diff --git a/fine-bouncycastle/readme.md b/fine-bouncycastle/readme.md
index 7e179b705..ee3d0f005 100644
--- a/fine-bouncycastle/readme.md
+++ b/fine-bouncycastle/readme.md
@@ -1,2 +1,2 @@
-版本:1.67
+版本:1.68
源码:https://www.bouncycastle.org/latest_releases.html
\ No newline at end of file
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/LICENSE.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/LICENSE.java
index 80f1fd5e4..1b76350fd 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/LICENSE.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/LICENSE.java
@@ -5,7 +5,7 @@ import com.fr.third.org.bouncycastle.util.Strings;
/**
* The Bouncy Castle License
*
- * Copyright (c) 2000-2019 The Legion Of The Bouncy Castle Inc. (http://www.bouncycastle.org)
+ * Copyright (c) 2000-2021 The Legion Of The Bouncy Castle Inc. (https://www.bouncycastle.org)
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of this software * and associated documentation files (the "Software"), to deal in the Software without restriction, @@ -26,7 +26,7 @@ import com.fr.third.org.bouncycastle.util.Strings; public class LICENSE { public static final String licenseText = - "Copyright (c) 2000-2019 The Legion of the Bouncy Castle Inc. (http://www.bouncycastle.org) " + "Copyright (c) 2000-2021 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org) " + Strings.lineSeparator() + Strings.lineSeparator() + "Permission is hereby granted, free of charge, to any person obtaining a copy of this software " diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/BERGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/BERGenerator.java index 41d0e5bb6..57aec4ca6 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/BERGenerator.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/BERGenerator.java @@ -7,8 +7,7 @@ import java.io.OutputStream; * Base class for generators for indefinite-length structures. */ public class BERGenerator - extends - ASN1Generator + extends ASN1Generator { private boolean _tagged = false; private boolean _isExplicit; diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSequence.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSequence.java index 970c3d091..192d99387 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSequence.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSequence.java @@ -1,7 +1,6 @@ package com.fr.third.org.bouncycastle.asn1; import java.io.IOException; -import java.io.OutputStream; /** * Definite length SEQUENCE, encoding tells explicit number of bytes diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSet.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSet.java index 9149201be..a90f8d532 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSet.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSet.java @@ -1,7 +1,6 @@ package com.fr.third.org.bouncycastle.asn1; import java.io.IOException; -import java.io.OutputStream; /** * A DER encoded SET object diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attribute.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attribute.java index 736d60a3a..a0ee76456 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attribute.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attribute.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1Set; import com.fr.third.org.bouncycastle.asn1.DERSequence; /** - * RFC 5652: + * RFC 5652: * Attribute is a pair of OID (as type identifier) + set of values. *
*
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attributes.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attributes.java index 4161404d7..5722a3af9 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attributes.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attributes.java @@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject; import com.fr.third.org.bouncycastle.asn1.DLSet; /** - * RFC 5652 defines + * RFC 5652 defines * 5 "SET OF Attribute" entities with 5 different names. * This is common implementation for them all: *diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthEnvelopedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthEnvelopedData.java index 796bcd4a2..0277c7a3d 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthEnvelopedData.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthEnvelopedData.java @@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence; import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; /** - * RFC 5083: + * RFC 5083: * * CMS AuthEnveloped Data object. *diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthenticatedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthenticatedData.java index d4847fe5e..eb12b0850 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthenticatedData.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthenticatedData.java @@ -15,7 +15,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * RFC 5652 section 9.1: + * RFC 5652 section 9.1: * The AuthenticatedData carries AuthAttributes and other data * which define what really is being signed. *
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CCMParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CCMParameters.java index affeb25a6..e6d4e80e8 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CCMParameters.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CCMParameters.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence; import com.fr.third.org.bouncycastle.util.Arrays; /** - * RFC 5084: CCMParameters object. + * RFC 5084: CCMParameters object. **
CCMParameters ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CMSAttributes.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CMSAttributes.java index b48563f67..6861bf728 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CMSAttributes.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CMSAttributes.java @@ -5,8 +5,8 @@ import com.fr.third.org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; /** - * RFC 5652 CMS attribute OID constants. - * and RFC 6211 Algorithm Identifier Protection Attribute. + * RFC 5652 CMS attribute OID constants. + * and RFC 6211 Algorithm Identifier Protection Attribute. ** contentType ::= 1.2.840.113549.1.9.3 * messageDigest ::= 1.2.840.113549.1.9.4 @@ -28,7 +28,7 @@ public interface CMSAttributes ASN1ObjectIdentifier signingTime = PKCSObjectIdentifiers.pkcs_9_at_signingTime; /** PKCS#9: 1.2.840.113549.1.9.6 */ ASN1ObjectIdentifier counterSignature = PKCSObjectIdentifiers.pkcs_9_at_counterSignature; - /** PKCS#9: 1.2.840.113549.1.9.16.6.2.4 - See RFC 2634 */ + /** PKCS#9: 1.2.840.113549.1.9.16.6.2.4 - See RFC 2634 */ ASN1ObjectIdentifier contentHint = PKCSObjectIdentifiers.id_aa_contentHint; ASN1ObjectIdentifier cmsAlgorithmProtect = PKCSObjectIdentifiers.id_aa_cmsAlgorithmProtect; diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedData.java index 9d916c352..53b09a9df 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedData.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedData.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * RFC 3274: CMS Compressed Data. + * RFC 3274: CMS Compressed Data. * ** CompressedData ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedDataParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedDataParser.java index 8845236d3..9674ff835 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedDataParser.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedDataParser.java @@ -7,7 +7,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1SequenceParser; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * Parser of RFC 3274 {@link CompressedData} object. + * Parser of RFC 3274 {@link CompressedData} object. **
* CompressedData ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfo.java index 65c5fbd4e..fc3d94492 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfo.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfo.java @@ -11,8 +11,8 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence; import com.fr.third.org.bouncycastle.asn1.BERTaggedObject; /** - * RFC 5652 ContentInfo, and - * RFC 5652 EncapsulatedContentInfo objects. + * RFC 5652 ContentInfo, and + * RFC 5652 EncapsulatedContentInfo objects. * ** ContentInfo ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfoParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfoParser.java index 6912b2216..dbe0fd641 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfoParser.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfoParser.java @@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1SequenceParser; import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObjectParser; /** - * RFC 5652 {@link ContentInfo} object parser. + * RFC 5652 {@link ContentInfo} object parser. * ** ContentInfo ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/DigestedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/DigestedData.java index 1c328c4ec..e06250022 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/DigestedData.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/DigestedData.java @@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.asn1.DEROctetString; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * RFC 5652 DigestedData object. + * RFC 5652 DigestedData object. ** DigestedData ::= SEQUENCE { * version CMSVersion, diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfo.java index 0e2361af9..897bdbac9 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfo.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfo.java @@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.asn1.BERTaggedObject; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * RFC 5652 EncryptedContentInfo object. + * RFC 5652 EncryptedContentInfo object. * ** EncryptedContentInfo ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfoParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfoParser.java index 44193af02..842c75b4e 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfoParser.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfoParser.java @@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObjectParser; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * Parser for RFC 5652 EncryptedContentInfo object. + * Parser for RFC 5652 EncryptedContentInfo object. **
* EncryptedContentInfo ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedData.java index c06081002..6fc3f63c6 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedData.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedData.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence; import com.fr.third.org.bouncycastle.asn1.BERTaggedObject; /** - * RFC 5652 EncryptedData object. + * RFC 5652 EncryptedData object. **
* EncryptedData ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedData.java index a5e2c955e..ac92880ca 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedData.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedData.java @@ -13,7 +13,7 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence; import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; /** - * RFC 5652 EnvelopedData object. + * RFC 5652 EnvelopedData object. ** EnvelopedData ::= SEQUENCE { * version CMSVersion, diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedDataParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedDataParser.java index ff12c1a4b..90304a818 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedDataParser.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedDataParser.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObjectParser; import com.fr.third.org.bouncycastle.asn1.BERTags; /** - * Parser of RFC 5652 {@link EnvelopedData} object. + * Parser of RFC 5652 {@link EnvelopedData} object. **
* EnvelopedData ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Evidence.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Evidence.java index 7238506ad..558c82c2a 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Evidence.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Evidence.java @@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; import com.fr.third.org.bouncycastle.asn1.tsp.EvidenceRecord; /** - * RFC 5544: + * RFC 5544: * Binding Documents with Time-Stamps; Evidence object. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/GCMParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/GCMParameters.java index 0bcd25c6a..3ca6d47bd 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/GCMParameters.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/GCMParameters.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence; import com.fr.third.org.bouncycastle.util.Arrays; /** - * RFC 5084: GCMParameters object. + * RFC 5084: GCMParameters object. **
GCMParameters ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/IssuerAndSerialNumber.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/IssuerAndSerialNumber.java index 6f08e319d..d77862a54 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/IssuerAndSerialNumber.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/IssuerAndSerialNumber.java @@ -14,7 +14,7 @@ import com.fr.third.org.bouncycastle.asn1.x509.X509CertificateStructure; import com.fr.third.org.bouncycastle.asn1.x509.X509Name; /** - * RFC 5652: IssuerAndSerialNumber object. + * RFC 5652: IssuerAndSerialNumber object. **
* IssuerAndSerialNumber ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKIdentifier.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKIdentifier.java index 94c8fecaf..415761c6e 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKIdentifier.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKIdentifier.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DEROctetString; import com.fr.third.org.bouncycastle.asn1.DERSequence; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKRecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKRecipientInfo.java index 551c6c658..4bfd14cc2 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKRecipientInfo.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKRecipientInfo.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientIdentifier.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientIdentifier.java index ea07a8400..a81bbf51b 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientIdentifier.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientIdentifier.java @@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject; import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientInfo.java index 8912d0878..7da53fd84 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientInfo.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientInfo.java @@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyTransRecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyTransRecipientInfo.java index cc9daa790..4f0a0d3b5 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyTransRecipientInfo.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyTransRecipientInfo.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. ** KeyTransRecipientInfo ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/MetaData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/MetaData.java index dc29a4e20..e126f6650 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/MetaData.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/MetaData.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence; import com.fr.third.org.bouncycastle.asn1.DERUTF8String; /** - * RFC 5544: + * RFC 5544: * Binding Documents with Time-Stamps; MetaData object. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorIdentifierOrKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorIdentifierOrKey.java index 55aa47727..dc5c13c99 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorIdentifierOrKey.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorIdentifierOrKey.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; import com.fr.third.org.bouncycastle.asn1.x509.SubjectKeyIdentifier; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. ** OriginatorIdentifierOrKey ::= CHOICE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorInfo.java index 6cfdfe95f..a2b4b752d 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorInfo.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorInfo.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence; import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; /** - * RFC 5652: OriginatorInfo object. + * RFC 5652: OriginatorInfo object. ** RFC 3369: * diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorPublicKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorPublicKey.java index 6714f6bd6..887c31f59 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorPublicKey.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorPublicKey.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherKeyAttribute.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherKeyAttribute.java index 67d0ebb7c..b254ff498 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherKeyAttribute.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherKeyAttribute.java @@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1Sequence; import com.fr.third.org.bouncycastle.asn1.DERSequence; /** - * RFC 5652: OtherKeyAttribute object. + * RFC 5652: OtherKeyAttribute object. **
* OtherKeyAttribute ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRecipientInfo.java index bc857aecf..7fc989b71 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRecipientInfo.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRecipientInfo.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject; import com.fr.third.org.bouncycastle.asn1.DERSequence; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. ** OtherRecipientInfo ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRevocationInfoFormat.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRevocationInfoFormat.java index 4a039ebd2..f87e56a32 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRevocationInfoFormat.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRevocationInfoFormat.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject; import com.fr.third.org.bouncycastle.asn1.DERSequence; /** - * RFC 5652: OtherRevocationInfoFormat object. + * RFC 5652: OtherRevocationInfoFormat object. **
