Home | History | Annotate | Download | only in conscrypt
      1 /*
      2  * Copyright (C) 2013 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 package org.conscrypt;
     18 
     19 import org.apache.harmony.security.utils.AlgNameMapper;
     20 import org.conscrypt.OpenSSLX509CertificateFactory.ParsingException;
     21 import java.io.ByteArrayInputStream;
     22 import java.io.ByteArrayOutputStream;
     23 import java.io.InputStream;
     24 import java.math.BigInteger;
     25 import java.security.InvalidKeyException;
     26 import java.security.NoSuchAlgorithmException;
     27 import java.security.NoSuchProviderException;
     28 import java.security.Principal;
     29 import java.security.PublicKey;
     30 import java.security.Signature;
     31 import java.security.SignatureException;
     32 import java.security.cert.CRLException;
     33 import java.security.cert.Certificate;
     34 import java.security.cert.X509CRL;
     35 import java.security.cert.X509CRLEntry;
     36 import java.security.cert.X509Certificate;
     37 import java.util.ArrayList;
     38 import java.util.Arrays;
     39 import java.util.Calendar;
     40 import java.util.Date;
     41 import java.util.HashSet;
     42 import java.util.List;
     43 import java.util.Set;
     44 import java.util.TimeZone;
     45 import javax.security.auth.x500.X500Principal;
     46 
     47 public class OpenSSLX509CRL extends X509CRL {
     48     private final long mContext;
     49 
     50     private OpenSSLX509CRL(long ctx) {
     51         mContext = ctx;
     52     }
     53 
     54     public static OpenSSLX509CRL fromX509DerInputStream(InputStream is) throws ParsingException {
     55         final OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
     56 
     57         try {
     58             final long crlCtx = NativeCrypto.d2i_X509_CRL_bio(bis.getBioContext());
     59             if (crlCtx == 0) {
     60                 return null;
     61             }
     62             return new OpenSSLX509CRL(crlCtx);
     63         } catch (Exception e) {
     64             throw new ParsingException(e);
     65         } finally {
     66             NativeCrypto.BIO_free(bis.getBioContext());
     67         }
     68     }
     69 
     70     public static List<OpenSSLX509CRL> fromPkcs7DerInputStream(InputStream is)
     71             throws ParsingException {
     72         OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
     73 
     74         final long[] certRefs;
     75         try {
     76             certRefs = NativeCrypto.d2i_PKCS7_bio(bis.getBioContext(), NativeCrypto.PKCS7_CRLS);
     77         } catch (Exception e) {
     78             throw new ParsingException(e);
     79         } finally {
     80             NativeCrypto.BIO_free(bis.getBioContext());
     81         }
     82 
     83         final List<OpenSSLX509CRL> certs = new ArrayList<OpenSSLX509CRL>(certRefs.length);
     84         for (int i = 0; i < certRefs.length; i++) {
     85             if (certRefs[i] == 0) {
     86                 continue;
     87             }
     88             certs.add(new OpenSSLX509CRL(certRefs[i]));
     89         }
     90         return certs;
     91     }
     92 
     93     public static OpenSSLX509CRL fromX509PemInputStream(InputStream is) throws ParsingException {
     94         final OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
     95 
     96         try {
     97             final long crlCtx = NativeCrypto.PEM_read_bio_X509_CRL(bis.getBioContext());
     98             if (crlCtx == 0) {
     99                 return null;
    100             }
    101             return new OpenSSLX509CRL(crlCtx);
    102         } catch (Exception e) {
    103             throw new ParsingException(e);
    104         } finally {
    105             NativeCrypto.BIO_free(bis.getBioContext());
    106         }
    107     }
    108 
    109     public static List<OpenSSLX509CRL> fromPkcs7PemInputStream(InputStream is)
    110             throws ParsingException {
    111         OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
    112 
    113         final long[] certRefs;
    114         try {
    115             certRefs = NativeCrypto.PEM_read_bio_PKCS7(bis.getBioContext(),
    116                     NativeCrypto.PKCS7_CRLS);
    117         } catch (Exception e) {
    118             throw new ParsingException(e);
    119         } finally {
    120             NativeCrypto.BIO_free(bis.getBioContext());
    121         }
    122 
    123         final List<OpenSSLX509CRL> certs = new ArrayList<OpenSSLX509CRL>(certRefs.length);
    124         for (int i = 0; i < certRefs.length; i++) {
    125             if (certRefs[i] == 0) {
    126                 continue;
    127             }
    128             certs.add(new OpenSSLX509CRL(certRefs[i]));
    129         }
    130         return certs;
    131     }
    132 
    133     @Override
    134     public Set<String> getCriticalExtensionOIDs() {
    135         String[] critOids =
    136                 NativeCrypto.get_X509_CRL_ext_oids(mContext, NativeCrypto.EXTENSION_TYPE_CRITICAL);
    137 
    138         /*
    139          * This API has a special case that if there are no extensions, we
    140          * should return null. So if we have no critical extensions, we'll check
    141          * non-critical extensions.
