• Home
• org.digidoc4j.dss
• dss-spi
• 5.0.d4j.3
• source code
• OfflineCRLSource.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

eu.europa.esig.dss.x509.crl.OfflineCRLSource Maven / Gradle / Ivy

/**
 * DSS - Digital Signature Services
 * Copyright (C) 2015 European Commission, provided under the CEF programme
 *
 * This file is part of the "DSS - Digital Signature Services" project.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */
package eu.europa.esig.dss.x509.crl;

import java.security.cert.X509CRL;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import eu.europa.esig.dss.x509.CertificateToken;
import eu.europa.esig.dss.x509.RevocationOrigin;

/**
 * This class if a basic skeleton that is able to retrieve needed CRL data from
 * the contained list. The child need to retrieve the list of wrapped CRLs.
 */
public abstract class OfflineCRLSource implements CRLSource {

	private static final Logger LOG = LoggerFactory.getLogger(OfflineCRLSource.class);

	/**
	 * List of contained {@code X509CRL}s. One CRL list contains many
	 * CRLToken(s).
	 */
	protected List x509CRLList;

	protected Map validCRLTokenList = new HashMap();

	/**
	 * This {@code HashMap} contains the {@code CRLValidity} object for each
	 * {@code X509CRL}. It is used for performance reasons.
	 */
	protected Map crlValidityMap = new HashMap();

	@Override
	final public CRLToken findCrl(final CertificateToken certificateToken) {

		if (certificateToken == null) {

			throw new NullPointerException();
		}
		final CRLToken validCRLToken = validCRLTokenList.get(certificateToken);
		if (validCRLToken != null) {
			validCRLToken.setOrigin(RevocationOrigin.SIGNATURE);
			return validCRLToken;
		}
		final CertificateToken issuerToken = certificateToken.getIssuerToken();
		if (issuerToken == null) {

			throw new NullPointerException();
		}
		final CRLValidity bestCRLValidity = getBestCrlValidity(certificateToken, issuerToken);
		if (bestCRLValidity == null) {
			return null;
		}
		final CRLToken crlToken = new CRLToken(certificateToken, bestCRLValidity);
		crlToken.setOrigin(RevocationOrigin.SIGNATURE);
		validCRLTokenList.put(certificateToken, crlToken);
		return crlToken;
	}

	/**
	 * This method returns the best {@code CRLValidity} containing the most
	 * recent {@code X509CRL}.
	 *
	 * @param certificateToken
	 *            {@code CertificateToken} for with the CRL is issued
	 * @param issuerToken
	 *            {@code CertificateToken} representing the signing certificate
	 *            of the CRL
	 * @return {@code CRLValidity}
	 */
	private CRLValidity getBestCrlValidity(final CertificateToken certificateToken, final CertificateToken issuerToken) {

		CRLValidity bestCRLValidity = null;
		Date bestX509UpdateDate = null;

		for (final X509CRL x509CRL : x509CRLList) {
			final CRLValidity crlValidity = getCrlValidity(issuerToken, x509CRL);
			if (crlValidity == null) {
				continue;
			}
			if (issuerToken.equals(crlValidity.getIssuerToken()) && crlValidity.isValid()) {
				// check the overlapping of the [thisUpdate, nextUpdate] from the CRL and [notBefore, notAfter] from
				// the X509Certificate
				final Date thisUpdate = x509CRL.getThisUpdate();
				final Date nextUpdate = x509CRL.getNextUpdate();
				final Date notAfter = certificateToken.getNotAfter();
				final Date notBefore = certificateToken.getNotBefore();
				boolean periodAreIntersecting = thisUpdate.before(notAfter) && (nextUpdate != null && nextUpdate.after(notBefore));
				if (!periodAreIntersecting) {
					LOG.warn("The CRL was not issued during the validity period of the certificate! Certificate: " + certificateToken.getDSSIdAsString());
					continue;
				}

				if ((bestX509UpdateDate == null) || thisUpdate.after(bestX509UpdateDate)) {
					bestCRLValidity = crlValidity;
					bestX509UpdateDate = thisUpdate;
				}
			}
		}
		return bestCRLValidity;
	}

	/**
	 * This method returns {@code CRLValidity} object based on the given
	 * {@code X509CRL}. The check of the validity of the CRL is performed.
	 *
	 * @param issuerToken
	 *            {@code CertificateToken} issuer of the CRL
	 * @param x509CRL
	 *            {@code X509CRL} the validity to be checked
	 * @return returns updated {@code CRLValidity} object
	 */
	private synchronized CRLValidity getCrlValidity(final CertificateToken issuerToken, final X509CRL x509CRL) {

		CRLValidity crlValidity = crlValidityMap.get(x509CRL);
		if (crlValidity == null) {

			crlValidity = CRLUtils.isValidCRL(x509CRL, issuerToken);
			if (crlValidity.isValid()) {

				crlValidityMap.put(x509CRL, crlValidity);
			}
		}
		return crlValidity;
	}

	/**
	 * @return unmodifiable {@code List} of {@code X509CRL}s
	 */
	public List getContainedX509CRLs() {

		final List x509CRLs = Collections.unmodifiableList(x509CRLList);
		return x509CRLs;
	}
}