* OtherRevocationInfoFormat ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/PasswordRecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/PasswordRecipientInfo.java index d72d25876..4210c4774 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/PasswordRecipientInfo.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/PasswordRecipientInfo.java @@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. ** PasswordRecipientInfo ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientEncryptedKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientEncryptedKey.java index 92dae9c1a..157e3a3c8 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientEncryptedKey.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientEncryptedKey.java @@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject; import com.fr.third.org.bouncycastle.asn1.DERSequence; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. ** RecipientEncryptedKey ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientIdentifier.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientIdentifier.java index 753c675c3..035a6a80f 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientIdentifier.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientIdentifier.java @@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject; import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. ** RecipientIdentifier ::= CHOICE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientInfo.java index 4733eb342..9b10695e0 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientInfo.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientInfo.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject; import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientKeyIdentifier.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientKeyIdentifier.java index 8304b5341..9543fcc6a 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientKeyIdentifier.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientKeyIdentifier.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DEROctetString; import com.fr.third.org.bouncycastle.asn1.DERSequence; /** - * RFC 5652: + * RFC 5652: * Content encryption key delivery mechanisms. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SCVPReqRes.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SCVPReqRes.java index ec33d531d..c1db368c5 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SCVPReqRes.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SCVPReqRes.java @@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence; import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; /** - * RFC 5940: + * RFC 5940: * Additional Cryptographic Message Syntax (CMS) Revocation Information Choices. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedData.java index 3276aad7b..937f48f56 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedData.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedData.java @@ -16,7 +16,7 @@ import com.fr.third.org.bouncycastle.asn1.BERTaggedObject; import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; /** - * RFC 5652: + * RFC 5652: ** A signed data object containing multitude of {@link SignerInfo}s. *
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedDataParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedDataParser.java index 1c13937d1..b4829fc68 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedDataParser.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedDataParser.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObjectParser; import com.fr.third.org.bouncycastle.asn1.BERTags; /** - * Parser for RFC 5652: {@link SignedData} object. + * Parser for RFC 5652: {@link SignedData} object. **
* SignedData ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerIdentifier.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerIdentifier.java index 976ef020b..57cd187c4 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerIdentifier.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerIdentifier.java @@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject; import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; /** - * RFC 5652: + * RFC 5652: * Identify who signed the containing {@link SignerInfo} object. ** The certificates referred to by this are at containing {@link SignedData} structure. diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerInfo.java index 48363186f..d2b5fe499 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerInfo.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerInfo.java @@ -16,7 +16,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; /** - * RFC 5652: + * RFC 5652: * Signature container per Signer, see {@link SignerIdentifier}. *
* PKCS#7: diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Time.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Time.java index 4cab5fa02..9f3ce7317 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Time.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Time.java @@ -16,7 +16,7 @@ import com.fr.third.org.bouncycastle.asn1.DERGeneralizedTime; import com.fr.third.org.bouncycastle.asn1.DERUTCTime; /** - * RFC 5652: + * RFC 5652: * Dual-mode timestamp format producing either UTCTIme or GeneralizedTime. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampAndCRL.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampAndCRL.java index 60fd27a4e..7132fb145 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampAndCRL.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampAndCRL.java @@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence; import com.fr.third.org.bouncycastle.asn1.x509.CertificateList; /** - * RFC 5544 + * RFC 5544 * Binding Documents with Time-Stamps; TimeStampAndCRL object. ** TimeStampAndCRL ::= SEQUENCE { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampTokenEvidence.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampTokenEvidence.java index 9bb70b8fb..7887c3dc5 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampTokenEvidence.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampTokenEvidence.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject; import com.fr.third.org.bouncycastle.asn1.DERSequence; /** - * RFC 5544 + * RFC 5544 * Binding Documents with Time-Stamps; TimeStampTokenEvidence object. ** TimeStampTokenEvidence ::= diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedData.java index 0cd3cb5d7..24a22e5c1 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedData.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedData.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence; import com.fr.third.org.bouncycastle.asn1.DERIA5String; /** - * RFC 5544: + * RFC 5544: * Binding Documents with Time-Stamps; TimeStampedData object. **
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedDataParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedDataParser.java index 742b186a3..b15fda126 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedDataParser.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedDataParser.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1SequenceParser; import com.fr.third.org.bouncycastle.asn1.DERIA5String; /** - * Parser for RFC 5544: + * Parser for RFC 5544: * {@link TimeStampedData} object. **
@@ -71,6 +71,11 @@ public class TimeStampedDataParser return null; } + public int getVersion() + { + return version.getValue().intValue(); + } + public DERIA5String getDataUri() { return dataUri; diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ecc/MQVuserKeyingMaterial.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ecc/MQVuserKeyingMaterial.java index 70d0ed3f4..e848906e8 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ecc/MQVuserKeyingMaterial.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ecc/MQVuserKeyingMaterial.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject; import com.fr.third.org.bouncycastle.asn1.cms.OriginatorPublicKey; /** - * RFC 5753/3278: MQVuserKeyingMaterial object. + * RFC 5753/3278: MQVuserKeyingMaterial object. ** MQVuserKeyingMaterial ::= SEQUENCE { * ephemeralPublicKey OriginatorPublicKey, diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/dvcs/DVCSObjectIdentifiers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/dvcs/DVCSObjectIdentifiers.java index 08a205070..31792d182 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/dvcs/DVCSObjectIdentifiers.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/dvcs/DVCSObjectIdentifiers.java @@ -3,7 +3,7 @@ package com.fr.third.org.bouncycastle.asn1.dvcs; import com.fr.third.org.bouncycastle.asn1.ASN1ObjectIdentifier; /** - * OIDs for RFC 3029 + * OIDs for RFC 3029 * Data Validation and Certification Server Protocols */ public interface DVCSObjectIdentifiers diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/eac/EACObjectIdentifiers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/eac/EACObjectIdentifiers.java index 7cf8c5da3..f83cbc1b0 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/eac/EACObjectIdentifiers.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/eac/EACObjectIdentifiers.java @@ -5,7 +5,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1ObjectIdentifier; /** * German Federal Office for Information Security * (Bundesamt für Sicherheit in der Informationstechnik) - * http://www.bsi.bund.de/ + * https://www.bsi.bund.de/ ** BSI TR-03110 * Technical Guideline Advanced Security Mechanisms for Machine Readable Travel Documents diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/isismtt/x509/AdmissionSyntax.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/isismtt/x509/AdmissionSyntax.java index 37d9e04d5..f469ef666 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/isismtt/x509/AdmissionSyntax.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/isismtt/x509/AdmissionSyntax.java @@ -67,8 +67,8 @@ import com.fr.third.org.bouncycastle.asn1.x509.GeneralName; * component namingAuthorityId are grouped under the OID-branch * id-isis-at-namingAuthorities and must be applied for. *
- * See RFC 4010 + * See RFC 4010 * Use of the SEED Encryption Algorithm * in Cryptographic Message Syntax (CMS), - * and RFC 4269 + * and RFC 4269 * The SEED Encryption Algorithm */ public interface KISAObjectIdentifiers diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ntt/NTTObjectIdentifiers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ntt/NTTObjectIdentifiers.java index b72f3eac0..ea1590cb8 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ntt/NTTObjectIdentifiers.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ntt/NTTObjectIdentifiers.java @@ -3,7 +3,7 @@ package com.fr.third.org.bouncycastle.asn1.ntt; import com.fr.third.org.bouncycastle.asn1.ASN1ObjectIdentifier; /** - * From RFC 3657 + * From RFC 3657 * Use of the Camellia Encryption Algorithm * in Cryptographic Message Syntax (CMS) */ diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ocsp/OCSPObjectIdentifiers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ocsp/OCSPObjectIdentifiers.java index 115e632e8..b165c1475 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ocsp/OCSPObjectIdentifiers.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ocsp/OCSPObjectIdentifiers.java @@ -3,7 +3,7 @@ package com.fr.third.org.bouncycastle.asn1.ocsp; import com.fr.third.org.bouncycastle.asn1.ASN1ObjectIdentifier; /** - * OIDs for RFC 2560 and RFC 6960 + * OIDs for RFC 2560 and RFC 6960 * Online Certificate Status Protocol - OCSP. */ public interface OCSPObjectIdentifiers diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/pkcs/PKCSObjectIdentifiers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/pkcs/PKCSObjectIdentifiers.java index bb32dfc4e..f6a6371e6 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/pkcs/PKCSObjectIdentifiers.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/pkcs/PKCSObjectIdentifiers.java @@ -327,7 +327,7 @@ public interface PKCSObjectIdentifiers /** PKCS#9: 1.2.840.113549.1.9.16.2.1 -- smime attribute receiptRequest */ ASN1ObjectIdentifier id_aa_receiptRequest = id_aa.branch("1"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.4 - See RFC 2634 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.4 - See RFC 2634 */ ASN1ObjectIdentifier id_aa_contentHint = id_aa.branch("4"); // See RFC 2634 /** PKCS#9: 1.2.840.113549.1.9.16.2.5 */ ASN1ObjectIdentifier id_aa_msgSigDigest = id_aa.branch("5"); @@ -344,40 +344,40 @@ public interface PKCSObjectIdentifiers /** PKCS#9: 1.2.840.113549.1.9.16.2.47 */ ASN1ObjectIdentifier id_aa_signingCertificateV2 = id_aa.branch("47"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.7 - See RFC 2634 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.7 - See RFC 2634 */ ASN1ObjectIdentifier id_aa_contentIdentifier = id_aa.branch("7"); // See RFC 2634 /* * RFC 3126 */ - /** PKCS#9: 1.2.840.113549.1.9.16.2.14 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.14 - RFC 3126 */ ASN1ObjectIdentifier id_aa_signatureTimeStampToken = id_aa.branch("14"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.15 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.15 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_sigPolicyId = id_aa.branch("15"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.16 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.16 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_commitmentType = id_aa.branch("16"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.17 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.17 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_signerLocation = id_aa.branch("17"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.18 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.18 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_signerAttr = id_aa.branch("18"); - /** PKCS#9: 1.2.840.113549.1.9.16.6.2.19 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.6.2.19 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_otherSigCert = id_aa.branch("19"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.20 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.20 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_contentTimestamp = id_aa.branch("20"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.21 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.21 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_certificateRefs = id_aa.branch("21"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.22 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.22 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_revocationRefs = id_aa.branch("22"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.23 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.23 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_certValues = id_aa.branch("23"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.24 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.24 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_revocationValues = id_aa.branch("24"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.25 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.25 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_escTimeStamp = id_aa.branch("25"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.26 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.26 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_certCRLTimestamp = id_aa.branch("26"); - /** PKCS#9: 1.2.840.113549.1.9.16.2.27 - RFC 3126 */ + /** PKCS#9: 1.2.840.113549.1.9.16.2.27 - RFC 3126 */ ASN1ObjectIdentifier id_aa_ets_archiveTimestamp = id_aa.branch("27"); /** PKCS#9: 1.2.840.113549.1.9.16.2.37 - RFC 4108 */ diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java index 109bb95cf..a21938c2e 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java @@ -15,7 +15,7 @@ import com.fr.third.org.bouncycastle.util.encoders.Hex; /** * Elliptic curves defined in "ECC Brainpool Standard Curves and Curve Generation" - * http://www.ecc-brainpool.org/download/draft_pkix_additional_ecc_dp.txt + * https://www.ecc-brainpool.org/download/draft_pkix_additional_ecc_dp.txt */ public class TeleTrusTNamedCurves { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/tsp/ArchiveTimeStamp.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/tsp/ArchiveTimeStamp.java index 9fafde65f..7d14644c9 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/tsp/ArchiveTimeStamp.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/tsp/ArchiveTimeStamp.java @@ -33,10 +33,10 @@ import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier; public class ArchiveTimeStamp extends ASN1Object { - private AlgorithmIdentifier digestAlgorithm; - private Attributes attributes; - private ASN1Sequence reducedHashTree; - private ContentInfo timeStamp; + private final AlgorithmIdentifier digestAlgorithm; + private final Attributes attributes; + private final ASN1Sequence reducedHashTree; + private final ContentInfo timeStamp; /** * Return an ArchiveTimestamp from the given object. @@ -64,26 +64,31 @@ public class ArchiveTimeStamp PartialHashtree[] reducedHashTree, ContentInfo timeStamp) { - this.digestAlgorithm = digestAlgorithm; - this.reducedHashTree = new DERSequence(reducedHashTree); - this.timeStamp = timeStamp; + this(digestAlgorithm, null, reducedHashTree, timeStamp); } public ArchiveTimeStamp( - AlgorithmIdentifier digestAlgorithm, - Attributes attributes, - PartialHashtree[] reducedHashTree, ContentInfo timeStamp) { - this.digestAlgorithm = digestAlgorithm; - this.attributes = attributes; - this.reducedHashTree = new DERSequence(reducedHashTree); - this.timeStamp = timeStamp; + this(null, null, null, timeStamp); } public ArchiveTimeStamp( + AlgorithmIdentifier digestAlgorithm, + Attributes attributes, + PartialHashtree[] reducedHashTree, ContentInfo timeStamp) { + this.digestAlgorithm = digestAlgorithm; + this.attributes = attributes; + if (reducedHashTree != null) + { + this.reducedHashTree = new DERSequence(reducedHashTree); + } + else + { + this.reducedHashTree = null; + } this.timeStamp = timeStamp; } @@ -94,6 +99,9 @@ public class ArchiveTimeStamp throw new IllegalArgumentException("wrong sequence size in constructor: " + sequence.size()); } + AlgorithmIdentifier digAlg = null; + Attributes attrs = null; + ASN1Sequence rHashTree = null; for (int i = 0; i < sequence.size() - 1; i++) { Object obj = sequence.getObjectAt(i); @@ -105,13 +113,13 @@ public class ArchiveTimeStamp switch (taggedObject.getTagNo()) { case 0: - digestAlgorithm = AlgorithmIdentifier.getInstance(taggedObject, false); + digAlg = AlgorithmIdentifier.getInstance(taggedObject, false); break; case 1: - attributes = Attributes.getInstance(taggedObject, false); + attrs = Attributes.getInstance(taggedObject, false); break; case 2: - reducedHashTree = ASN1Sequence.getInstance(taggedObject, false); + rHashTree = ASN1Sequence.getInstance(taggedObject, false); break; default: throw new IllegalArgumentException("invalid tag no in constructor: " @@ -120,6 +128,9 @@ public class ArchiveTimeStamp } } + digestAlgorithm = digAlg; + attributes = attrs; + reducedHashTree = rHashTree; timeStamp = ContentInfo.getInstance(sequence.getObjectAt(sequence.size() - 1)); } diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x500/style/BCStyle.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x500/style/BCStyle.java index f4537a22b..f4ef1cc63 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x500/style/BCStyle.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x500/style/BCStyle.java @@ -76,6 +76,8 @@ public class BCStyle public static final ASN1ObjectIdentifier GENERATION = new ASN1ObjectIdentifier("2.5.4.44").intern(); public static final ASN1ObjectIdentifier UNIQUE_IDENTIFIER = new ASN1ObjectIdentifier("2.5.4.45").intern(); + public static final ASN1ObjectIdentifier DESCRIPTION = new ASN1ObjectIdentifier("2.5.4.13").intern(); + /** * businessCategory - DirectoryString(SIZE(1..128) */ @@ -96,6 +98,7 @@ public class BCStyle */ public static final ASN1ObjectIdentifier PSEUDONYM = new ASN1ObjectIdentifier("2.5.4.65").intern(); + public static final ASN1ObjectIdentifier ROLE = new ASN1ObjectIdentifier("2.5.4.72").intern(); /** * RFC 3039 DateOfBirth - GeneralizedTime - YYYYMMDD000000Z @@ -213,6 +216,8 @@ public class BCStyle DefaultSymbols.put(GIVENNAME, "GIVENNAME"); DefaultSymbols.put(INITIALS, "INITIALS"); DefaultSymbols.put(GENERATION, "GENERATION"); + DefaultSymbols.put(DESCRIPTION, "DESCRIPTION"); + DefaultSymbols.put(ROLE, "ROLE"); DefaultSymbols.put(UnstructuredAddress, "unstructuredAddress"); DefaultSymbols.put(UnstructuredName, "unstructuredName"); DefaultSymbols.put(UNIQUE_IDENTIFIER, "UniqueIdentifier"); @@ -249,6 +254,8 @@ public class BCStyle DefaultLookUp.put("givenname", GIVENNAME); DefaultLookUp.put("initials", INITIALS); DefaultLookUp.put("generation", GENERATION); + DefaultLookUp.put("description", DESCRIPTION); + DefaultLookUp.put("role", ROLE); DefaultLookUp.put("unstructuredaddress", UnstructuredAddress); DefaultLookUp.put("unstructuredname", UnstructuredName); DefaultLookUp.put("uniqueidentifier", UNIQUE_IDENTIFIER); diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/KeyPurposeId.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/KeyPurposeId.java index 1e0c64fe4..083c7585b 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/KeyPurposeId.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/KeyPurposeId.java @@ -123,12 +123,12 @@ public class KeyPurposeId /** - * Microsoft Server Gated Crypto (msSGC) see http://www.alvestrand.no/objectid/1.3.6.1.4.1.311.10.3.3.html + * Microsoft Server Gated Crypto (msSGC) see https://www.alvestrand.no/objectid/1.3.6.1.4.1.311.10.3.3.html */ public static final KeyPurposeId id_kp_msSGC = new KeyPurposeId(new ASN1ObjectIdentifier("1.3.6.1.4.1.311.10.3.3")); /** - * Netscape Server Gated Crypto (nsSGC) see http://www.alvestrand.no/objectid/2.16.840.1.113730.4.1.html + * Netscape Server Gated Crypto (nsSGC) see https://www.alvestrand.no/objectid/2.16.840.1.113730.4.1.html */ public static final KeyPurposeId id_kp_nsSGC = new KeyPurposeId(new ASN1ObjectIdentifier("2.16.840.1.113730.4.1")); diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/PolicyMappings.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/PolicyMappings.java index b3170be73..8bbf6ad70 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/PolicyMappings.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/PolicyMappings.java @@ -18,7 +18,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence; * subjectDomainPolicy CertPolicyId } * * - * @see RFC 3280, section 4.2.1.6 + * @see RFC 3280, section 4.2.1.6 */ public class PolicyMappings extends ASN1Object diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEParticipant.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEParticipant.java index bab8a60d0..02124493b 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEParticipant.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEParticipant.java @@ -49,7 +49,7 @@ import com.fr.third.org.bouncycastle.util.Arrays; * These are the trivial techniques to optimize the communication. *
