Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
38923 views
/*1* Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/2425package sun.security.provider.certpath;2627import java.io.*;28import java.net.URI;29import java.security.*;30import java.security.cert.*;31import javax.security.auth.x500.X500Principal;32import java.util.*;3334import sun.security.util.Debug;35import sun.security.validator.Validator;36import static sun.security.x509.PKIXExtensions.*;37import sun.security.x509.*;3839/**40* Class to obtain CRLs via the CRLDistributionPoints extension.41* Note that the functionality of this class must be explicitly enabled42* via a system property, see the USE_CRLDP variable below.43*44* This class uses the URICertStore class to fetch CRLs. The URICertStore45* class also implements CRL caching: see the class description for more46* information.47*48* @author Andreas Sterbenz49* @author Sean Mullan50* @since 1.4.251*/52public class DistributionPointFetcher {5354private static final Debug debug = Debug.getInstance("certpath");5556private static final boolean[] ALL_REASONS =57{true, true, true, true, true, true, true, true, true};5859/**60* Private instantiation only.61*/62private DistributionPointFetcher() {}6364/**65* Return the X509CRLs matching this selector. The selector must be66* an X509CRLSelector with certificateChecking set.67*/68public static Collection<X509CRL> getCRLs(X509CRLSelector selector,69boolean signFlag, PublicKey prevKey, String provider,70List<CertStore> certStores, boolean[] reasonsMask,71Set<TrustAnchor> trustAnchors, Date validity, String variant)72throws CertStoreException73{74return getCRLs(selector, signFlag, prevKey, null, provider, certStores,75reasonsMask, trustAnchors, validity, variant, null);76}77/**78* Return the X509CRLs matching this selector. The selector must be79* an X509CRLSelector with certificateChecking set.80*/81// Called by com.sun.deploy.security.RevocationChecker82public static Collection<X509CRL> getCRLs(X509CRLSelector selector,83boolean signFlag,84PublicKey prevKey,85String provider,86List<CertStore> certStores,87boolean[] reasonsMask,88Set<TrustAnchor> trustAnchors,89Date validity)90throws CertStoreException91{92if (trustAnchors.isEmpty()) {93throw new CertStoreException(94"at least one TrustAnchor must be specified");95}96TrustAnchor anchor = trustAnchors.iterator().next();97return getCRLs(selector, signFlag, prevKey, null, provider, certStores,98reasonsMask, trustAnchors, validity,99Validator.VAR_PLUGIN_CODE_SIGNING, anchor);100}101102/**103* Return the X509CRLs matching this selector. The selector must be104* an X509CRLSelector with certificateChecking set.105*/106public static Collection<X509CRL> getCRLs(X509CRLSelector selector,107boolean signFlag,108PublicKey prevKey,109X509Certificate prevCert,110String provider,111List<CertStore> certStores,112boolean[] reasonsMask,113Set<TrustAnchor> trustAnchors,114Date validity,115String variant,116TrustAnchor anchor)117throws CertStoreException118{119X509Certificate cert = selector.getCertificateChecking();120if (cert == null) {121return Collections.emptySet();122}123try {124X509CertImpl certImpl = X509CertImpl.toImpl(cert);125if (debug != null) {126debug.println("DistributionPointFetcher.getCRLs: Checking "127+ "CRLDPs for " + certImpl.getSubjectX500Principal());128}129CRLDistributionPointsExtension ext =130certImpl.getCRLDistributionPointsExtension();131if (ext == null) {132if (debug != null) {133debug.println("No CRLDP ext");134}135return Collections.emptySet();136}137List<DistributionPoint> points =138ext.get(CRLDistributionPointsExtension.POINTS);139Set<X509CRL> results = new HashSet<>();140for (Iterator<DistributionPoint> t = points.iterator();141t.