    142          */
    143         if ((critOids.length == 0)
    144                 && (NativeCrypto.get_X509_CRL_ext_oids(mContext,
    145                         NativeCrypto.EXTENSION_TYPE_NON_CRITICAL).length == 0)) {
    146             return null;
    147         }
    148 
    149         return new HashSet<String>(Arrays.asList(critOids));
    150     }
    151 
    152     @Override
    153     public byte[] getExtensionValue(String oid) {
    154         return NativeCrypto.X509_CRL_get_ext_oid(mContext, oid);
    155     }
    156 
    157     @Override
    158     public Set<String> getNonCriticalExtensionOIDs() {
    159         String[] nonCritOids =
    160                 NativeCrypto.get_X509_CRL_ext_oids(mContext,
    161                         NativeCrypto.EXTENSION_TYPE_NON_CRITICAL);
    162 
    163         /*
    164          * This API has a special case that if there are no extensions, we
    165          * should return null. So if we have no non-critical extensions, we'll
    166          * check critical extensions.
    167          */
    168         if ((nonCritOids.length == 0)
    169                 && (NativeCrypto.get_X509_CRL_ext_oids(mContext,
    170                         NativeCrypto.EXTENSION_TYPE_CRITICAL).length == 0)) {
    171             return null;
    172         }
    173 
    174         return new HashSet<String>(Arrays.asList(nonCritOids));
    175     }
    176 
    177     @Override
    178     public boolean hasUnsupportedCriticalExtension() {
    179         final String[] criticalOids =
    180                 NativeCrypto.get_X509_CRL_ext_oids(mContext, NativeCrypto.EXTENSION_TYPE_CRITICAL);
    181         for (String oid : criticalOids) {
    182             final long extensionRef = NativeCrypto.X509_CRL_get_ext(mContext, oid);
    183             if (NativeCrypto.X509_supported_extension(extensionRef) != 1) {
    184                 return true;
    185             }
    186         }
    187 
    188         return false;
    189     }
    190 
    191     @Override
    192     public byte[] getEncoded() throws CRLException {
    193         return NativeCrypto.i2d_X509_CRL(mContext);
    194     }
    195 
    196     private void verifyOpenSSL(OpenSSLKey pkey) throws CRLException, NoSuchAlgorithmException,
    197             InvalidKeyException, NoSuchProviderException, SignatureException {
    198         NativeCrypto.X509_CRL_verify(mContext, pkey.getPkeyContext());
    199     }
    200 
    201     private void verifyInternal(PublicKey key, String sigProvider) throws CRLException,
    202             NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException,
    203             SignatureException {
    204         String sigAlg = getSigAlgName();
    205         if (sigAlg == null) {
    206             sigAlg = getSigAlgOID();
    207         }
    208 
    209         final Signature sig;
    210         if (sigProvider == null) {
    211             sig = Signature.getInstance(sigAlg);
    212         } else {
    213             sig = Signature.getInstance(sigAlg, sigProvider);
    214         }
    215 
    216         sig.initVerify(key);
    217         sig.update(getTBSCertList());
    218         if (!sig.verify(getSignature())) {
    219             throw new SignatureException("signature did not verify");
    220         }
    221     }
    222 
    223     @Override
    224     public void verify(PublicKey key) throws CRLException, NoSuchAlgorithmException,
    225             InvalidKeyException, NoSuchProviderException, SignatureException {
    226         if (key instanceof OpenSSLKeyHolder) {
    227             OpenSSLKey pkey = ((OpenSSLKeyHolder) key).getOpenSSLKey();
    228             verifyOpenSSL(pkey);
    229             return;
    230         }
    231 
    232         verifyInternal(key, null);
    233     }
    234 
    235     @Override
    236     public void verify(PublicKey key, String sigProvider) throws CRLException,
    237             NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException,
    238             SignatureException {
    239         verifyInternal(key, sigProvider);
    240     }
    241 
    242     @Override
    243     public int getVersion() {
    244         return (int) NativeCrypto.X509_CRL_get_version(mContext) + 1;
    245     }
    246 
    247     @Override
    248     public Principal getIssuerDN() {
    249         return getIssuerX500Principal();
    250     }
    251 
    252     @Override
    253     public X500Principal getIssuerX500Principal() {
    254         final byte[] issuer = NativeCrypto.X509_CRL_get_issuer_name(mContext);
    255         return new X500Principal(issuer);
    256     }
    257 
    258     @Override
    259     public Date getThisUpdate() {
    260         Calendar calendar = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
    261         calendar.set(Calendar.MILLISECOND, 0);