* The key confirmation process is implemented as specified in - * NIST SP 800-56A Revision 1, + * NIST SP 800-56A Revision 1, * Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes. *
* This class is stateful and NOT threadsafe. diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroup.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroup.java index 381dbc124..57a880f8b 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroup.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroup.java @@ -10,7 +10,7 @@ import java.math.BigInteger; *
* See {@link JPAKEPrimeOrderGroups} for convenient standard groups. *
- * NIST publishes + * NIST publishes * many groups that can be used for the desired level of security. */ public class JPAKEPrimeOrderGroup diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroups.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroups.java index 8f5eb905d..afa2e0926 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroups.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroups.java @@ -11,7 +11,7 @@ import java.math.BigInteger; *
* The prime order groups below are taken from Sun's JDK JavaDoc (docs/guide/security/CryptoSpec.html#AppB), * and from the prime order groups - * published by NIST. + * published by NIST. */ public class JPAKEPrimeOrderGroups { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEUtil.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEUtil.java index 66570e03e..c84a09efb 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEUtil.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEUtil.java @@ -317,7 +317,7 @@ public class JPAKEUtil /** * Calculates the MacTag (to be used for key confirmation), as defined by - * NIST SP 800-56A Revision 1, + * NIST SP 800-56A Revision 1, * Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes. *
* MacTag = HMAC(MacKey, MacLen, MacData) diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/RIPEMD160Digest.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/RIPEMD160Digest.java index 7eb48d29f..62be72edf 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/RIPEMD160Digest.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/RIPEMD160Digest.java @@ -5,7 +5,7 @@ import com.fr.third.org.bouncycastle.util.Memoable; /** * implementation of RIPEMD see, - * http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html + * https://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html */ public class RIPEMD160Digest extends GeneralDigest diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/SM3Digest.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/SM3Digest.java index b004d6f1d..b3a6efc6e 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/SM3Digest.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/SM3Digest.java @@ -5,7 +5,7 @@ import com.fr.third.org.bouncycastle.util.Pack; /** * Implementation of Chinese SM3 digest as described at - * http://tools.ietf.org/html/draft-shen-sm3-hash-01 + * https://tools.ietf.org/html/draft-shen-sm3-hash-01 * and at .... ( Chinese PDF ) ** The specification says "process a bit stream", diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/TigerDigest.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/TigerDigest.java index 90969003d..cf4fd7d24 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/TigerDigest.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/TigerDigest.java @@ -5,8 +5,8 @@ import com.fr.third.org.bouncycastle.util.Memoable; /** * implementation of Tiger based on: - * - * http://www.cs.technion.ac.il/~biham/Reports/Tiger + * + * https://www.cs.technion.ac.il/~biham/Reports/Tiger */ public class TigerDigest implements ExtendedDigest, Memoable diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/encodings/OAEPEncoding.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/encodings/OAEPEncoding.java index 6f7c9ddef..755b472b7 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/encodings/OAEPEncoding.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/encodings/OAEPEncoding.java @@ -297,6 +297,7 @@ public class OAEPEncoding byte[] output = new byte[block.length - start]; System.arraycopy(block, start, output, 0, output.length); + Arrays.fill(block, (byte)0); return output; } diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESEngine.java index 40ca573a6..816027fda 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESEngine.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.util.Pack; /** * an implementation of the AES (Rijndael), from FIPS-197. *
- * For further details see: http://csrc.nist.gov/encryption/aes/. + * For further details see: https://csrc.nist.gov/encryption/aes/. * * This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at * http://fp.gladman.plus.com/cryptography_technology/rijndael/ diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESFastEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESFastEngine.java index b6508626b..6d3072860 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESFastEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESFastEngine.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.util.Pack; /** * an implementation of the AES (Rijndael), from FIPS-197. *
- * For further details see: http://csrc.nist.gov/encryption/aes/. + * For further details see: https://csrc.nist.gov/encryption/aes/. * * This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at * http://fp.gladman.plus.com/cryptography_technology/rijndael/ diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESLightEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESLightEngine.java index 9e0f42d3e..dde33eee3 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESLightEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESLightEngine.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.util.Pack; /** * an implementation of the AES (Rijndael), from FIPS-197. *
- * For further details see: http://csrc.nist.gov/encryption/aes/. + * For further details see: https://csrc.nist.gov/encryption/aes/. * * This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at * http://fp.gladman.plus.com/cryptography_technology/rijndael/ diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESWrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESWrapEngine.java index 39690f8ed..4f4061c58 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESWrapEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESWrapEngine.java @@ -4,7 +4,7 @@ package com.fr.third.org.bouncycastle.crypto.engines; * an implementation of the AES Key Wrapper from the NIST Key Wrap * Specification. *
- * For further details see: http://csrc.nist.gov/encryption/kms/key-wrap.pdf. + * For further details see: https://csrc.nist.gov/encryption/kms/key-wrap.pdf. */ public class AESWrapEngine extends RFC3394WrapEngine diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ARIAWrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ARIAWrapEngine.java index 567e2fa9f..44a7e190f 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ARIAWrapEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ARIAWrapEngine.java @@ -4,7 +4,7 @@ package com.fr.third.org.bouncycastle.crypto.engines; * an implementation of the ARIA Key Wrapper from the NIST Key Wrap * Specification. *
- * For further details see: http://csrc.nist.gov/encryption/kms/key-wrap.pdf. + * For further details see: https://csrc.nist.gov/encryption/kms/key-wrap.pdf. */ public class ARIAWrapEngine extends RFC3394WrapEngine diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/CamelliaWrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/CamelliaWrapEngine.java index 754481e9a..acea7fcbe 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/CamelliaWrapEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/CamelliaWrapEngine.java @@ -3,7 +3,7 @@ package com.fr.third.org.bouncycastle.crypto.engines; /** * An implementation of the Camellia key wrapper based on RFC 3657/RFC 3394. *
- * For further details see: http://www.ietf.org/rfc/rfc3657.txt. + * For further details see: https://www.ietf.org/rfc/rfc3657.txt. */ public class CamelliaWrapEngine extends RFC3394WrapEngine diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/DESedeWrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/DESedeWrapEngine.java index 2b546aa0f..05d05c4d6 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/DESedeWrapEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/DESedeWrapEngine.java @@ -305,7 +305,7 @@ public class DESedeWrapEngine * - Compute the 20 octet SHA-1 hash on the key being wrapped. * - Use the first 8 octets of this hash as the checksum value. * - * For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum. + * For details see https://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum. * * @param key the key to check, * @return the CMS checksum. @@ -325,7 +325,7 @@ public class DESedeWrapEngine } /** - * For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum + * For details see https://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum * * @param key key to be validated. * @param checksum the checksum. diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC128Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC128Engine.java index c06bbed71..fddbca2a4 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC128Engine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC128Engine.java @@ -12,12 +12,12 @@ import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV; * generates keystream from a 128-bit secret key and a 128-bit initialization * vector. *
- * http://www.ecrypt.eu.org/stream/p3ciphers/hc/hc128_p3.pdf + * https://www.ecrypt.eu.org/stream/p3ciphers/hc/hc128_p3.pdf *
* It is a third phase candidate in the eStream contest, and is patent-free. * No attacks are known as of today (April 2007). See * - * http://www.ecrypt.eu.org/stream/hcp3.html + * https://www.ecrypt.eu.org/stream/hcp3.html *
*/ public class HC128Engine diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC256Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC256Engine.java index 48d3a80bf..9abcf27f2 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC256Engine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC256Engine.java @@ -12,13 +12,13 @@ import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV; * generates keystream from a 256-bit secret key and a 256-bit initialization * vector. *- * http://www.ecrypt.eu.org/stream/p3ciphers/hc/hc256_p3.pdf + * https://www.ecrypt.eu.org/stream/p3ciphers/hc/hc256_p3.pdf *
* Its brother, HC-128, is a third phase candidate in the eStream contest. * The algorithm is patent-free. No attacks are known as of today (April 2007). * See * - * http://www.ecrypt.eu.org/stream/hcp3.html + * https://www.ecrypt.eu.org/stream/hcp3.html *
*/ public class HC256Engine diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ISAACEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ISAACEngine.java index 9c196f07b..bae6b941f 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ISAACEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ISAACEngine.java @@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.util.Pack; /** * Implementation of Bob Jenkin's ISAAC (Indirection Shift Accumulate Add and Count). - * see: http://www.burtleburtle.net/bob/rand/isaacafa.html + * see: https://www.burtleburtle.net/bob/rand/isaacafa.html */ public class ISAACEngine implements StreamCipher diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/NaccacheSternEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/NaccacheSternEngine.java index 660b08a77..3fbc05ad4 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/NaccacheSternEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/NaccacheSternEngine.java @@ -2,7 +2,6 @@ package com.fr.third.org.bouncycastle.crypto.engines; import java.math.BigInteger; import java.util.Vector; -import com.fr.third.org.bouncycastle.util.Arrays; import com.fr.third.org.bouncycastle.crypto.AsymmetricBlockCipher; import com.fr.third.org.bouncycastle.crypto.CipherParameters; @@ -11,10 +10,11 @@ import com.fr.third.org.bouncycastle.crypto.InvalidCipherTextException; import com.fr.third.org.bouncycastle.crypto.params.NaccacheSternKeyParameters; import com.fr.third.org.bouncycastle.crypto.params.NaccacheSternPrivateKeyParameters; import com.fr.third.org.bouncycastle.crypto.params.ParametersWithRandom; +import com.fr.third.org.bouncycastle.util.Arrays; /** * NaccacheStern Engine. For details on this cipher, please see - * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf + * https://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf */ public class NaccacheSternEngine implements AsymmetricBlockCipher diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC2WrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC2WrapEngine.java index 25fb2e9c3..2d056109a 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC2WrapEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC2WrapEngine.java @@ -351,7 +351,7 @@ public class RC2WrapEngine * - Compute the 20 octet SHA-1 hash on the key being wrapped. * - Use the first 8 octets of this hash as the checksum value. * - * For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum + * For details see https://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum */ private byte[] calculateCMSKeyChecksum( byte[] key) @@ -367,7 +367,7 @@ public class RC2WrapEngine } /* - * For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum + * For details see https://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum */ private boolean checkCMSKeyChecksum( byte[] key, diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC532Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC532Engine.java index 8aa5cb1cd..7dd8f39b2 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC532Engine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC532Engine.java @@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.crypto.params.RC5Parameters; /** * The specification for RC5 came from theRC5 Encryption Algorithm
* publication in RSA CryptoBytes, Spring of 1995. - * http://www.rsasecurity.com/rsalabs/cryptobytes. + * https://www.rsasecurity.com/rsalabs/cryptobytes. ** This implementation has a word size of 32 bits. *
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC564Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC564Engine.java index bdaa35f70..4acf712dd 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC564Engine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC564Engine.java @@ -7,7 +7,7 @@ import com.fr.third.org.bouncycastle.crypto.params.RC5Parameters; /** * The specification for RC5 came from the
RC5 Encryption Algorithm
* publication in RSA CryptoBytes, Spring of 1995. - * http://www.rsasecurity.com/rsalabs/cryptobytes. + * https://www.rsasecurity.com/rsalabs/cryptobytes. ** This implementation is set to work with a 64 bit word size. *
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java index 724c41d29..63da5eeda 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java @@ -14,8 +14,8 @@ import com.fr.third.org.bouncycastle.util.Arrays; * an implementation of the AES Key Wrapper from the NIST Key Wrap * Specification as described in RFC 3394. *
- * For further details see: http://www.ietf.org/rfc/rfc3394.txt - * and http://csrc.nist.gov/encryption/kms/key-wrap.pdf. + * For further details see: https://www.ietf.org/rfc/rfc3394.txt + * and https://csrc.nist.gov/encryption/kms/key-wrap.pdf. */ public class RFC3394WrapEngine implements Wrapper diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SEEDWrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SEEDWrapEngine.java index 5f3de689d..69ddc9b9e 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SEEDWrapEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SEEDWrapEngine.java @@ -3,7 +3,7 @@ package com.fr.third.org.bouncycastle.crypto.engines; /** * An implementation of the SEED key wrapper based on RFC 4010/RFC 3394. *
- * For further details see: http://www.ietf.org/rfc/rfc4010.txt. + * For further details see: https://www.ietf.org/rfc/rfc4010.txt. */ public class SEEDWrapEngine extends RFC3394WrapEngine diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SerpentEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SerpentEngine.java index e4431e340..1a0f88f40 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SerpentEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SerpentEngine.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.util.Pack; * Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen as a * candidate algorithm for the NIST AES Quest. *
- * For full details see The Serpent home page + * For full details see The Serpent home page */ public final class SerpentEngine extends SerpentEngineBase diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/TnepresEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/TnepresEngine.java index 1472b9135..96a5b6b5b 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/TnepresEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/TnepresEngine.java @@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.util.Pack; * with test vectors in the AES submission and the resulting confusion lead to the Tnepres cipher * as well, which is a byte swapped version of Serpent. *