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS); ) {142DistributionPoint point = t.next();143Collection<X509CRL> crls = getCRLs(selector, certImpl,144point, reasonsMask, signFlag, prevKey, prevCert, provider,145certStores, trustAnchors, validity, variant, anchor);146results.addAll(crls);147}148if (debug != null) {149debug.println("Returning " + results.size() + " CRLs");150}151return results;152} catch (CertificateException | IOException e) {153return Collections.emptySet();154}155}156157/**158* Download CRLs from the given distribution point, verify and return them.159* See the top of the class for current limitations.160*161* @throws CertStoreException if there is an error retrieving the CRLs162* from one of the GeneralNames and no other CRLs are retrieved from163* the other GeneralNames. If more than one GeneralName throws an164* exception then the one from the last GeneralName is thrown.165*/166private static Collection<X509CRL> getCRLs(X509CRLSelector selector,167X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask,168boolean signFlag, PublicKey prevKey, X509Certificate prevCert,169String provider, List<CertStore> certStores,170Set<TrustAnchor> trustAnchors, Date validity, String variant,171TrustAnchor anchor)172throws CertStoreException {173174// check for full name175GeneralNames fullName = point.getFullName();176if (fullName == null) {177// check for relative name178RDN relativeName = point.getRelativeName();179if (relativeName == null) {180return Collections.emptySet();181}182try {183GeneralNames crlIssuers = point.getCRLIssuer();184if (crlIssuers == null) {185fullName = getFullNames186((X500Name) certImpl.getIssuerDN(), relativeName);187} else {188// should only be one CRL Issuer189if (crlIssuers.size() != 1) {190return Collections.emptySet();191} else {192fullName = getFullNames193((X500Name) crlIssuers.get(0).getName(), relativeName);194}195}196} catch (IOException ioe) {197return Collections.emptySet();198}199}200Collection<X509CRL> possibleCRLs = new ArrayList<>();201CertStoreException savedCSE = null;202for (Iterator<GeneralName> t = fullName.iterator(); t.hasNext(); ) {203try {204GeneralName name = t.next();205if (name.getType() == GeneralNameInterface.NAME_DIRECTORY) {206X500Name x500Name = (X500Name) name.getName();207possibleCRLs.addAll(208getCRLs(x500Name, certImpl.getIssuerX500Principal(),209certStores));210} else if (name.getType() == GeneralNameInterface.NAME_URI) {211URIName uriName = (URIName)name.getName();212X509CRL crl = getCRL(uriName);213if (crl != null) {214possibleCRLs.add(crl);215}216}217} catch (CertStoreException cse) {218savedCSE = cse;219}220}221// only throw CertStoreException if no CRLs are retrieved222if (possibleCRLs.isEmpty() && savedCSE != null) {223throw savedCSE;224}225226Collection<X509CRL> crls = new ArrayList<>(2);227for (X509CRL crl : possibleCRLs) {228try {229// make sure issuer is not set230// we check the issuer in verifyCRLs method231selector.setIssuerNames(null);232if (selector.match(crl) && verifyCRL(certImpl, point, crl,233reasonsMask, signFlag, prevKey, prevCert, provider,234trustAnchors, certStores, validity, variant, anchor)) {235crls.add(crl);236}237} catch (IOException | CRLException e) {238// don't add the CRL239if (debug != null) {240debug.println("Exception verifying CRL: " + e.getMessage());241e.printStackTrace();242}243}244}245return crls;246}247248/**249* Download CRL from given URI.250*/251private static X509CRL getCRL(URIName name) throws CertStoreException {252URI uri = name.getURI();253if (debug != null) {254debug.println("Trying to fetch CRL from DP " + uri);255}256CertStore ucs = null;257try {258ucs = URICertStore.getInstance259(new URICertStore.URICertStoreParameters(uri));260} catch (InvalidAlgorithmParameterException |261NoSuchAlgorithmException e) {262if (debug != null) {263debug.println("Can't create URICertStore: " + e.getMessage());264}265return null;266}267268Collection<? extends CRL> crls = ucs.getCRLs(null);269if (crls.isEmpty()) {270return null;271} else {272return (X509CRL) crls.iterator().next();273}274}275276/**277* Fetch CRLs from certStores.278*279* @throws CertStoreException if there is an error retrieving the CRLs from280* one of the CertStores and no other CRLs are retrieved from281* the other CertStores. If more than one CertStore throws an282* exception then the one from the last CertStore is thrown.283*/284private static Collection<X509CRL> getCRLs(X500Name name,285X500Principal certIssuer,286List<CertStore> certStores)287throws CertStoreException288{289if (debug != null) {290debug.println("Trying