    262         NativeCrypto.ASN1_TIME_to_Calendar(NativeCrypto.X509_CRL_get_lastUpdate(mContext),
    263                 calendar);
    264         return calendar.getTime();
    265     }
    266 
    267     @Override
    268     public Date getNextUpdate() {
    269         Calendar calendar = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
    270         calendar.set(Calendar.MILLISECOND, 0);
    271         NativeCrypto.ASN1_TIME_to_Calendar(NativeCrypto.X509_CRL_get_nextUpdate(mContext),
    272                 calendar);
    273         return calendar.getTime();
    274     }
    275 
    276     @Override
    277     public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
    278         final long revokedRef = NativeCrypto.X509_CRL_get0_by_serial(mContext,
    279                 serialNumber.toByteArray());
    280         if (revokedRef == 0) {
    281             return null;
    282         }
    283 
    284         return new OpenSSLX509CRLEntry(NativeCrypto.X509_REVOKED_dup(revokedRef));
    285     }
    286 
    287     @Override
    288     public X509CRLEntry getRevokedCertificate(X509Certificate certificate) {
    289         if (certificate instanceof OpenSSLX509Certificate) {
    290             OpenSSLX509Certificate osslCert = (OpenSSLX509Certificate) certificate;
    291             final long x509RevokedRef = NativeCrypto.X509_CRL_get0_by_cert(mContext,
    292                     osslCert.getContext());
    293 
    294             if (x509RevokedRef == 0) {
    295                 return null;
    296             }
    297 
    298             return new OpenSSLX509CRLEntry(NativeCrypto.X509_REVOKED_dup(x509RevokedRef));
    299         }
    300 
    301         return getRevokedCertificate(certificate.getSerialNumber());
    302     }
    303 
    304     @Override
    305     public Set<? extends X509CRLEntry> getRevokedCertificates() {
    306         final long[] entryRefs = NativeCrypto.X509_CRL_get_REVOKED(mContext);
    307         if (entryRefs == null || entryRefs.length == 0) {
    308             return null;
    309         }
    310 
    311         final Set<OpenSSLX509CRLEntry> crlSet = new HashSet<OpenSSLX509CRLEntry>();
    312         for (long entryRef : entryRefs) {
    313             crlSet.add(new OpenSSLX509CRLEntry(entryRef));
    314         }
    315 
    316         return crlSet;
    317     }
    318 
    319     @Override
    320     public byte[] getTBSCertList() throws CRLException {
    321         return NativeCrypto.get_X509_CRL_crl_enc(mContext);
    322     }
    323 
    324     @Override
    325     public byte[] getSignature() {
    326         return NativeCrypto.get_X509_CRL_signature(mContext);
    327     }
    328 
    329     @Override
    330     public String getSigAlgName() {
    331         return AlgNameMapper.map2AlgName(getSigAlgOID());
    332     }
    333 
    334     @Override
    335     public String getSigAlgOID() {
    336         return NativeCrypto.get_X509_CRL_sig_alg_oid(mContext);
    337     }
    338 
    339     @Override
    340     public byte[] getSigAlgParams() {
    341         return NativeCrypto.get_X509_CRL_sig_alg_parameter(mContext);
    342     }
    343 
    344     @Override
    345     public boolean isRevoked(Certificate cert) {
    346         if (!(cert instanceof X509Certificate)) {
    347             return false;
    348         }
    349 
    350         final OpenSSLX509Certificate osslCert;
    351         if (cert instanceof OpenSSLX509Certificate) {
    352             osslCert = (OpenSSLX509Certificate) cert;
    353         } else {
    354             try {
    355                 osslCert = OpenSSLX509Certificate.fromX509DerInputStream(new ByteArrayInputStream(
    356                         cert.getEncoded()));
    357             } catch (Exception e) {
    358                 throw new RuntimeException("cannot convert certificate", e);
    359             }
    360         }
    361 
    362         final long x509RevokedRef = NativeCrypto.X509_CRL_get0_by_cert(mContext,
    363                 osslCert.getContext());
    364 
    365         return x509RevokedRef != 0;
    366     }
    367 
    368     @Override
    369     public String toString() {
    370         ByteArrayOutputStream os = new ByteArrayOutputStream();
    371         final long bioCtx = NativeCrypto.create_BIO_OutputStream(os);
    372         try {
    373             NativeCrypto.X509_CRL_print(bioCtx, mContext);
    374             return os.toString();
    375         } finally {
    376             NativeCrypto.BIO_free(bioCtx);
    377         }
    378     }
    379 
    380     @Override
    381     protected void finalize() throws Throwable {
    382         try {
    383             if (mContext != 0) {
    384                 NativeCrypto.X509_CRL_free(mContext);
    385             }
    386         } finally {
    387             super.finalize();
    388         }
    389     }
    390 
    391 }
    392