- * For full details see The Serpent home page + * For full details see The Serpent home page */ public final class TnepresEngine extends SerpentEngineBase diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc128Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc128Engine.java index a59b4b1ce..145f2635c 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc128Engine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc128Engine.java @@ -4,7 +4,7 @@ import com.fr.third.org.bouncycastle.util.Memoable; /** * Zuc256 implementation. - * Based on http://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf + * Based on https://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf */ public final class Zuc128Engine extends Zuc128CoreEngine diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256CoreEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256CoreEngine.java index 21c932b87..e586ee17b 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256CoreEngine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256CoreEngine.java @@ -4,7 +4,7 @@ import com.fr.third.org.bouncycastle.util.Memoable; /** * Zuc256 implementation. - * Based on http://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf + * Based on https://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf */ public class Zuc256CoreEngine extends Zuc128CoreEngine diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256Engine.java index c48c4e7f8..3fb55031c 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256Engine.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256Engine.java @@ -4,7 +4,7 @@ import com.fr.third.org.bouncycastle.util.Memoable; /** * Zuc256 implementation. - * Based on http://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf + * Based on https://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf */ public final class Zuc256Engine extends Zuc256CoreEngine diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/NaccacheSternKeyPairGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/NaccacheSternKeyPairGenerator.java index b41b61770..7f95d14e3 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/NaccacheSternKeyPairGenerator.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/NaccacheSternKeyPairGenerator.java @@ -15,7 +15,7 @@ import com.fr.third.org.bouncycastle.util.BigIntegers; /** * Key generation parameters for NaccacheStern cipher. For details on this cipher, please see * - * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf + * https://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf */ public class NaccacheSternKeyPairGenerator implements AsymmetricCipherKeyPairGenerator diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS12ParametersGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS12ParametersGenerator.java index c2fd4afb8..6bd47f6ed 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS12ParametersGenerator.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS12ParametersGenerator.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV; * Generator for PBE derived keys and ivs as defined by PKCS 12 V1.0. *
* The document this implementation is based on can be found at - * + * * RSA's PKCS12 Page */ public class PKCS12ParametersGenerator diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S1ParametersGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S1ParametersGenerator.java index bedd0800e..5e326a589 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S1ParametersGenerator.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S1ParametersGenerator.java @@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV; * digest used to drive it. *
* The document this implementation is based on can be found at - * + * * RSA's PKCS5 Page */ public class PKCS5S1ParametersGenerator diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S2ParametersGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S2ParametersGenerator.java index fce1aec3d..1696d39ec 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S2ParametersGenerator.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S2ParametersGenerator.java @@ -14,7 +14,7 @@ import com.fr.third.org.bouncycastle.crypto.util.DigestFactory; * This generator uses a SHA-1 HMac as the calculation function. *
* The document this implementation is based on can be found at - * + * * RSA's PKCS5 Page */ public class PKCS5S2ParametersGenerator diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc128Mac.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc128Mac.java index df1698749..331590fe5 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc128Mac.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc128Mac.java @@ -6,7 +6,7 @@ import com.fr.third.org.bouncycastle.crypto.engines.Zuc128CoreEngine; /** * Zuc128 Mac implementation. - * Based on http://www.qtc.jp/3GPP/Specs/eea3eia3specificationv16.pdf + * Based on https://www.qtc.jp/3GPP/Specs/eea3eia3specificationv16.pdf */ public final class Zuc128Mac implements Mac diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc256Mac.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc256Mac.java index 114c8433d..f9f8e477a 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc256Mac.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc256Mac.java @@ -6,7 +6,7 @@ import com.fr.third.org.bouncycastle.crypto.engines.Zuc256CoreEngine; /** * Zuc256 Mac implementation. - * Based on http://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf + * Based on https://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf */ public final class Zuc256Mac implements Mac diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/EAXBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/EAXBlockCipher.java index d68bbcca3..6d817b9ec 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/EAXBlockCipher.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/EAXBlockCipher.java @@ -15,7 +15,7 @@ import com.fr.third.org.bouncycastle.util.Arrays; * A Two-Pass Authenticated-Encryption Scheme Optimized for Simplicity and * Efficiency - by M. Bellare, P. Rogaway, D. Wagner. * - * http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf + * https://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf * * EAX is an AEAD scheme based on CTR and OMAC1/CMAC, that uses a single block * cipher to encrypt and authenticate data. It's on-line (the length of a diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CBCBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CBCBlockCipher.java index df2201571..bd81ed00e 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CBCBlockCipher.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CBCBlockCipher.java @@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.util.Arrays; /** * An implementation of the CBC mode for GOST 3412 2015 cipher. - * See GOST R 3413 2015 + * See GOST R 3413 2015 */ public class G3413CBCBlockCipher implements BlockCipher diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CFBBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CFBBlockCipher.java index 0ce7bfbae..54c3e5364 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CFBBlockCipher.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CFBBlockCipher.java @@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.util.Arrays; /** * An implementation of the CFB mode for GOST 3412 2015 cipher. - * See GOST R 3413 2015 + * See GOST R 3413 2015 */ public class G3413CFBBlockCipher extends StreamBlockCipher diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413OFBBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413OFBBlockCipher.java index dabd6d21e..8323f5c9c 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413OFBBlockCipher.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413OFBBlockCipher.java @@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.util.Arrays; /** * An implementation of the OFB mode for GOST 3412 2015 cipher. - * See GOST R 3413 2015 + * See GOST R 3413 2015 */ public class G3413OFBBlockCipher extends StreamBlockCipher diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OCBBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OCBBlockCipher.java index fe09827d6..491ee3983 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OCBBlockCipher.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OCBBlockCipher.java @@ -13,10 +13,10 @@ import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV; import com.fr.third.org.bouncycastle.util.Arrays; /** - * An implementation of RFC 7253 on The OCB + * An implementation of RFC 7253 on The OCB * Authenticated-Encryption Algorithm, licensed per: *
- *
License for + *License for * Open-Source Software Implementations of OCB (Jan 9, 2013) — “License 1”. * * @see "GF2nField" * @see GF2nPolynomialField diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/IntegerFunctions.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/IntegerFunctions.java index 9656b0953..49271be60 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/IntegerFunctions.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/IntegerFunctions.java @@ -1355,8 +1355,6 @@ public final class IntegerFunctions { if (a[i - 1] >= a[i]) { - System.out.println("a[" + (i - 1) + "] = " + a[i - 1] + " >= " - + a[i] + " = a[" + i + "]"); return false; } } diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Arrays.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Arrays.java index c43cbcbf6..2935d44eb 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Arrays.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Arrays.java @@ -876,6 +876,25 @@ public final class Arrays return r; } + public static short[] concatenate(short[] a, short[] b) + { + if (null == a) + { + // b might also be null + return clone(b); + } + if (null == b) + { + // a might also be null + return clone(a); + } + + short[] r = new short[a.length + b.length]; + System.arraycopy(a, 0, r, 0, a.length); + System.arraycopy(b, 0, r, a.length, b.length); + return r; + } + public static byte[] concatenate(byte[] a, byte[] b, byte[] c) { if (null == a) diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/BigIntegers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/BigIntegers.java index 2838255d3..ee6399ef7 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/BigIntegers.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/BigIntegers.java @@ -13,8 +13,8 @@ public final class BigIntegers { public static final BigInteger ZERO = BigInteger.valueOf(0); public static final BigInteger ONE = BigInteger.valueOf(1); + public static final BigInteger TWO = BigInteger.valueOf(2); - private static final BigInteger TWO = BigInteger.valueOf(2); private static final BigInteger THREE = BigInteger.valueOf(3); private static final int MAX_ITERATIONS = 1000; @@ -30,7 +30,7 @@ public final class BigIntegers { byte[] bytes = value.toByteArray(); - if (bytes[0] == 0) + if (bytes[0] == 0 && bytes.length != 1) { byte[] tmp = new byte[bytes.length - 1]; @@ -60,7 +60,7 @@ public final class BigIntegers return bytes; } - int start = bytes[0] == 0 ? 1 : 0; + int start = (bytes[0] == 0 && bytes.length != 1) ? 1 : 0; int count = bytes.length - start; if (count > length) @@ -95,7 +95,7 @@ public final class BigIntegers return; } - int start = bytes[0] == 0 ? 1 : 0; + int start = (bytes[0] == 0 && bytes.length != 1) ? 1 : 0; int count = bytes.length - start; if (count > len) @@ -252,6 +252,11 @@ public final class BigIntegers public static int getUnsignedByteLength(BigInteger n) { + if (n.equals(ZERO)) + { + return 1; + } + return (n.bitLength() + 7) / 8; } diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Doubles.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Doubles.java new file mode 100644 index 000000000..2ba867aff --- /dev/null +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Doubles.java @@ -0,0 +1,9 @@ +package com.fr.third.org.bouncycastle.util; + +public class Doubles +{ + public static Double valueOf(double value) + { + return Double.valueOf(value); + } +} diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/CertPathValidatorUtilities.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/CertPathValidatorUtilities.java index 4d1187367..8ae05ec80 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/CertPathValidatorUtilities.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/CertPathValidatorUtilities.java @@ -61,8 +61,6 @@ import com.fr.third.org.bouncycastle.util.StoreException; class CertPathValidatorUtilities { - protected static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil(); - protected static final String CERTIFICATE_POLICIES = Extension.certificatePolicies.getId(); protected static final String BASIC_CONSTRAINTS = Extension.basicConstraints.getId(); protected static final String POLICY_MAPPINGS = Extension.policyMappings.getId(); @@ -73,14 +71,13 @@ class CertPathValidatorUtilities protected static final String ISSUING_DISTRIBUTION_POINT = Extension.issuingDistributionPoint.getId(); protected static final String DELTA_CRL_INDICATOR = Extension.deltaCRLIndicator.getId(); protected static final String POLICY_CONSTRAINTS = Extension.policyConstraints.getId(); - protected static final String FRESHEST_CRL = Extension.freshestCRL.getId(); - protected static final String CRL_DISTRIBUTION_POINTS = Extension.cRLDistributionPoints.getId(); - protected static final String AUTHORITY_KEY_IDENTIFIER = Extension.authorityKeyIdentifier.getId(); +// protected static final String FRESHEST_CRL = Extension.freshestCRL.getId(); +// protected static final String CRL_DISTRIBUTION_POINTS = Extension.cRLDistributionPoints.getId(); +// protected static final String AUTHORITY_KEY_IDENTIFIER = Extension.authorityKeyIdentifier.getId(); + protected static final String CRL_NUMBER = Extension.cRLNumber.getId(); protected static final String ANY_POLICY = "2.5.29.32.0"; - protected static final String CRL_NUMBER = Extension.cRLNumber.getId(); - /* * key usage bits */ @@ -100,9 +97,6 @@ class CertPathValidatorUtilities "privilegeWithdrawn", "aACompromise"}; - - - /** * Returns the issuer of an attribute certificate or certificate. * @@ -122,16 +116,11 @@ class CertPathValidatorUtilities } } - protected static Date getValidDate(PKIXParameters paramsPKIX) + protected static Date getValidityDate(PKIXParameters paramsPKIX, Date currentDate) { - Date validDate = paramsPKIX.getDate(); - - if (validDate == null) - { - validDate = new Date(); - } + Date validityDate = paramsPKIX.getDate(); - return validDate; + return null == validityDate ? currentDate : validityDate; } protected static X500Principal getSubjectPrincipal(X509Certificate cert) diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCRLUtil.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCRLUtil.java index 9feb763bf..3839d2578 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCRLUtil.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCRLUtil.java @@ -3,10 +3,6 @@ package com.fr.third.org.bouncycastle.x509; import java.security.cert.CertStore; import java.security.cert.CertStoreException; import java.security.cert.PKIXParameters; -import java.security.cert.X509CRL; -import java.security.cert.X509Certificate; -import java.util.Collection; -import java.util.Date; import java.util.HashSet; import java.util.Iterator; import java.util.List; @@ -15,68 +11,17 @@ import java.util.Set; import com.fr.third.org.bouncycastle.jce.provider.AnnotatedException; import com.fr.third.org.bouncycastle.util.StoreException; -class PKIXCRLUtil +abstract class PKIXCRLUtil { - public Set findCRLs(X509CRLStoreSelector crlselect, ExtendedPKIXParameters paramsPKIX, Date currentDate) + static Set findCRLs(X509CRLStoreSelector crlselect, PKIXParameters paramsPKIX) throws AnnotatedException { - Set initialSet = new HashSet(); + HashSet completeSet = new HashSet(); // get complete CRL(s) try { - initialSet.addAll(findCRLs(crlselect, paramsPKIX.getAdditionalStores())); - initialSet.addAll(findCRLs(crlselect, paramsPKIX.getStores())); - initialSet.addAll(findCRLs(crlselect, paramsPKIX.getCertStores())); - } - catch (AnnotatedException e) - { - throw new AnnotatedException("Exception obtaining complete CRLs.", e); - } - - Set finalSet = new HashSet(); - Date validityDate = currentDate; - - if (paramsPKIX.getDate() != null) - { - validityDate = paramsPKIX.getDate(); - } - - // based on RFC 5280 6.3.3 - for (Iterator it = initialSet.iterator(); it.hasNext();) - { - X509CRL crl = (X509CRL)it.next(); - - if (crl.getNextUpdate().after(validityDate)) - { - X509Certificate cert = crlselect.getCertificateChecking(); - - if (cert != null) - { - if (crl.getThisUpdate().before(cert.getNotAfter())) - { - finalSet.add(crl); - } - } - else - { - finalSet.add(crl); - } - } - } - - return finalSet; - } - - public Set findCRLs(X509CRLStoreSelector crlselect, PKIXParameters paramsPKIX) - throws AnnotatedException - { - Set completeSet = new HashSet(); - - // get complete CRL(s) - try - { - completeSet.addAll(findCRLs(crlselect, paramsPKIX.getCertStores())); + findCRLs(completeSet, crlselect, paramsPKIX.getCertStores()); } catch (AnnotatedException e) { @@ -86,36 +31,30 @@ class PKIXCRLUtil return completeSet; } -/** - * Return a Collection of all CRLs found in the X509Store's that are - * matching the crlSelect criteriums. + /** + * Add to a HashSet any and all CRLs found in the X509Store's that are matching the crlSelect + * criteria. * - * @param crlSelect a {@link X509CRLStoreSelector} object that will be used - * to select the CRLs - * @param crlStores a List containing only - * {@link com.fr.third.org.bouncycastle.x509.X509Store X509Store} objects. + * @param crls + * the {@link HashSet} to add the CRLs to. + * @param crlSelect + * a {@link X509CRLStoreSelector} object that will be used to select the CRLs + * @param crlStores + * a List containing only {@link com.fr.third.org.bouncycastle.x509.X509Store X509Store} objects. * These are used to search for CRLs - * - * @return a Collection of all found {@link java.security.cert.X509CRL X509CRL} objects. May be - * empty but never
* Under this license, you are authorized to make, use, and distribute open-source software * implementations of OCB. This license terminates for you if you sue someone over their open-source diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OpenPGPCFBBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OpenPGPCFBBlockCipher.java index 1d0c72d6e..bfad6dd44 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OpenPGPCFBBlockCipher.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OpenPGPCFBBlockCipher.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.crypto.OutputLengthException; * to the data stream already, and just accomodates the reset after * (blockSize + 2) bytes have been read. *- * For further info see RFC 2440. + * For further info see RFC 2440. */ public class OpenPGPCFBBlockCipher implements BlockCipher diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/PGPCFBBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/PGPCFBBlockCipher.java index 226113c7e..12d49e4f7 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/PGPCFBBlockCipher.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/PGPCFBBlockCipher.java @@ -7,7 +7,7 @@ import com.fr.third.org.bouncycastle.crypto.OutputLengthException; import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV; /** - * Implements OpenPGP's rather strange version of Cipher-FeedBack (CFB) mode on top of a simple cipher. For further info see RFC 2440. + * Implements OpenPGP's rather strange version of Cipher-FeedBack (CFB) mode on top of a simple cipher. For further info see RFC 2440. */ public class PGPCFBBlockCipher implements BlockCipher diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/DESParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/DESParameters.java index 7de7f6c28..288e09941 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/DESParameters.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/DESParameters.java @@ -52,7 +52,7 @@ public class DESParameters * if the given DES key material is weak or semi-weak. * Key material that is too short is regarded as weak. *