to fetch CRL from DP " + name);291}292X509CRLSelector xcs = new X509CRLSelector();293xcs.addIssuer(name.asX500Principal());294xcs.addIssuer(certIssuer);295Collection<X509CRL> crls = new ArrayList<>();296CertStoreException savedCSE = null;297for (CertStore store : certStores) {298try {299for (CRL crl : store.getCRLs(xcs)) {300crls.add((X509CRL)crl);301}302} catch (CertStoreException cse) {303if (debug != null) {304debug.println("Exception while retrieving " +305"CRLs: " + cse);306cse.printStackTrace();307}308savedCSE = new PKIX.CertStoreTypeException(store.getType(),cse);309}310}311// only throw CertStoreException if no CRLs are retrieved312if (crls.isEmpty() && savedCSE != null) {313throw savedCSE;314} else {315return crls;316}317}318319/**320* Verifies a CRL for the given certificate's Distribution Point to321* ensure it is appropriate for checking the revocation status.322*323* @param certImpl the certificate whose revocation status is being checked324* @param point one of the distribution points of the certificate325* @param crl the CRL326* @param reasonsMask the interim reasons mask327* @param signFlag true if prevKey can be used to verify the CRL328* @param prevKey the public key that verifies the certificate's signature329* @param prevCert the certificate whose public key verifies330* {@code certImpl}'s signature331* @param provider the Signature provider to use332* @param trustAnchors a {@code Set} of {@code TrustAnchor}s333* @param certStores a {@code List} of {@code CertStore}s to be used in334* finding certificates and CRLs335* @param validity the time for which the validity of the CRL issuer's336* certification path should be determined337* @return true if ok, false if not338*/339static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,340X509CRL crl, boolean[] reasonsMask, boolean signFlag,341PublicKey prevKey, X509Certificate prevCert, String provider,342Set<TrustAnchor> trustAnchors, List<CertStore> certStores,343Date validity, String variant, TrustAnchor anchor)344throws CRLException, IOException {345346if (debug != null) {347debug.println("DistributionPointFetcher.verifyCRL: " +348"checking revocation status for" +349"\n SN: " + Debug.toHexString(certImpl.getSerialNumber()) +350"\n Subject: " + certImpl.getSubjectX500Principal() +351"\n Issuer: " + certImpl.getIssuerX500Principal());352}353354boolean indirectCRL = false;355X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl);356IssuingDistributionPointExtension idpExt =357crlImpl.getIssuingDistributionPointExtension();358X500Name certIssuer = (X500Name) certImpl.getIssuerDN();359X500Name crlIssuer = (X500Name) crlImpl.getIssuerDN();360361// if crlIssuer is set, verify that it matches the issuer of the362// CRL and the CRL contains an IDP extension with the indirectCRL363// boolean asserted. Otherwise, verify that the CRL issuer matches the364// certificate issuer.365GeneralNames pointCrlIssuers = point.getCRLIssuer();366X500Name pointCrlIssuer = null;367if (pointCrlIssuers != null) {368if (idpExt == null ||369((Boolean) idpExt.get370(IssuingDistributionPointExtension.INDIRECT_CRL)).equals371(Boolean.FALSE)) {372return false;373}374boolean match = false;375for (Iterator<GeneralName> t = pointCrlIssuers.iterator();376!match && t.hasNext(); ) {377GeneralNameInterface name = t.next().getName();378if (crlIssuer.equals(name) == true) {379pointCrlIssuer = (X500Name) name;380match = true;381}382}383if (match == false) {384return false;385}386387// we accept the case that a CRL issuer provide status388// information for itself.389if (issues(certImpl, crlImpl, provider)) {390// reset the public key used to verify the CRL's signature391prevKey = certImpl.getPublicKey();392} else {393indirectCRL = true;394}395} else if (crlIssuer.equals(certIssuer) == false) {396if (debug != null) {397debug.println("crl issuer does not equal cert issuer.