in
* the CRL. Delta CRLs and complete CRLs must have matching issuing
* distribution points.
* The byte array is cloned to protect against subsequent modifications.
* You must also enable or disable this criterion with
* {@link #setIssuingDistributionPointEnabled(boolean)}.
* @param issuingDistributionPoint The issuing distribution point to set.
* This is the DER encoded OCTET STRING extension value.
* @see #getIssuingDistributionPoint()
public void setIssuingDistributionPoint(byte[] issuingDistributionPoint)
{
    // Defensive copy: later changes to the caller's array must not affect
    // the criterion. The value is the DER-encoded OCTET STRING of the extension.
    this.issuingDistributionPoint = Arrays.clone(issuingDistributionPoint);
}