- * See "Applied + * See "Applied * Cryptography" by Bruce Schneier for more information. * * @return true if the given DES key material is weak or semi-weak, diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyGenerationParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyGenerationParameters.java index 5a03eadff..8d12d1951 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyGenerationParameters.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyGenerationParameters.java @@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.crypto.KeyGenerationParameters; * Parameters for NaccacheStern public private key generation. For details on * this cipher, please see * - * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf + * https://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf */ public class NaccacheSternKeyGenerationParameters extends KeyGenerationParameters { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyParameters.java index a7baf3bf7..26d89e3cb 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyParameters.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyParameters.java @@ -6,7 +6,7 @@ import java.math.BigInteger; * Public key parameters for NaccacheStern cipher. For details on this cipher, * please see * - * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf + * https://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf */ public class NaccacheSternKeyParameters extends AsymmetricKeyParameter { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternPrivateKeyParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternPrivateKeyParameters.java index bd818bb72..ace41d97e 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternPrivateKeyParameters.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternPrivateKeyParameters.java @@ -7,7 +7,7 @@ import java.util.Vector; * Private key parameters for NaccacheStern cipher. For details on this cipher, * please see * - * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf + * https://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf */ public class NaccacheSternPrivateKeyParameters extends NaccacheSternKeyParameters { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXCertRevocationChecker.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXCertRevocationChecker.java index f40e0c6ca..fc8b186ba 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXCertRevocationChecker.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXCertRevocationChecker.java @@ -7,7 +7,8 @@ public interface PKIXCertRevocationChecker { void setParameter(String name, Object value); - void initialize(PKIXCertRevocationCheckerParameters params); + void initialize(PKIXCertRevocationCheckerParameters params) + throws CertPathValidatorException; void check(Certificate cert) throws CertPathValidatorException; diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXExtendedParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXExtendedParameters.java index a5c930f28..fc0ee6ff1 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXExtendedParameters.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXExtendedParameters.java @@ -22,26 +22,22 @@ public class PKIXExtendedParameters implements CertPathParameters { /** - * This is the default PKIX validity model. Actually there are two variants - * of this: The PKIX model and the modified PKIX model. The PKIX model - * verifies that all involved certificates must have been valid at the - * current time. The modified PKIX model verifies that all involved - * certificates were valid at the signing time. Both are indirectly choosen - * with the {@link PKIXParameters#setDate(Date)} method, so this - * methods sets the Date when all certificates must have been - * valid. + * This is the default PKIX validity model. Actually there are two variants of this: The PKIX + * model and the modified PKIX model. The PKIX model verifies that all involved certificates + * must have been valid at the current time. The modified PKIX model verifies that all involved + * certificates were valid at the signing time. Both are indirectly chosen with the + * {@link PKIXParameters#setDate(Date)} method, so this methods sets the Date when all + * certificates must have been valid. */ public static final int PKIX_VALIDITY_MODEL = 0; /** - * This model uses the following validity model. Each certificate must have - * been valid at the moment where is was used. That means the end - * certificate must have been valid at the time the signature was done. The - * CA certificate which signed the end certificate must have been valid, - * when the end certificate was signed. The CA (or Root CA) certificate must - * have been valid, when the CA certificate was signed and so on. So the - * {@link PKIXParameters#setDate(Date)} method sets the time, when - * the end certificate must have been valid. It is used e.g. + * This model uses the following validity model. Each certificate must have been valid at the + * moment when it was used. That means the end certificate must have been valid at the time the + * signature was done. The CA certificate which signed the end certificate must have been valid, + * when the end certificate was signed. The CA (or Root CA) certificate must have been valid + * when the CA certificate was signed, and so on. So the {@link PKIXParameters#setDate(Date)} + * method sets the time, when the end certificate must have been valid. It is used e.g. * in the German signature law. */ public static final int CHAIN_VALIDITY_MODEL = 1; @@ -52,6 +48,7 @@ public class PKIXExtendedParameters public static class Builder { private final PKIXParameters baseParameters; + private final Date validityDate; private final Date date; private PKIXCertStoreSelector targetConstraints; @@ -72,8 +69,8 @@ public class PKIXExtendedParameters { this.targetConstraints = new PKIXCertStoreSelector.Builder(constraints).build(); } - Date checkDate = baseParameters.getDate(); - this.date = (checkDate == null) ? new Date() : checkDate; + this.validityDate = baseParameters.getDate(); + this.date = (validityDate == null) ? new Date() : validityDate; this.revocationEnabled = baseParameters.isRevocationEnabled(); this.trustAnchors = baseParameters.getTrustAnchors(); } @@ -81,6 +78,7 @@ public class PKIXExtendedParameters public Builder(PKIXExtendedParameters baseParameters) { this.baseParameters = baseParameters.baseParameters; + this.validityDate = baseParameters.validityDate; this.date = baseParameters.date; this.targetConstraints = baseParameters.targetConstraints; this.extraCertStores = new ArrayList
*/ public class RainbowParameterSpec diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/GF2nPolynomialElement.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/GF2nPolynomialElement.java index ac8e47230..cf3fd44a6 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/GF2nPolynomialElement.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/GF2nPolynomialElement.java @@ -9,7 +9,7 @@ import java.util.Random; * This class implements elements of finite binary fields GF(2n) * using polynomial representation. For more information on the arithmetic see * for example IEEE Standard 1363 or Certicom online-tutorial. + * href=https://www.certicom.com/research/online.html> Certicom online-tutorial(baseParameters.extraCertStores); @@ -196,6 +194,7 @@ public class PKIXExtendedParameters private final PKIXParameters baseParameters; private final PKIXCertStoreSelector targetConstraints; + private final Date validityDate; private final Date date; private final List extraCertStores; private final Map namedCertificateStoreMap; @@ -209,6 +208,7 @@ public class PKIXExtendedParameters private PKIXExtendedParameters(Builder builder) { this.baseParameters = builder.baseParameters; + this.validityDate = builder.validityDate; this.date = builder.date; this.extraCertStores = Collections.unmodifiableList(builder.extraCertStores); this.namedCertificateStoreMap = Collections.unmodifiableMap(new HashMap (builder.namedCertificateStoreMap)); @@ -242,14 +242,25 @@ public class PKIXExtendedParameters return namedCRLStoreMap; } + /** + * Returns the time at which to check the validity of the certification path. If {@code null}, + * the current time is used. + * + * @return the {@code Date}, or {@code null} if not set + */ + public Date getValidityDate() + { + return null == validityDate ? null : new Date(validityDate.getTime()); + } + + /** + * @deprecated Use 'getValidityDate' instead (which can return null). + */ public Date getDate() { return new Date(date.getTime()); } - - - /** * Defaults to false
. * @@ -260,8 +271,6 @@ public class PKIXExtendedParameters return useDeltas; } - - /** * @return Returns the validity model. * @see #CHAIN_VALIDITY_MODEL diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/RSA.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/RSA.java index 2d280c561..c07dae048 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/RSA.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/RSA.java @@ -263,6 +263,9 @@ public class RSA provider.addAlgorithm("Alg.Alias.Signature." + digest + "WithRSA/PSS", digest + "WITHRSAANDMGF1"); provider.addAlgorithm("Alg.Alias.Signature." + digest + "withRSAandMGF1", digest + "WITHRSAANDMGF1"); provider.addAlgorithm("Alg.Alias.Signature." + digest + "WithRSAAndMGF1", digest + "WITHRSAANDMGF1"); + provider.addAlgorithm("Alg.Alias.Signature." + digest + "withRSASSA-PSS", digest + "WITHRSAANDMGF1"); + provider.addAlgorithm("Alg.Alias.Signature." + digest + "WithRSASSA-PSS", digest + "WITHRSAANDMGF1"); + provider.addAlgorithm("Alg.Alias.Signature." + digest + "WITHRSASSA-PSS", digest + "WITHRSAANDMGF1"); provider.addAlgorithm("Signature." + digest + "WITHRSAANDMGF1", className); } diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/dsa/BCDSAPublicKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/dsa/BCDSAPublicKey.java index 2165280fe..910f92948 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/dsa/BCDSAPublicKey.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/dsa/BCDSAPublicKey.java @@ -51,7 +51,7 @@ public class BCDSAPublicKey DSAPublicKeyParameters params) { this.y = params.getY(); - if (params != null) + if (params.getParameters() != null) { this.dsaSpec = new DSAParameterSpec(params.getParameters().getP(), params.getParameters().getQ(), params.getParameters().getG()); } diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLImpl.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLImpl.java index 6a9e58768..c27d30a6f 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLImpl.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLImpl.java @@ -48,6 +48,7 @@ import com.fr.third.org.bouncycastle.asn1.x509.Extensions; import com.fr.third.org.bouncycastle.asn1.x509.GeneralNames; import com.fr.third.org.bouncycastle.asn1.x509.IssuingDistributionPoint; import com.fr.third.org.bouncycastle.asn1.x509.TBSCertList; +import com.fr.third.org.bouncycastle.asn1.x509.Time; import com.fr.third.org.bouncycastle.jcajce.CompositePublicKey; import com.fr.third.org.bouncycastle.jcajce.io.OutputStreamFactory; import com.fr.third.org.bouncycastle.jcajce.util.JcaJceHelper; @@ -424,12 +425,9 @@ abstract class X509CRLImpl public Date getNextUpdate() { - if (c.getNextUpdate() != null) - { - return c.getNextUpdate().getDate(); - } + Time nextUpdate = c.getNextUpdate(); - return null; + return null == nextUpdate ? null : nextUpdate.getDate(); } private Set loadCRLEntries() diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BouncyCastleProvider.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BouncyCastleProvider.java index f5ce5652c..db4b232d5 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BouncyCastleProvider.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BouncyCastleProvider.java @@ -58,7 +58,7 @@ import com.fr.third.org.bouncycastle.pqc.jcajce.provider.xmss.XMSSMTKeyFactorySp public final class BouncyCastleProvider extends Provider implements ConfigurableProvider { - private static String info = "BouncyCastle Security Provider v1.67"; + private static String info = "BouncyCastle Security Provider v1.68"; public static final String PROVIDER_NAME = "BC"; @@ -144,7 +144,7 @@ public final class BouncyCastleProvider extends Provider */ public BouncyCastleProvider() { - super(PROVIDER_NAME, 1.67, info); + super(PROVIDER_NAME, 1.68, info); AccessController.doPrivileged(new PrivilegedAction() { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BrokenPBE.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BrokenPBE.java index fdea094bb..46d9eada2 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BrokenPBE.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BrokenPBE.java @@ -24,7 +24,7 @@ import com.fr.third.org.bouncycastle.jcajce.provider.symmetric.util.BCPBEKey; * use it (it won't be staying around). ** The document this implementation is based on can be found at - * + * * RSA's PKCS12 Page */ class OldPKCS12ParametersGenerator diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/CertPathValidatorUtilities.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/CertPathValidatorUtilities.java index 051313a51..d84c660ef 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/CertPathValidatorUtilities.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/CertPathValidatorUtilities.java @@ -44,7 +44,6 @@ import javax.security.auth.x500.X500Principal; import com.fr.third.org.bouncycastle.asn1.ASN1Encodable; import com.fr.third.org.bouncycastle.asn1.ASN1Enumerated; import com.fr.third.org.bouncycastle.asn1.ASN1GeneralizedTime; -import com.fr.third.org.bouncycastle.asn1.ASN1InputStream; import com.fr.third.org.bouncycastle.asn1.ASN1Integer; import com.fr.third.org.bouncycastle.asn1.ASN1ObjectIdentifier; import com.fr.third.org.bouncycastle.asn1.ASN1OctetString; @@ -86,8 +85,6 @@ import com.fr.third.org.bouncycastle.x509.X509AttributeCertificate; class CertPathValidatorUtilities { - protected static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil(); - protected static final String CERTIFICATE_POLICIES = Extension.certificatePolicies.getId(); protected static final String BASIC_CONSTRAINTS = Extension.basicConstraints.getId(); protected static final String POLICY_MAPPINGS = Extension.policyMappings.getId(); @@ -125,38 +122,34 @@ class CertPathValidatorUtilities "privilegeWithdrawn", "aACompromise"}; - static Collection findTargets(PKIXExtendedBuilderParameters paramsPKIX) - throws CertPathBuilderException + static Collection findTargets(PKIXExtendedBuilderParameters paramsPKIX) throws CertPathBuilderException { - Collection targets; - PKIXCertStoreSelector certSelect = paramsPKIX.getBaseParameters().getTargetConstraints(); + PKIXExtendedParameters baseParams = paramsPKIX.getBaseParameters(); + PKIXCertStoreSelector certSelect = baseParams.getTargetConstraints(); + LinkedHashSet targets = new LinkedHashSet(); try { - targets = CertPathValidatorUtilities.findCertificates(certSelect, paramsPKIX.getBaseParameters().getCertificateStores()); - targets.addAll(CertPathValidatorUtilities.findCertificates(certSelect, paramsPKIX.getBaseParameters().getCertStores())); + CertPathValidatorUtilities.findCertificates(targets, certSelect, baseParams.getCertificateStores()); + CertPathValidatorUtilities.findCertificates(targets, certSelect, baseParams.getCertStores()); } catch (AnnotatedException e) { - throw new ExtCertPathBuilderException( - "Error finding target certificate.", e); + throw new ExtCertPathBuilderException("Error finding target certificate.", e); } - if (targets.isEmpty()) + if (!targets.isEmpty()) { - Certificate target = certSelect.getCertificate(); + return targets; + } - if (target != null) - { - targets = Collections.singleton(target); - } - else - { - throw new CertPathBuilderException( - "No certificate found matching targetConstraints."); - } + Certificate target = certSelect.getCertificate(); + if (null == target) + { + throw new CertPathBuilderException("No certificate found matching targetConstraints."); } - return targets; + + return Collections.singleton(target); } /** @@ -303,43 +296,35 @@ class CertPathValidatorUtilities { // if in the IssuerAltName extension an URI // is given, add an additional X.509 store - if (issuerAlternativeName != null) + if (issuerAlternativeName == null) { - GeneralNames issuerAltName = GeneralNames.getInstance(ASN1OctetString.getInstance(issuerAlternativeName).getOctets()); + return Collections.EMPTY_LIST; + } - GeneralName[] names = issuerAltName.getNames(); - List
stores = new ArrayList (); + GeneralNames issuerAltName = GeneralNames.getInstance(ASN1OctetString.getInstance(issuerAlternativeName).getOctets()); - for (int i = 0; i != names.length; i++) - { - GeneralName altName = names[i]; + GeneralName[] names = issuerAltName.getNames(); + List stores = new ArrayList (); - PKIXCertStore altStore = altNameCertStoreMap.get(altName); + for (int i = 0; i != names.length; i++) + { + GeneralName altName = names[i]; - if (altStore != null) - { - stores.add(altStore); - } + PKIXCertStore altStore = altNameCertStoreMap.get(altName); + if (altStore != null) + { + stores.add(altStore); } - - return stores; - } - else - { - return Collections.EMPTY_LIST; } + + return stores; } - protected static Date getValidDate(PKIXExtendedParameters paramsPKIX) + protected static Date getValidityDate(PKIXExtendedParameters paramsPKIX, Date currentDate) { - Date validDate = paramsPKIX.getDate(); - - if (validDate == null) - { - validDate = new Date(); - } + Date validityDate = paramsPKIX.getValidityDate(); - return validDate; + return null == validityDate ? currentDate : validityDate; } protected static boolean isSelfIssued(X509Certificate cert) @@ -347,7 +332,6 @@ class CertPathValidatorUtilities return cert.getSubjectDN().equals(cert.getIssuerDN()); } - /** * Extract the value of the given extension, if it exists. * @@ -355,29 +339,19 @@ class CertPathValidatorUtilities * @param oid The object identifier to obtain. * @throws AnnotatedException if the extension cannot be read. */ - protected static ASN1Primitive getExtensionValue( - java.security.cert.X509Extension ext, - String oid) + protected static ASN1Primitive getExtensionValue(java.security.cert.X509Extension ext, String oid) throws AnnotatedException { byte[] bytes = ext.getExtensionValue(oid); - if (bytes == null) - { - return null; - } - return getObject(oid, bytes); + return null == bytes ? null : getObject(oid, bytes); } - private static ASN1Primitive getObject( - String oid, - byte[] ext) - throws AnnotatedException + private static ASN1Primitive getObject(String oid, byte[] ext) throws AnnotatedException { try { - ASN1InputStream aIn = new ASN1InputStream(ext); - ASN1OctetString octs = ASN1OctetString.getInstance(aIn.readObject()); + ASN1OctetString octs = ASN1OctetString.getInstance(ext); return ASN1Primitive.fromByteArray(octs.getOctets()); } @@ -387,17 +361,11 @@ class CertPathValidatorUtilities } } - protected static AlgorithmIdentifier getAlgorithmIdentifier( - PublicKey key) - throws CertPathValidatorException + protected static AlgorithmIdentifier getAlgorithmIdentifier(PublicKey key) throws CertPathValidatorException { try { - ASN1InputStream aIn = new ASN1InputStream(key.getEncoded()); - - SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject()); - - return info.getAlgorithm(); + return SubjectPublicKeyInfo.getInstance(key.getEncoded()).getAlgorithm(); } catch (Exception e) { @@ -691,27 +659,26 @@ class CertPathValidatorUtilities } /** - * Return a Collection of all certificates or attribute certificates found - * in the X509Store's that are matching the certSelect criteriums. + * Return a Collection of all certificates or attribute certificates found in the X509Store's + * that are matching the certSelect criteriums. * - * @param certSelect a {@link Selector} object that will be used to select - * the certificates - * @param certStores a List containing only {@link Store} objects. These - * are used to search for certificates. - * @return a Collection of all found {@link X509Certificate} - * May be empty but never null