\n" +398"crl issuer: " + crlIssuer + "\n" +399"cert issuer: " + certIssuer);400}401return false;402} else {403// in case of self-issued indirect CRL issuer.404KeyIdentifier certAKID = certImpl.getAuthKeyId();405KeyIdentifier crlAKID = crlImpl.getAuthKeyId();406407if (certAKID == null || crlAKID == null) {408// cannot recognize indirect CRL without AKID409410// we accept the case that a CRL issuer provide status411// information for itself.412if (issues(certImpl, crlImpl, provider)) {413// reset the public key used to verify the CRL's signature414prevKey = certImpl.getPublicKey();415}416} else if (!certAKID.equals(crlAKID)) {417// we accept the case that a CRL issuer provide status418// information for itself.419if (issues(certImpl, crlImpl, provider)) {420// reset the public key used to verify the CRL's signature421prevKey = certImpl.getPublicKey();422} else {423indirectCRL = true;424}425}426}427428if (!indirectCRL && !signFlag) {429// cert's key cannot be used to verify the CRL430return false;431}432433if (idpExt != null) {434DistributionPointName idpPoint = (DistributionPointName)435idpExt.get(IssuingDistributionPointExtension.POINT);436if (idpPoint != null) {437GeneralNames idpNames = idpPoint.getFullName();438if (idpNames == null) {439RDN relativeName = idpPoint.getRelativeName();440if (relativeName == null) {441if (debug != null) {442debug.println("IDP must be relative or full DN");443}444return false;445}446if (debug != null) {447debug.println("IDP relativeName:" + relativeName);448}449idpNames = getFullNames(crlIssuer, relativeName);450}451// if the DP name is present in the IDP CRL extension and the452// DP field is present in the DP, then verify that one of the453// names in the IDP matches one of the names in the DP454if (point.getFullName() != null ||455point.getRelativeName() != null) {456GeneralNames pointNames = point.getFullName();457if (pointNames == null) {458RDN relativeName = point.getRelativeName();459if (relativeName == null) {460if (debug != null) {461debug.println("DP must be relative or full DN");462}463return false;464}465if (debug != null) {466debug.println("DP relativeName:" + relativeName);467}468if (indirectCRL) {469if (pointCrlIssuers.size() != 1) {470// RFC 5280: there must be only 1 CRL issuer471// name when relativeName is present472if (debug != null) {473debug.println("must only be one CRL " +474"issuer when relative name present");475}476return false;477}478pointNames = getFullNames479(pointCrlIssuer, relativeName);480} else {481pointNames = getFullNames(certIssuer, relativeName);482}483}484boolean match = false;485for (Iterator<GeneralName> i = idpNames.iterator();486!match && i.hasNext(); ) {487GeneralNameInterface idpName = i.next().getName();488if (debug != null) {489debug.println("idpName: " + idpName);490}491for (Iterator<GeneralName> p = pointNames.iterator();492!match && p.hasNext(); ) {493GeneralNameInterface pointName = p.next().getName();494if (debug != null) {495debug.println("pointName: " + pointName);496}497match = idpName.equals(pointName);498}499}500if (!match) {501if (debug != null) {502debug.println("IDP name does not match DP name");503}504return false;505}506// if the DP name is present in the IDP CRL extension and the507// DP field is absent from the DP, then verify that one of the508// names in the IDP matches one of the names in the crlIssuer509// field of the DP510} else {511// verify that one of the names in the IDP matches one of512// the names in the cRLIssuer of the cert's DP513boolean match = false;514for (Iterator<GeneralName> t = pointCrlIssuers.iterator();515!match && t.hasNext(); ) {516GeneralNameInterface crlIssuerName = t.next().getName();517for (Iterator<GeneralName> i = idpNames.iterator();518!match && i.hasNext(); ) {519GeneralNameInterface idpName = i.next().getName();520match = crlIssuerName.equals(idpName);521}522}523if (!match) {524return false;525}526}527}528529// if the onlyContainsUserCerts boolean is asserted, verify that the530// cert is not a CA cert531Boolean b = (Boolean)532idpExt.get(IssuingDistributionPointExtension.ONLY_USER_CERTS);533if (b.equals(Boolean.TRUE) && certImpl.getBasicConstraints() != -1) {534if (debug != null) {535debug.println("cert must be a EE cert");536}537return false;538}539540// if the onlyContainsCACerts boolean is asserted, verify that the541// cert is a CA cert542b = (Boolean)543idpExt.get(IssuingDistributionPointExtension.ONLY_CA_CERTS);544if (b.equals(Boolean.TRUE) && certImpl.getBasicConstraints() == -1) {545if (debug != null) {546debug.println("cert must be a CA cert");547}548return false;549}550551// verify that the onlyContainsAttributeCerts boolean is not552// asserted553b = (Boolean) idpExt.get554(IssuingDistributionPointExtension.ONLY_ATTRIBUTE_CERTS);555if (b.equals(Boolean.TRUE)) {556if (debug != null) {557debug.println("cert must not be an AA cert");558}559return false;560}561}562563// compute interim reasons mask564boolean[] interimReasonsMask = new boolean[9];565ReasonFlags reasons = null;566if (idpExt != null) {567reasons = (ReasonFlags)568idpExt.get(IssuingDistributionPointExtension.REASONS);569}570571boolean[] pointReasonFlags = point.getReasonFlags();572if (reasons != null) {573if (pointReasonFlags != null) {574// set interim reasons mask to the intersection of575// reasons in the DP and onlySomeReasons in the IDP576boolean[] idpReasonFlags = reasons.getFlags();577for (int i = 0; i < interimReasonsMask.length; i++) {578interimReasonsMask[i] =579(i < idpReasonFlags.length && idpReasonFlags[i]) &&580(i < pointReasonFlags.length && pointReasonFlags[i]);581}582} else {583// set interim reasons mask to the value of584// onlySomeReasons in the IDP (and clone it since we may585// modify it)586interimReasonsMask = reasons.getFlags().clone();587}588} else if (idpExt == null || reasons == null) {589if (pointReasonFlags != null) {590// set interim reasons mask to the value of DP reasons591interimReasonsMask = pointReasonFlags.clone();592} else {593// set interim reasons mask to the special value all-reasons594Arrays.fill(interimReasonsMask, true);595}596}597598// verify that interim reasons mask includes one or more reasons599// not included in the reasons mask600boolean oneOrMore = false;601for (int i = 0; i < interimReasonsMask.length && !oneOrMore; i++) {602if (interimReasonsMask[i] &&603!(i < reasonsMask.length && reasonsMask[i]))604{605oneOrMore = true;606}607}608if (!oneOrMore) {609return false;610}611612// Obtain and validate the certification path for the complete613// CRL issuer (if indirect CRL). If a key usage extension is present614// in the CRL issuer's certificate, verify that the cRLSign bit is set.615if (indirectCRL) {616X509CertSelector certSel = new X509CertSelector();617certSel.setSubject(crlIssuer.asX500Principal());618boolean[] crlSign = {false,false,false,false,false,false,true};619certSel.setKeyUsage(crlSign);620621// Currently by default, forward builder does not enable622// subject/authority key identifier identifying for target623// certificate, instead, it only compares the CRL issuer and624// the target certificate subject. If the certificate of the625// delegated CRL issuer is a self-issued certificate, the626// builder is unable to find the proper CRL issuer by issuer627// name only, there is a potential dead loop on finding the628// proper issuer. It is of great help to narrow the target629// scope down to aware of authority key identifiers in the630// selector, for the purposes of breaking the dead loop.631AuthorityKeyIdentifierExtension akidext =632crlImpl.getAuthKeyIdExtension();633if (akidext != null) {634byte[] kid = akidext.getEncodedKeyIdentifier();635if (kid != null) {636certSel.setSubjectKeyIdentifier(kid);637}638639SerialNumber asn = (SerialNumber)akidext.get(640AuthorityKeyIdentifierExtension.SERIAL_NUMBER);641if (asn != null) {642certSel.setSerialNumber(asn.getNumber());643}644// the subject criterion will be set by builder automatically.645}646647// By now, we have validated the previous certificate, so we can648// trust it during the validation of the CRL issuer.649// In addition to the performance improvement, another benefit is to650// break the dead loop while looking for the issuer back and forth651// between the delegated self-issued certificate and its issuer.652Set<TrustAnchor> newTrustAnchors = new HashSet<>(trustAnchors);653654if (prevKey != null) {655// Add the previous certificate as a trust anchor.656// If prevCert is not null, we want to construct a TrustAnchor657// using the cert object because when the certpath for the