. + * @param certs + * a {@link LinkedHashSet} to which the certificates will be added. + * @param certSelect + * a {@link Selector} object that will be used to select the certificates + * @param certStores + * a List containing only {@link Store} objects. These are used to search for + * certificates. + * @return a Collection of all found {@link X509Certificate} May be empty but never + *null
. */ - protected static Collection findCertificates(PKIXCertStoreSelector certSelect, - List certStores) + protected static void findCertificates(LinkedHashSet certs, PKIXCertStoreSelector certSelect, List certStores) throws AnnotatedException { - Set certs = new LinkedHashSet(); Iterator iter = certStores.iterator(); - while (iter.hasNext()) { Object obj = iter.next(); - if (obj instanceof Store) { Store certStore = (Store)obj; @@ -721,123 +688,111 @@ class CertPathValidatorUtilities } catch (StoreException e) { - throw new AnnotatedException( - "Problem while picking certificates from X.509 store.", e); + throw new AnnotatedException("Problem while picking certificates from X.509 store.", e); } } else { CertStore certStore = (CertStore)obj; - try { certs.addAll(PKIXCertStoreSelector.getCertificates(certSelect, certStore)); } catch (CertStoreException e) { - throw new AnnotatedException( - "Problem while picking certificates from certificate store.", - e); + throw new AnnotatedException("Problem while picking certificates from certificate store.", e); } } } - return certs; } static ListgetAdditionalStoresFromCRLDistributionPoint( CRLDistPoint crldp, Map namedCRLStoreMap, Date validDate, JcaJceHelper helper) throws AnnotatedException { - if (crldp != null) + if (null == crldp) { - DistributionPoint dps[] = null; + return Collections.EMPTY_LIST; + } + + DistributionPoint dps[]; + try + { + dps = crldp.getDistributionPoints(); + } + catch (Exception e) + { + throw new AnnotatedException("Distribution points could not be read.", e); + } + + List stores = new ArrayList (); + + for (int i = 0; i < dps.length; i++) + { + DistributionPointName dpn = dps[i].getDistributionPoint(); + // look for URIs in fullName + if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) + { + GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); + + for (int j = 0; j < genNames.length; j++) + { + PKIXCRLStore store = namedCRLStoreMap.get(genNames[j]); + if (store != null) + { + stores.add(store); + } + } + } + } + + // if the named CRL store is empty, and we're told to check with CRLDP + if (stores.isEmpty() && Properties.isOverrideSet("com.fr.third.org.bouncycastle.x509.enableCRLDP")) + { + CertificateFactory certFact; try { - dps = crldp.getDistributionPoints(); + certFact = helper.createCertificateFactory("X.509"); } catch (Exception e) { - throw new AnnotatedException( - "Distribution points could not be read.", e); + throw new AnnotatedException("cannot create certificate factory: " + e.getMessage(), e); } - List stores = new ArrayList (); for (int i = 0; i < dps.length; i++) { DistributionPointName dpn = dps[i].getDistributionPoint(); // look for URIs in fullName - if (dpn != null) + if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) { - if (dpn.getType() == DistributionPointName.FULL_NAME) - { - GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); + GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); - for (int j = 0; j < genNames.length; j++) - { - PKIXCRLStore store = namedCRLStoreMap.get(genNames[j]); - if (store != null) - { - stores.add(store); - } - } - } - } - } - - // if the named CRL store is empty, and we're told to check with CRLDP - if (stores.isEmpty() && Properties.isOverrideSet("com.fr.third.org.bouncycastle.x509.enableCRLDP")) - { - CertificateFactory certFact = null; - try - { - certFact = helper.createCertificateFactory("X.509"); - } - catch (Exception e) - { - throw new AnnotatedException("cannot create certificate factory: " + e.getMessage(), e); - } - - for (int i = 0; i < dps.length; i++) - { - DistributionPointName dpn = dps[i].getDistributionPoint(); - // look for URIs in fullName - if (dpn != null) + for (int j = 0; j < genNames.length; j++) { - if (dpn.getType() == DistributionPointName.FULL_NAME) + GeneralName name = genNames[i]; + if (name.getTagNo() == GeneralName.uniformResourceIdentifier) { - GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); - - for (int j = 0; j < genNames.length; j++) + try { - GeneralName name = genNames[i]; - if (name.getTagNo() == GeneralName.uniformResourceIdentifier) + URI distributionPoint = new URI(((ASN1String)name.getName()).getString()); + PKIXCRLStore store = CrlCache.getCrl(certFact, validDate, distributionPoint); + if (store != null) { - try - { - PKIXCRLStore store = CrlCache.getCrl(certFact, validDate, new URI(((ASN1String)name.getName()).getString())); - if (store != null) - { - stores.add(store); - } - break; - } - catch (Exception e) - { - // ignore... TODO: maybe log - } + stores.add(store); } + break; + } + catch (Exception e) + { + // ignore... TODO: maybe log } } } } } - - return stores; - } - else - { - return Collections.EMPTY_LIST; } + + return stores; } /** @@ -874,14 +829,12 @@ class CertPathValidatorUtilities { try { - issuers.add(X500Name.getInstance(genNames[j].getName() - .toASN1Primitive().getEncoded())); + issuers.add(X500Name.getInstance(genNames[j].getName().toASN1Primitive().getEncoded())); } catch (IOException e) { throw new AnnotatedException( - "CRL issuer information from distribution point cannot be decoded.", - e); + "CRL issuer information from distribution point cannot be decoded.", e); } } } @@ -962,8 +915,7 @@ class CertPathValidatorUtilities } } - private static BigInteger getSerialNumber( - Object cert) + private static BigInteger getSerialNumber(Object cert) { return ((X509Certificate)cert).getSerialNumber(); } @@ -975,8 +927,6 @@ class CertPathValidatorUtilities CertStatus certStatus) throws AnnotatedException { - X509CRLEntry crl_entry = null; - boolean isIndirect; try { @@ -987,6 +937,7 @@ class CertPathValidatorUtilities throw new AnnotatedException("Failed check for indirect CRL.", exception); } + X509CRLEntry crl_entry; if (isIndirect) { crl_entry = crl.getRevokedCertificate(getSerialNumber(cert)); @@ -1032,22 +983,17 @@ class CertPathValidatorUtilities { if (crl_entry.hasUnsupportedCriticalExtension()) { - throw new AnnotatedException( - "CRL entry has unsupported critical extensions."); + throw new AnnotatedException("CRL entry has unsupported critical extensions."); } try { reasonCode = ASN1Enumerated - .getInstance(CertPathValidatorUtilities - .getExtensionValue(crl_entry, - Extension.reasonCode.getId())); + .getInstance(CertPathValidatorUtilities.getExtensionValue(crl_entry, Extension.reasonCode.getId())); } catch (Exception e) { - throw new AnnotatedException( - "Reason code CRL entry extension could not be decoded.", - e); + throw new AnnotatedException("Reason code CRL entry extension could not be decoded.", e); } } @@ -1111,16 +1057,14 @@ class CertPathValidatorUtilities } // 5.2.4 (b) - byte[] idp = null; + byte[] idp; try { idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT); } catch (Exception e) { - throw new AnnotatedException( - "Issuing distribution point extension value could not be read.", - e); + throw new AnnotatedException("Issuing distribution point extension value could not be read.", e); } // 5.2.4 (d) @@ -1138,12 +1082,12 @@ class CertPathValidatorUtilities PKIXCRLStoreSelector deltaSelect = selBuilder.build(); // find delta CRLs - Set temp = CRL_UTIL.findCRLs(deltaSelect, validityDate, certStores, pkixCrlStores); + Set temp = PKIXCRLUtil.findCRLs(deltaSelect, validityDate, certStores, pkixCrlStores); // if the named CRL store is empty, and we're told to check with CRLDP if (temp.isEmpty() && Properties.isOverrideSet("com.fr.third.org.bouncycastle.x509.enableCRLDP")) { - CertificateFactory certFact = null; + CertificateFactory certFact; try { certFact = helper.createCertificateFactory("X.509"); @@ -1159,30 +1103,29 @@ class CertPathValidatorUtilities { DistributionPointName dpn = dps[i].getDistributionPoint(); // look for URIs in fullName - if (dpn != null) + if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) { - if (dpn.getType() == DistributionPointName.FULL_NAME) - { - GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); + GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); - for (int j = 0; j < genNames.length; j++) + for (int j = 0; j < genNames.length; j++) + { + GeneralName name = genNames[i]; + if (name.getTagNo() == GeneralName.uniformResourceIdentifier) { - GeneralName name = genNames[i]; - if (name.getTagNo() == GeneralName.uniformResourceIdentifier) + try { - try - { - PKIXCRLStore store = CrlCache.getCrl(certFact, validityDate, new URI(((ASN1String)name.getName()).getString())); - if (store != null) - { - temp = CRL_UTIL.findCRLs(deltaSelect, validityDate, Collections.emptyList(), Collections.singletonList(store)); - } - break; - } - catch (Exception e) + PKIXCRLStore store = CrlCache.getCrl(certFact, validityDate, + new URI(((ASN1String)name.getName()).getString())); + if (store != null) { - // ignore... TODO: maybe log + temp = PKIXCRLUtil.findCRLs(deltaSelect, validityDate, Collections.EMPTY_LIST, + Collections.singletonList(store)); } + break; + } + catch (Exception e) + { + // ignore... TODO: maybe log } } } @@ -1231,7 +1174,7 @@ class CertPathValidatorUtilities * or no CRLs are found. */ protected static Set getCompleteCRLs(PKIXCertRevocationCheckerParameters params, DistributionPoint dp, Object cert, - Date currentDate, PKIXExtendedParameters paramsPKIX) + PKIXExtendedParameters paramsPKIX, Date validityDate) throws AnnotatedException, RecoverableCertPathValidatorException { X509CRLSelector baseCrlSelect = new X509CRLSelector(); @@ -1239,15 +1182,13 @@ class CertPathValidatorUtilities try { Set issuers = new HashSet(); - issuers.add(PrincipalUtils.getEncodedIssuerPrincipal(cert)); CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint(dp, issuers, baseCrlSelect); } catch (AnnotatedException e) { - throw new AnnotatedException( - "Could not get issuer information from distribution point.", e); + throw new AnnotatedException("Could not get issuer information from distribution point.", e); } if (cert instanceof X509Certificate) @@ -1255,84 +1196,62 @@ class CertPathValidatorUtilities baseCrlSelect.setCertificateChecking((X509Certificate)cert); } - PKIXCRLStoreSelector crlSelect = new PKIXCRLStoreSelector.Builder(baseCrlSelect).setCompleteCRLEnabled(true).build(); + PKIXCRLStoreSelector crlSelect = new PKIXCRLStoreSelector.Builder(baseCrlSelect).setCompleteCRLEnabled(true) + .build(); - Date validityDate = currentDate; - - if (paramsPKIX.getDate() != null) - { - validityDate = paramsPKIX.getDate(); - } - - Set crls = CRL_UTIL.findCRLs(crlSelect, validityDate, paramsPKIX.getCertStores(), paramsPKIX.getCRLStores()); + Set crls = PKIXCRLUtil.findCRLs(crlSelect, validityDate, paramsPKIX.getCertStores(), paramsPKIX.getCRLStores()); checkCRLsNotEmpty(params, crls, cert); return crls; } - protected static Date getValidCertDateFromValidityModel( - PKIXExtendedParameters paramsPKIX, CertPath certPath, int index) - throws AnnotatedException + protected static Date getValidCertDateFromValidityModel(Date validityDate, int validityModel, CertPath certPath, + int index) throws AnnotatedException { - if (paramsPKIX.getValidityModel() == PKIXExtendedParameters.CHAIN_VALIDITY_MODEL) + if (PKIXExtendedParameters.CHAIN_VALIDITY_MODEL != validityModel || index <= 0) { - // if end cert use given signing/encryption/... time - if (index <= 0) + // use given signing/encryption/... time (or current date) + return validityDate; + } + + X509Certificate issuedCert = (X509Certificate)certPath.getCertificates().get(index - 1); + + if (index - 1 == 0) + { + // use time when cert was issued, if available + ASN1GeneralizedTime dateOfCertgen = null; + try + { + byte[] extBytes = ((X509Certificate)certPath.getCertificates().get(index - 1)) + .getExtensionValue(ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId()); + if (extBytes != null) + { + dateOfCertgen = ASN1GeneralizedTime.getInstance(ASN1Primitive.fromByteArray(extBytes)); + } + } + catch (IOException e) { - return CertPathValidatorUtilities.getValidDate(paramsPKIX); - // else use time when previous cert was created + throw new AnnotatedException("Date of cert gen extension could not be read."); } - else + catch (IllegalArgumentException e) + { + throw new AnnotatedException("Date of cert gen extension could not be read."); + } + if (dateOfCertgen != null) { - if (index - 1 == 0) + try { - ASN1GeneralizedTime dateOfCertgen = null; - try - { - byte[] extBytes = ((X509Certificate)certPath.getCertificates().get(index - 1)).getExtensionValue(ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId()); - if (extBytes != null) - { - dateOfCertgen = ASN1GeneralizedTime.getInstance(ASN1Primitive.fromByteArray(extBytes)); - } - } - catch (IOException e) - { - throw new AnnotatedException( - "Date of cert gen extension could not be read."); - } - catch (IllegalArgumentException e) - { - throw new AnnotatedException( - "Date of cert gen extension could not be read."); - } - if (dateOfCertgen != null) - { - try - { - return dateOfCertgen.getDate(); - } - catch (ParseException e) - { - throw new AnnotatedException( - "Date from date of cert gen extension could not be parsed.", - e); - } - } - return ((X509Certificate)certPath.getCertificates().get( - index - 1)).getNotBefore(); + return dateOfCertgen.getDate(); } - else + catch (ParseException e) { - return ((X509Certificate)certPath.getCertificates().get( - index - 1)).getNotBefore(); + throw new AnnotatedException("Date from date of cert gen extension could not be parsed.", e); } } } - else - { - return getValidDate(paramsPKIX); - } + + return issuedCert.getNotBefore(); } /** @@ -1445,37 +1364,24 @@ class CertPathValidatorUtilities } PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build(); - Set certs = new LinkedHashSet(); - - Iterator iter; + LinkedHashSet certs = new LinkedHashSet(); try { - List matches = new ArrayList(); - - matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, certStores)); - matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixCertStores)); - - iter = matches.iterator(); + CertPathValidatorUtilities.findCertificates(certs, certSelect, certStores); + CertPathValidatorUtilities.findCertificates(certs, certSelect, pkixCertStores); } catch (AnnotatedException e) { throw new AnnotatedException("Issuer certificate cannot be searched.", e); } - X509Certificate issuer = null; - while (iter.hasNext()) - { - issuer = (X509Certificate)iter.next(); - // issuer cannot be verified because possible DSA inheritance - // parameters are missing - certs.add(issuer); - } + // issuers cannot be verified because possible DSA inheritance parameters are missing + return certs; } - protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey, - String sigProvider) + protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey, String sigProvider) throws GeneralSecurityException { if (sigProvider == null) diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java index 8a55189c7..7c7100cba 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java @@ -1,6 +1,5 @@ package com.fr.third.org.bouncycastle.jce.provider; -import java.io.ByteArrayInputStream; import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.Principal; @@ -10,10 +9,6 @@ import java.security.cert.CertPathBuilderResult; import java.security.cert.CertPathBuilderSpi; import java.security.cert.CertPathParameters; import java.security.cert.CertPathValidator; -import java.security.cert.CertStore; -import java.security.cert.CertStoreException; -import java.security.cert.Certificate; -import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.CertificateParsingException; import java.security.cert.PKIXBuilderParameters; @@ -24,6 +19,7 @@ import java.util.ArrayList; import java.util.Collection; import java.util.HashSet; import java.util.Iterator; +import java.util.LinkedHashSet; import java.util.List; import java.util.Set; @@ -32,8 +28,8 @@ import javax.security.auth.x500.X500Principal; import com.fr.third.org.bouncycastle.asn1.x509.Extension; import com.fr.third.org.bouncycastle.jcajce.PKIXCertStoreSelector; import com.fr.third.org.bouncycastle.jcajce.PKIXExtendedBuilderParameters; +import com.fr.third.org.bouncycastle.jcajce.PKIXExtendedParameters; import com.fr.third.org.bouncycastle.jce.exception.ExtCertPathBuilderException; -import com.fr.third.org.bouncycastle.util.Encodable; import com.fr.third.org.bouncycastle.util.Selector; import com.fr.third.org.bouncycastle.util.Store; import com.fr.third.org.bouncycastle.util.StoreException; @@ -42,7 +38,6 @@ import com.fr.third.org.bouncycastle.x509.ExtendedPKIXParameters; import com.fr.third.org.bouncycastle.x509.X509AttributeCertStoreSelector; import com.fr.third.org.bouncycastle.x509.X509AttributeCertificate; import com.fr.third.org.bouncycastle.x509.X509CertStoreSelector; -import com.fr.third.org.bouncycastle.x509.X509Store; public class PKIXAttrCertPathBuilderSpi extends CertPathBuilderSpi @@ -98,7 +93,8 @@ public class PKIXAttrCertPathBuilderSpi // search target certificates - Selector certSelect = paramsPKIX.getBaseParameters().getTargetConstraints(); + PKIXExtendedParameters baseParams = paramsPKIX.getBaseParameters(); + Selector certSelect = baseParams.getTargetConstraints(); if (!(certSelect instanceof X509AttributeCertStoreSelector)) { throw new CertPathBuilderException( @@ -133,7 +129,7 @@ public class PKIXAttrCertPathBuilderSpi X509CertStoreSelector selector = new X509CertStoreSelector(); Principal[] principals = cert.getIssuer().getPrincipals(); - Set issuers = new HashSet(); + LinkedHashSet issuers = new LinkedHashSet(); for (int i = 0; i < principals.length; i++) { try @@ -143,8 +139,8 @@ public class PKIXAttrCertPathBuilderSpi selector.setSubject(((X500Principal)principals[i]).getEncoded()); } PKIXCertStoreSelector certStoreSelector = new PKIXCertStoreSelector.Builder(selector).build(); - issuers.addAll(CertPathValidatorUtilities.findCertificates(certStoreSelector, paramsPKIX.getBaseParameters().getCertStores())); - issuers.addAll(CertPathValidatorUtilities.findCertificates(certStoreSelector, paramsPKIX.getBaseParameters().getCertificateStores())); + CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertStores()); + CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertificateStores()); } catch (AnnotatedException e) { @@ -236,82 +232,78 @@ public class PKIXAttrCertPathBuilderSpi try { // check whether the issuer of is a TrustAnchor - if (CertPathValidatorUtilities.isIssuerTrustAnchor(tbvCert, pkixParams.getBaseParameters().getTrustAnchors(), - pkixParams.getBaseParameters().getSigProvider())) + PKIXExtendedParameters baseParams = pkixParams.getBaseParameters(); + if (CertPathValidatorUtilities.isIssuerTrustAnchor(tbvCert, baseParams.getTrustAnchors(), + baseParams.getSigProvider())) { CertPath certPath; - PKIXCertPathValidatorResult result; try { certPath = cFact.generateCertPath(tbvPath); } catch (Exception e) { - throw new AnnotatedException( - "Certification path could not be constructed from certificate list.", - e); + throw new AnnotatedException("Certification path could not be constructed from certificate list.", + e); } + PKIXCertPathValidatorResult result; try { - result = (PKIXCertPathValidatorResult) validator.validate( - certPath, pkixParams); + result = (PKIXCertPathValidatorResult)validator.validate(certPath, pkixParams); } catch (Exception e) { - throw new AnnotatedException( - "Certification path could not be validated.", - e); + throw new AnnotatedException("Certification path could not be validated.", e); } - return new PKIXCertPathBuilderResult(certPath, result - .getTrustAnchor(), result.getPolicyTree(), result - .getPublicKey()); + return new PKIXCertPathBuilderResult(certPath, result.getTrustAnchor(), result.getPolicyTree(), + result.getPublicKey()); } else { List stores = new ArrayList(); + stores.addAll(baseParams.getCertificateStores()); - stores.addAll(pkixParams.getBaseParameters().getCertificateStores()); // add additional X.509 stores from locations in certificate try { - stores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromAltNames(tbvCert.getExtensionValue(Extension.issuerAlternativeName.getId()), pkixParams.getBaseParameters().getNamedCertificateStoreMap())); + stores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromAltNames( + tbvCert.getExtensionValue(Extension.issuerAlternativeName.getId()), + baseParams.getNamedCertificateStoreMap())); } catch (CertificateParsingException e) { - throw new AnnotatedException( - "No additional X.509 stores can be added from certificate locations.", - e); + throw new AnnotatedException("No additional X.509 stores can be added from certificate locations.", + e); } + Collection issuers = new HashSet(); // try to get the issuer certificate from one // of the stores try { - issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams.getBaseParameters().getCertStores(), stores)); + issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, baseParams.getCertStores(), stores)); } catch (AnnotatedException e) { throw new AnnotatedException( - "Cannot find issuer certificate for certificate in certification path.", - e); + "Cannot find issuer certificate for certificate in certification path.", e); } if (issuers.isEmpty()) { throw new AnnotatedException( "No issuer certificate for certificate in certification path found."); } - Iterator it = issuers.iterator(); + Iterator it = issuers.iterator(); while (it.hasNext() && builderResult == null) { X509Certificate issuer = (X509Certificate) it.next(); // TODO Use CertPathValidatorUtilities.isSelfIssued(issuer)? // if untrusted self signed certificate continue - if (issuer.getIssuerX500Principal().equals( - issuer.getSubjectX500Principal())) + if (issuer.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) { continue; } @@ -321,8 +313,7 @@ public class PKIXAttrCertPathBuilderSpi } catch (AnnotatedException e) { - certPathException = new AnnotatedException( - "No valid certification path could be build.", e); + certPathException = new AnnotatedException("No valid certification path could be build.", e); } if (builderResult == null) { @@ -331,17 +322,15 @@ public class PKIXAttrCertPathBuilderSpi return builderResult; } - protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect, - List certStores) + protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect, List certStores) throws AnnotatedException { Set certs = new HashSet(); - Iterator iter = certStores.iterator(); + Iterator iter = certStores.iterator(); while (iter.hasNext()) { Object obj = iter.next(); - if (obj instanceof Store) { Store certStore = (Store)obj; @@ -351,11 +340,11 @@ public class PKIXAttrCertPathBuilderSpi } catch (StoreException e) { - throw new AnnotatedException( - "Problem while picking certificates from X.509 store.", e); + throw new AnnotatedException("Problem while picking certificates from X.509 store.", e); } } } + return certs; } } diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathValidatorSpi.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathValidatorSpi.java index 57dda533e..bc067eb78 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathValidatorSpi.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathValidatorSpi.java @@ -97,6 +97,9 @@ public class PKIXAttrCertPathValidatorSpi paramsPKIX = (PKIXExtendedParameters)params; } + final Date currentDate = new Date(); + final Date validityDate = CertPathValidatorUtilities.getValidityDate(paramsPKIX, currentDate); + Selector certSelect = paramsPKIX.getTargetConstraints(); if (!(certSelect instanceof X509AttributeCertStoreSelector)) { @@ -115,21 +118,13 @@ public class PKIXAttrCertPathValidatorSpi .getCertificates().get(0); RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX); RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers); - RFC3281CertPathUtilities.processAttrCert5(attrCert, paramsPKIX); + RFC3281CertPathUtilities.processAttrCert5(attrCert, validityDate); // 6 already done in X509AttributeCertStoreSelector RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers); RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttrbiutes, necessaryACAttributes); - Date date = null; - try - { - date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, null, -1); - } - catch (AnnotatedException e) - { - throw new ExtCertPathValidatorException( - "Could not get validity date from attribute certificate.", e); - } - RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, issuerCert, date, certPath.getCertificates(), helper); + + RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, currentDate, validityDate, issuerCert, + certPath.getCertificates(), helper); return result; } } diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCRLUtil.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCRLUtil.java index a49fd9c70..90c1df868 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCRLUtil.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCRLUtil.java @@ -16,18 +16,18 @@ import com.fr.third.org.bouncycastle.jcajce.PKIXCRLStoreSelector; import com.fr.third.org.bouncycastle.util.Store; import com.fr.third.org.bouncycastle.util.StoreException; -class PKIXCRLUtil +abstract class PKIXCRLUtil { - public Set findCRLs(PKIXCRLStoreSelector crlselect, Date validityDate, List certStores, List pkixCrlStores) + static Set findCRLs(PKIXCRLStoreSelector crlselect, Date validityDate, List certStores, List pkixCrlStores) throws AnnotatedException { - Set initialSet = new HashSet(); + HashSet initialSet = new HashSet(); // get complete CRL(s) try { - initialSet.addAll(findCRLs(crlselect, pkixCrlStores)); - initialSet.addAll(findCRLs(crlselect, certStores)); + findCRLs(initialSet, crlselect, pkixCrlStores); + findCRLs(initialSet, crlselect, certStores); } catch (AnnotatedException e) { @@ -45,14 +45,7 @@ class PKIXCRLUtil { X509Certificate cert = crlselect.getCertificateChecking(); - if (cert != null) - { - if (crl.getThisUpdate().before(cert.getNotAfter())) - { - finalSet.add(crl); - } - } - else + if (null == cert || crl.getThisUpdate().before(cert.getNotAfter())) { finalSet.add(crl); } @@ -63,31 +56,26 @@ class PKIXCRLUtil } /** - * Return a Collection of all CRLs found in the X509Store's that are - * matching the crlSelect criteriums. - * - * @param crlSelect a {@link com.fr.third.org.bouncycastle.jcajce.PKIXCRLStoreSelector} object that will be used - * to select the CRLs - * @param crlStores a List containing only - * {@link Store} objects. - * These are used to search for CRLs + * Add to a HashSet any and all CRLs found in the X509Store's that are matching the crlSelect + * critera. * - * @return a Collection of all found {@link java.security.cert.X509CRL X509CRL} objects. May be - * empty but never null
. + * @param crls + * the {@link HashSet} to add the CRLs to. + * @param crlSelect + * a {@link com.fr.third.org.bouncycastle.jcajce.PKIXCRLStoreSelector} object that will be used to + * select the CRLs + * @param crlStores + * a List containing only {@link Store} objects. These are used to search for CRLs */ - private final Collection findCRLs(PKIXCRLStoreSelector crlSelect, - List crlStores) throws AnnotatedException + private static void findCRLs(HashSet crls, PKIXCRLStoreSelector crlSelect, List crlStores) throws AnnotatedException { - Set crls = new HashSet(); - Iterator iter = crlStores.iterator(); - AnnotatedException lastException = null; boolean foundValidStore = false; + Iterator iter = crlStores.iterator(); while (iter.hasNext()) { Object obj = iter.next(); - if (obj instanceof Store) { Store store = (Store)obj; @@ -99,8 +87,7 @@ class PKIXCRLUtil } catch (StoreException e) { - lastException = new AnnotatedException( - "Exception searching in X.509 CRL store.", e); + lastException = new AnnotatedException("Exception searching in X.509 CRL store.", e); } } else @@ -114,16 +101,14 @@ class PKIXCRLUtil } catch (CertStoreException e) { - lastException = new AnnotatedException( - "Exception searching in X.509 CRL store.", e); + lastException = new AnnotatedException("Exception searching in X.509 CRL store.", e); } } } + if (!foundValidStore && lastException != null) { throw lastException; } - return crls; } - } diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java index 528ee55db..ca0086aee 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java @@ -14,6 +14,7 @@ import java.security.cert.PKIXParameters; import java.security.cert.TrustAnchor; import java.security.cert.X509Certificate; import java.util.ArrayList; +import java.util.Date; import java.util.HashSet; import java.util.Iterator; import java.util.List; @@ -111,7 +112,8 @@ public class PKIXCertPathValidatorSpi // // (b) // - // Date validDate = CertPathValidatorUtilities.getValidDate(paramsPKIX); + final Date currentDate = new Date(); + final Date validityDate = CertPathValidatorUtilities.getValidityDate(paramsPKIX, currentDate); // // (c) @@ -330,8 +332,8 @@ public class PKIXCertPathValidatorSpi // 6.1.3 // - RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, revocationChecker, index, workingPublicKey, - verificationAlreadyPerformed, workingIssuerName, sign); + RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, validityDate, revocationChecker, index, + workingPublicKey, verificationAlreadyPerformed, workingIssuerName, sign); RFC3280CertPathUtilities.processCertBC(certPath, index, nameConstraintValidator, isForCRLCheck); diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi_8.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi_8.java index cc131978e..1345d0ecc 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi_8.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi_8.java @@ -15,6 +15,7 @@ import java.security.cert.PKIXRevocationChecker; import java.security.cert.TrustAnchor; import java.security.cert.X509Certificate; import java.util.ArrayList; +import java.util.Date; import java.util.HashSet; import java.util.Iterator; import java.util.List; @@ -118,7 +119,8 @@ public class PKIXCertPathValidatorSpi_8 // // (b) // - // Date validDate = CertPathValidatorUtilities.getValidDate(paramsPKIX); + final Date currentDate = new Date(); + final Date validityDate = CertPathValidatorUtilities.getValidityDate(paramsPKIX, currentDate); // // (c) @@ -348,8 +350,8 @@ public class PKIXCertPathValidatorSpi_8 // 6.1.3 // - RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, revocationChecker, index, workingPublicKey, - verificationAlreadyPerformed, workingIssuerName, sign); + RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, validityDate, revocationChecker, index, + workingPublicKey, verificationAlreadyPerformed, workingIssuerName, sign); RFC3280CertPathUtilities.processCertBC(certPath, index, nameConstraintValidator, isForCRLCheck); diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvCrlRevocationChecker.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvCrlRevocationChecker.java index bb4660cd2..69e867796 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvCrlRevocationChecker.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvCrlRevocationChecker.java @@ -3,6 +3,7 @@ package com.fr.third.org.bouncycastle.jce.provider; import java.security.cert.CertPathValidatorException; import java.security.cert.Certificate; import java.security.cert.X509Certificate; +import java.util.Date; import com.fr.third.org.bouncycastle.jcajce.PKIXCertRevocationChecker; import com.fr.third.org.bouncycastle.jcajce.PKIXCertRevocationCheckerParameters; @@ -12,7 +13,9 @@ class ProvCrlRevocationChecker implements PKIXCertRevocationChecker { private final JcaJceHelper helper; + private PKIXCertRevocationCheckerParameters params; + private Date currentDate = null; public ProvCrlRevocationChecker(JcaJceHelper helper) { @@ -27,6 +30,7 @@ class ProvCrlRevocationChecker public void initialize(PKIXCertRevocationCheckerParameters params) { this.params = params; + this.currentDate = new Date(); } public void init(boolean forForward) @@ -36,6 +40,9 @@ class ProvCrlRevocationChecker { throw new CertPathValidatorException("forward checking not supported"); } + + this.params = null; + this.currentDate = new Date(); } public void check(Certificate certificate) @@ -43,8 +50,9 @@ class ProvCrlRevocationChecker { try { - RFC3280CertPathUtilities.checkCRLs(params, - params.getParamsPKIX(), (X509Certificate)certificate, params.getValidDate(), params.getSigningCert(), params.getWorkingPublicKey(), params.getCertPath().getCertificates(), helper); + RFC3280CertPathUtilities.checkCRLs(params, params.getParamsPKIX(), currentDate, params.getValidDate(), + (X509Certificate)certificate, params.getSigningCert(), params.getWorkingPublicKey(), + params.getCertPath().getCertificates(), helper); } catch (AnnotatedException e) { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvOcspRevocationChecker.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvOcspRevocationChecker.java index 9d50f412b..bdbd31226 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvOcspRevocationChecker.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvOcspRevocationChecker.java @@ -139,7 +139,6 @@ class ProvOcspRevocationChecker public void initialize(PKIXCertRevocationCheckerParameters parameters) { this.parameters = parameters; - this.isEnabledOCSP = Properties.isOverrideSet("ocsp.enable"); this.ocspURL = Properties.getPropertyValue("ocsp.responderURL"); } @@ -156,6 +155,10 @@ class ProvOcspRevocationChecker { throw new CertPathValidatorException("forward checking not supported"); } + + this.parameters = null; + this.isEnabledOCSP = Properties.isOverrideSet("ocsp.enable"); + this.ocspURL = Properties.getPropertyValue("ocsp.responderURL"); } public boolean isForwardCheckingSupported() diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvRevocationChecker.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvRevocationChecker.java index 635ab3bec..716b7e860 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvRevocationChecker.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvRevocationChecker.java @@ -108,7 +108,9 @@ class ProvRevocationChecker public void init(boolean forForward) throws CertPathValidatorException { + this.parameters = null; crlChecker.init(forForward); + ocspChecker.init(forForward); } public boolean isForwardCheckingSupported() diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java index 1dd033896..c274113fa 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java @@ -17,12 +17,12 @@ import java.security.cert.X509Certificate; import java.security.cert.X509Extension; import java.text.SimpleDateFormat; import java.util.ArrayList; -import java.util.Collection; import java.util.Date; import java.util.Enumeration; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; +import java.util.LinkedHashSet; import java.util.List; import java.util.Map; import java.util.Set; @@ -65,8 +65,6 @@ import com.fr.third.org.bouncycastle.util.Arrays; class RFC3280CertPathUtilities { - private static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil(); - private static final Class revChkClass = ClassUtil.loadClass(RFC3280CertPathUtilities.class, "java.security.cert.PKIXRevocationChecker"); /** @@ -472,11 +470,11 @@ class RFC3280CertPathUtilities PKIXCertStoreSelector selector = new PKIXCertStoreSelector.Builder(certSelector).build(); // get CRL signing certs - Collection coll; + LinkedHashSet coll = new LinkedHashSet(); try { - coll = CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertificateStores()); - coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertStores())); + CertPathValidatorUtilities.findCertificates(coll, selector, paramsPKIX.getCertificateStores()); + CertPathValidatorUtilities.findCertificates(coll, selector, paramsPKIX.getCertStores()); } catch (AnnotatedException e) { @@ -1381,6 +1379,7 @@ class RFC3280CertPathUtilities protected static void processCertA( CertPath certPath, PKIXExtendedParameters paramsPKIX, + Date validityDate, PKIXCertRevocationChecker revocationChecker, int index, PublicKey workingPublicKey, @@ -1409,12 +1408,22 @@ class RFC3280CertPathUtilities } } + final Date validCertDate; try { - // (a) (2) - // - cert.checkValidity(CertPathValidatorUtilities - .getValidCertDateFromValidityModel(paramsPKIX, certPath, index)); + validCertDate = CertPathValidatorUtilities.getValidCertDateFromValidityModel(validityDate, + paramsPKIX.getValidityModel(), certPath, index); + } + catch (AnnotatedException e) + { + throw new ExtCertPathValidatorException("Could not validate time of certificate.", e, certPath, index); + } + + // (a) (2) + // + try + { + cert.checkValidity(validCertDate); } catch (CertificateExpiredException e) { @@ -1424,35 +1433,16 @@ class RFC3280CertPathUtilities { throw new ExtCertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index); } - catch (AnnotatedException e) - { - throw new ExtCertPathValidatorException("Could not validate time of certificate.", e, certPath, index); - } // // (a) (3) // if (revocationChecker != null) { + revocationChecker.initialize(new PKIXCertRevocationCheckerParameters(paramsPKIX, validCertDate, certPath, + index, sign, workingPublicKey)); - try - { - Date validDate = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, certPath, index); - - revocationChecker.initialize( - new PKIXCertRevocationCheckerParameters(paramsPKIX, validDate, certPath, index, sign, workingPublicKey)); - - revocationChecker.check(cert); - } - catch (AnnotatedException e) - { - Throwable cause = e; - if (null != e.getCause()) - { - cause = e.getCause(); - } - throw new ExtCertPathValidatorException(e.getMessage(), cause, certPath, index); - } + revocationChecker.check(cert); } // @@ -1641,29 +1631,39 @@ class RFC3280CertPathUtilities } /** - * Checks a distribution point for revocation information for the - * certificatecert
. + * Checks a distribution point for revocation information for the certificatecert
. * - * @param dp The distribution point to consider. - * @param paramsPKIX PKIX parameters. - * @param cert Certificate to check if it is revoked. - * @param validDate The date when the certificate revocation status should be - * checked. - * @param defaultCRLSignCert The issuer certificate of the certificatecert
. - * @param defaultCRLSignKey The public key of the issuer certificate - *defaultCRLSignCert