CRL658// is built later, the CertSelector will make comparisons with659// the TrustAnchor's trustedCert member rather than its pubKey.660TrustAnchor temporary;661if (prevCert != null) {662temporary = new TrustAnchor(prevCert, null);663} else {664X500Principal principal = certImpl.getIssuerX500Principal();665temporary = new TrustAnchor(principal, prevKey, null);666}667newTrustAnchors.add(temporary);668}669670PKIXBuilderParameters params = null;671try {672params = new PKIXBuilderParameters(newTrustAnchors, certSel);673} catch (InvalidAlgorithmParameterException iape) {674throw new CRLException(iape);675}676params.setCertStores(certStores);677params.setSigProvider(provider);678params.setDate(validity);679try {680CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");681PKIXCertPathBuilderResult result =682(PKIXCertPathBuilderResult) builder.build(params);683prevKey = result.getPublicKey();684} catch (GeneralSecurityException e) {685throw new CRLException(e);686}687}688689// check the crl signature algorithm690try {691AlgorithmChecker.check(prevKey, crl, variant, anchor);692} catch (CertPathValidatorException cpve) {693if (debug != null) {694debug.println("CRL signature algorithm check failed: " + cpve);695}696return false;697}698699// validate the signature on the CRL700try {701crl.verify(prevKey, provider);702} catch (GeneralSecurityException e) {703if (debug != null) {704debug.println("CRL signature failed to verify");705}706return false;707}708709// reject CRL if any unresolved critical extensions remain in the CRL.710Set<String> unresCritExts = crl.getCriticalExtensionOIDs();711// remove any that we have processed712if (unresCritExts != null) {713unresCritExts.remove(IssuingDistributionPoint_Id.toString());714if (!unresCritExts.isEmpty()) {715if (debug != null) {716debug.println("Unrecognized critical extension(s) in CRL: "717+ unresCritExts);718for (String ext : unresCritExts) {719debug.println(ext);720}721}722return false;723}724}725726// update reasonsMask727for (int i = 0; i < reasonsMask.length; i++) {728reasonsMask[i] = reasonsMask[i] ||729(i < interimReasonsMask.length && interimReasonsMask[i]);730}731732return true;733}734735/**736* Append relative name to the issuer name and return a new737* GeneralNames object.738*/739private static GeneralNames getFullNames(X500Name issuer, RDN rdn)740throws IOException741{742List<RDN> rdns = new ArrayList<>(issuer.rdns());743rdns.add(rdn);744X500Name fullName = new X500Name(rdns.toArray(new RDN[0]));745GeneralNames fullNames = new GeneralNames();746fullNames.add(new GeneralName(fullName));747return fullNames;748}749750/**751* Verifies whether a CRL is issued by a certain certificate752*753* @param cert the certificate754* @param crl the CRL to be verified755* @param provider the name of the signature provider756*/757private static boolean issues(X509CertImpl cert, X509CRLImpl crl,758String provider) throws IOException759{760boolean matched = false;761762AdaptableX509CertSelector issuerSelector =763new AdaptableX509CertSelector();764765// check certificate's key usage766boolean[] usages = cert.getKeyUsage();767if (usages != null) {768usages[6] = true; // cRLSign769issuerSelector.setKeyUsage(usages);770}771772// check certificate's subject773X500Principal crlIssuer = crl.getIssuerX500Principal();774issuerSelector.setSubject(crlIssuer);775776/*777* Facilitate certification path construction with authority778* key identifier and subject key identifier.779*780* In practice, conforming CAs MUST use the key identifier method,781* and MUST include authority key identifier extension in all CRLs782* issued. [section 5.2.1, RFC 2459]783*/784AuthorityKeyIdentifierExtension crlAKID = crl.getAuthKeyIdExtension();785issuerSelector.setSkiAndSerialNumber(crlAKID);786787matched = issuerSelector.match(cert);788789// if AKID is unreliable, verify the CRL signature with the cert790if (matched && (crlAKID == null ||791cert.getAuthorityKeyIdentifierExtension() == null)) {792try {793crl.verify(cert.getPublicKey(), provider);794matched = true;795} catch (GeneralSecurityException e) {796matched = false;797}798}799800return matched;801}802}803804805