. - * @param certStatus The current certificate revocation status. - * @param reasonMask The reasons mask which is already checked. - * @param certPathCerts The certificates of the certification path. - * @throws AnnotatedException if the certificate is revoked or the status cannot be checked - * or some error occurs. + * @param dp + * The distribution point to consider. + * @param paramsPKIX + * PKIX parameters. + * @param currentDate + * The date at which this check is being run. + * @param validityDate + * The date when the certificate revocation status should be checked. + * @param cert + * Certificate to check if it is revoked. + * @param defaultCRLSignCert + * The issuer certificate of the certificatecert
. + * @param defaultCRLSignKey + * The public key of the issuer certificatedefaultCRLSignCert
. + * @param certStatus + * The current certificate revocation status. + * @param reasonMask + * The reasons mask which is already checked. + * @param certPathCerts + * The certificates of the certification path. + * @throws AnnotatedException + * if the certificate is revoked or the status cannot be checked or some error + * occurs. */ private static void checkCRL( PKIXCertRevocationCheckerParameters params, DistributionPoint dp, PKIXExtendedParameters paramsPKIX, + Date currentDate, + Date validityDate, X509Certificate cert, - Date validDate, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, CertStatus certStatus, @@ -1672,8 +1672,11 @@ class RFC3280CertPathUtilities JcaJceHelper helper) throws AnnotatedException, RecoverableCertPathValidatorException { - Date currentDate = new Date(System.currentTimeMillis()); - if (validDate.getTime() > currentDate.getTime()) + if (currentDate == null) + { + boolean debug = true; + } + if (validityDate.getTime() > currentDate.getTime()) { throw new AnnotatedException("Validation time is in future."); } @@ -1686,7 +1689,7 @@ class RFC3280CertPathUtilities * getAdditionalStore() */ - Set crls = CertPathValidatorUtilities.getCompleteCRLs(params, dp, cert, currentDate, paramsPKIX); + Set crls = CertPathValidatorUtilities.getCompleteCRLs(params, dp, cert, paramsPKIX, validityDate); boolean validCrlFound = false; AnnotatedException lastException = null; Iterator crl_iter = crls.iterator(); @@ -1719,13 +1722,6 @@ class RFC3280CertPathUtilities X509CRL deltaCRL = null; - Date validityDate = currentDate; - - if (paramsPKIX.getDate() != null) - { - validityDate = paramsPKIX.getDate(); - } - if (paramsPKIX.isUseDeltasEnabled()) { // get delta CRLs @@ -1770,10 +1766,10 @@ class RFC3280CertPathUtilities RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX); // (i) - RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX); + RFC3280CertPathUtilities.processCRLI(validityDate, deltaCRL, cert, certStatus, paramsPKIX); // (j) - RFC3280CertPathUtilities.processCRLJ(validDate, crl, cert, certStatus); + RFC3280CertPathUtilities.processCRLJ(validityDate, crl, cert, certStatus); // (k) if (certStatus.getCertStatus() == CRLReason.removeFromCRL) @@ -1828,21 +1824,30 @@ class RFC3280CertPathUtilities /** * Checks a certificate if it is revoked. * - * @param paramsPKIX PKIX parameters. - * @param cert Certificate to check if it is revoked. - * @param validDate The date when the certificate revocation status should be - * checked. - * @param sign The issuer certificate of the certificatecert
. - * @param workingPublicKey The public key of the issuer certificatesign
. - * @param certPathCerts The certificates of the certification path. - * @throws AnnotatedException if the certificate is revoked or the status cannot be checked - * or some error occurs. + * @param paramsPKIX + * PKIX parameters. + * @param currentDate + * The date at which this check is being run. + * @param validityDate + * The date when the certificate revocation status should be checked. + * @param cert + * Certificate to check if it is revoked. + * @param sign + * The issuer certificate of the certificatecert
. + * @param workingPublicKey + * The public key of the issuer certificatesign
. + * @param certPathCerts + * The certificates of the certification path. + * @throws AnnotatedException + * if the certificate is revoked or the status cannot be checked or some error + * occurs. */ protected static void checkCRLs( PKIXCertRevocationCheckerParameters params, PKIXExtendedParameters paramsPKIX, + Date currentDate, + Date validityDate, X509Certificate cert, - Date validDate, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts, @@ -1864,7 +1869,8 @@ class RFC3280CertPathUtilities PKIXExtendedParameters.Builder paramsBldr = new PKIXExtendedParameters.Builder(paramsPKIX); try { - List extras = CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX.getNamedCRLStoreMap(), validDate, helper); + List extras = CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp, + paramsPKIX.getNamedCRLStoreMap(), validityDate, helper); for (Iterator it = extras.iterator(); it.hasNext();) { paramsBldr.addCRLStore((PKIXCRLStore)it.next()); @@ -1898,7 +1904,8 @@ class RFC3280CertPathUtilities { try { - checkCRL(params, dps[i], finalParams, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts, helper); + checkCRL(params, dps[i], finalParams, currentDate, validityDate, cert, sign, workingPublicKey, + certStatus, reasonsMask, certPathCerts, helper); validCrlFound = true; } catch (AnnotatedException e) @@ -1936,8 +1943,8 @@ class RFC3280CertPathUtilities DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames( new GeneralName(GeneralName.directoryName, issuer))), null, null); PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters)paramsPKIX.clone(); - checkCRL(params, dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, - certPathCerts, helper); + checkCRL(params, dp, paramsPKIXClone, currentDate, validityDate, cert, sign, workingPublicKey, + certStatus, reasonsMask, certPathCerts, helper); validCrlFound = true; } catch (AnnotatedException e) diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3281CertPathUtilities.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3281CertPathUtilities.java index 696dd0cdd..9a7dba30e 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3281CertPathUtilities.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3281CertPathUtilities.java @@ -21,8 +21,8 @@ import java.security.cert.X509CertSelector; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Date; -import java.util.HashSet; import java.util.Iterator; +import java.util.LinkedHashSet; import java.util.List; import java.util.Set; @@ -113,22 +113,24 @@ class RFC3281CertPathUtilities /** * Checks if an attribute certificate is revoked. * - * @param attrCert Attribute certificate to check if it is revoked. - * @param paramsPKIX PKIX parameters. - * @param issuerCert The issuer certificate of the attribute certificate - *attrCert
. - * @param validDate The date when the certificate revocation status should - * be checked. - * @param certPathCerts The certificates of the certification path to be - * checked. + * @param attrCert + * Attribute certificate to check if it is revoked. + * @param paramsPKIX + * PKIX parameters. + * @param validityDate + * The date when the certificate revocation status should be checked. + * @param issuerCert + * The issuer certificate of the attribute certificateattrCert
. + * @param certPathCerts + * The certificates of the certification path to be checked. * - * @throws CertPathValidatorException if the certificate is revoked or the - * status cannot be checked or some error occurs. + * @throws CertPathValidatorException + * if the certificate is revoked or the status cannot be checked or some error + * occurs. */ - protected static void checkCRLs( - X509AttributeCertificate attrCert, - PKIXExtendedParameters paramsPKIX, X509Certificate issuerCert, - Date validDate, List certPathCerts, JcaJceHelper helper) throws CertPathValidatorException + protected static void checkCRLs(X509AttributeCertificate attrCert, PKIXExtendedParameters paramsPKIX, + Date currentDate, Date validityDate, X509Certificate issuerCert, List certPathCerts, JcaJceHelper helper) + throws CertPathValidatorException { if (paramsPKIX.isRevocationEnabled()) { @@ -152,7 +154,8 @@ class RFC3281CertPathUtilities try { - crlStores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX.getNamedCRLStoreMap(), validDate, helper)); + crlStores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp, + paramsPKIX.getNamedCRLStoreMap(), validityDate, helper)); } catch (AnnotatedException e) { @@ -197,10 +200,8 @@ class RFC3281CertPathUtilities PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters)paramsPKIX .clone(); - checkCRL( - dps[i], attrCert, paramsPKIXClone, - validDate, issuerCert, certStatus, reasonsMask, - certPathCerts, helper); + checkCRL(dps[i], attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert, + certStatus, reasonsMask, certPathCerts, helper); validCrlFound = true; } } @@ -245,8 +246,8 @@ class RFC3281CertPathUtilities PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters) paramsPKIX .clone(); - checkCRL(dp, attrCert, paramsPKIXClone, validDate, - issuerCert, certStatus, reasonsMask, certPathCerts, helper); + checkCRL(dp, attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert, certStatus, + reasonsMask, certPathCerts, helper); validCrlFound = true; } catch (AnnotatedException e) @@ -322,13 +323,12 @@ class RFC3281CertPathUtilities } } - protected static void processAttrCert5(X509AttributeCertificate attrCert, - PKIXExtendedParameters pkixParams) throws CertPathValidatorException + protected static void processAttrCert5(X509AttributeCertificate attrCert, Date validityDate) + throws CertPathValidatorException { try { - attrCert.checkValidity(CertPathValidatorUtilities - .getValidDate(pkixParams)); + attrCert.checkValidity(validityDate); } catch (CertificateExpiredException e) { @@ -439,7 +439,7 @@ class RFC3281CertPathUtilities { CertPathBuilderResult result = null; // find holder PKCs - Set holderPKCs = new HashSet(); + LinkedHashSet holderPKCs = new LinkedHashSet(); if (attrCert.getHolder().getIssuer() != null) { X509CertSelector selector = new X509CertSelector(); @@ -454,8 +454,8 @@ class RFC3281CertPathUtilities selector.setIssuer(((X500Principal)principals[i]) .getEncoded()); } - holderPKCs.addAll(CertPathValidatorUtilities - .findCertificates(new PKIXCertStoreSelector.Builder(selector).build(), pkixParams.getCertStores())); + PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build(); + CertPathValidatorUtilities.findCertificates(holderPKCs, certSelect, pkixParams.getCertStores()); } catch (AnnotatedException e) { @@ -488,8 +488,8 @@ class RFC3281CertPathUtilities selector.setIssuer(((X500Principal) principals[i]) .getEncoded()); } - holderPKCs.addAll(CertPathValidatorUtilities - .findCertificates(new PKIXCertStoreSelector.Builder(selector).build(), pkixParams.getCertStores())); + PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build(); + CertPathValidatorUtilities.findCertificates(holderPKCs, certSelect, pkixParams.getCertStores()); } catch (AnnotatedException e) { @@ -557,29 +557,32 @@ class RFC3281CertPathUtilities } /** + * Checks a distribution point for revocation information for the certificate + *attrCert
. * - * Checks a distribution point for revocation information for the - * certificateattrCert
. - * - * @param dp The distribution point to consider. - * @param attrCert The attribute certificate which should be checked. - * @param paramsPKIX PKIX parameters. - * @param validDate The date when the certificate revocation status should - * be checked. - * @param issuerCert Certificate to check if it is revoked. - * @param reasonMask The reasons mask which is already checked. - * @param certPathCerts The certificates of the certification path to be - * checked. - * @throws AnnotatedException if the certificate is revoked or the status - * cannot be checked or some error occurs. + * @param dp + * The distribution point to consider. + * @param attrCert + * The attribute certificate which should be checked. + * @param paramsPKIX + * PKIX parameters. + * @param validDate + * The date when the certificate revocation status should be checked. + * @param issuerCert + * Certificate to check if it is revoked. + * @param reasonMask + * The reasons mask which is already checked. + * @param certPathCerts + * The certificates of the certification path to be checked. + * @throws AnnotatedException + * if the certificate is revoked or the status cannot be checked or some error + * occurs. */ - private static void checkCRL(DistributionPoint dp, - X509AttributeCertificate attrCert, PKIXExtendedParameters paramsPKIX, - Date validDate, X509Certificate issuerCert, CertStatus certStatus, - ReasonsMask reasonMask, List certPathCerts, JcaJceHelper helper) + private static void checkCRL(DistributionPoint dp, X509AttributeCertificate attrCert, + PKIXExtendedParameters paramsPKIX, Date currentDate, Date validityDate, X509Certificate issuerCert, CertStatus certStatus, + ReasonsMask reasonMask, List certPathCerts, JcaJceHelper helper) throws AnnotatedException, RecoverableCertPathValidatorException { - /* * 4.3.6 No Revocation Available * @@ -591,8 +594,8 @@ class RFC3281CertPathUtilities { return; } - Date currentDate = new Date(System.currentTimeMillis()); - if (validDate.getTime() > currentDate.getTime()) + + if (validityDate.getTime() > currentDate.getTime()) { throw new AnnotatedException("Validation time is in future."); } @@ -605,9 +608,9 @@ class RFC3281CertPathUtilities * getAdditionalStore() */ - PKIXCertRevocationCheckerParameters params = new PKIXCertRevocationCheckerParameters(paramsPKIX, validDate, null, -1, issuerCert, null); - Set crls = CertPathValidatorUtilities.getCompleteCRLs(params, dp, attrCert, - currentDate, paramsPKIX); + PKIXCertRevocationCheckerParameters params = new PKIXCertRevocationCheckerParameters(paramsPKIX, validityDate, + null, -1, issuerCert, null); + Set crls = CertPathValidatorUtilities.getCompleteCRLs(params, dp, attrCert, paramsPKIX, validityDate); boolean validCrlFound = false; AnnotatedException lastException = null; Iterator crl_iter = crls.iterator(); @@ -689,12 +692,10 @@ class RFC3281CertPathUtilities RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX); // (i) - RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, - attrCert, certStatus, paramsPKIX); + RFC3280CertPathUtilities.processCRLI(validityDate, deltaCRL, attrCert, certStatus, paramsPKIX); // (j) - RFC3280CertPathUtilities.processCRLJ(validDate, crl, attrCert, - certStatus); + RFC3280CertPathUtilities.processCRLJ(validityDate, crl, attrCert, certStatus); // (k) if (certStatus.getCertStatus() == CRLReason.removeFromCRL) diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/WrappedRevocationChecker.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/WrappedRevocationChecker.java index 8ad1197c5..287cecb1e 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/WrappedRevocationChecker.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/WrappedRevocationChecker.java @@ -23,8 +23,9 @@ class WrappedRevocationChecker } public void initialize(PKIXCertRevocationCheckerParameters params) + throws CertPathValidatorException { - // ignore. + checker.init(false); } public void check(Certificate cert) diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/math/raw/Mod.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/math/raw/Mod.java index f7048b022..2efe9030d 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/math/raw/Mod.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/math/raw/Mod.java @@ -69,7 +69,6 @@ public abstract class Mod int bits = (len32 << 5) - Integers.numberOfLeadingZeros(m[len32 - 1]); int len30 = (bits + 29) / 30; - int m0Inv30x4 = -inverse32(m[0]) << 2; int[] t = new int[4]; int[] D = new int[len30]; @@ -84,28 +83,25 @@ public abstract class Mod System.arraycopy(M, 0, F, 0, len30); int eta = -1; + int m0Inv32 = inverse32(M[0]); int maxDivsteps = getMaximumDivsteps(bits); for (int divSteps = 0; divSteps < maxDivsteps; divSteps += 30) { eta = divsteps30(eta, F[0], G[0], t); - updateDE30(len30, D, E, t, m0Inv30x4, M); + updateDE30(len30, D, E, t, m0Inv32, M); updateFG30(len30, F, G, t); } int signF = F[len30 - 1] >> 31; -// assert -1 == signF | 0 == signF; - cnegate30(len30, signF, F); - int signD = cnegate30(len30, signF, D); -// assert -1 == signD | 0 == signD; - - // TODO 'D' should already be in [P, -P), but absent a proof we support [-2P, 2P) - signD = csub30(len30, ~signD, D, M); - signD = cadd30(len30, signD, D, M); - signD = cadd30(len30, signD, D, M); -// assert 0 == signD; + /* + * D is in the range (-2.M, M). First, conditionally add M if D is negative, to bring it + * into the range (-M, M). Then normalize by conditionally negating (according to signF) + * and/or then adding M, to bring it into the range [0, M). + */ + cnormalize30(len30, signF, D, M); decode30(bits, D, 0, z, 0); // assert 0 != Nat.lessThan(len32, z, m); @@ -122,7 +118,6 @@ public abstract class Mod int bits = (len32 << 5) - Integers.numberOfLeadingZeros(m[len32 - 1]); int len30 = (bits + 29) / 30; - int m0Inv30x4 = -inverse32(m[0]) << 2; int[] t = new int[4]; int[] D = new int[len30]; @@ -139,6 +134,7 @@ public abstract class Mod int clzG = Integers.numberOfLeadingZeros(G[len30 - 1] | 1) - (len30 * 30 + 2 - bits); int eta = -1 - clzG; int lenDE = len30, lenFG = len30; + int m0Inv32 = inverse32(M[0]); int maxDivsteps = getMaximumDivsteps(bits); int divsteps = 0; @@ -152,7 +148,7 @@ public abstract class Mod divsteps += 30; eta = divsteps30Var(eta, F[0], G[0], t); - updateDE30(lenDE, D, E, t, m0Inv30x4, M); + updateDE30(lenDE, D, E, t, m0Inv32, M); updateFG30(lenFG, F, G, t); int fn = F[lenFG - 1]; @@ -171,34 +167,32 @@ public abstract class Mod } int signF = F[lenFG - 1] >> 31; -// assert -1 == signF || 0 == signF; - if (0 != signF) + /* + * D is in the range (-2.M, M). First, conditionally add M if D is negative, to bring it + * into the range (-M, M). Then normalize by conditionally negating (according to signF) + * and/or then adding M, to bring it into the range [0, M). + */ + int signD = D[lenDE - 1] >> 31; + if (signD < 0) + { + signD = add30(lenDE, D, M); + } + if (signF < 0) { - negate30(lenFG, F); - negate30(lenDE, D); + signD = negate30(lenDE, D); + signF = negate30(lenFG, F); } +// assert 0 == signF; if (!Nat.isOne(lenFG, F)) { return false; } - int signD = D[lenDE - 1] >> 31; -// assert -1 == signD || 0 == signD; - - // TODO 'D' should already be in [P, -P), but absent a proof we support [-2P, 2P) - if (signD < 0) - { - signD = add30(len30, D, M); - } - else - { - signD = sub30(len30, D, M); - } if (signD < 0) { - signD = add30(len30, D, M); + signD = add30(lenDE, D, M); } // assert 0 == signD; @@ -262,24 +256,7 @@ public abstract class Mod return c; } - private static int cadd30(int len30, int cond, int[] D, int[] M) - { -// assert len30 > 0; -// assert D.length >= len30; -// assert M.length >= len30; - - int c = 0, last = len30 - 1; - for (int i = 0; i < last; ++i) - { - c += D[i] + (M[i] & cond); - D[i] = c & M30; c >>= 30; - } - c += D[last] + (M[last] & cond); - D[last] = c; c >>= 30; - return c; - } - - private static int cnegate30(int len30, int cond, int[] D) + private static void cnegate30(int len30, int cond, int[] D) { // assert len30 > 0; // assert D.length >= len30; @@ -291,25 +268,45 @@ public abstract class Mod D[i] = c & M30; c >>= 30; } c += (D[last] ^ cond) - cond; - D[last] = c; c >>= 30; - return c; + D[last] = c; } - private static int csub30(int len30, int cond, int[] D, int[] M) + private static void cnormalize30(int len30, int condNegate, int[] D, int[] M) { // assert len30 > 0; // assert D.length >= len30; // assert M.length >= len30; - int c = 0, last = len30 - 1; - for (int i = 0; i < last; ++i) + int last = len30 - 1; + { - c += D[i] - (M[i] & cond); - D[i] = c & M30; c >>= 30; + int c = 0, condAdd = D[last] >> 31; + for (int i = 0; i < last; ++i) + { + int di = D[i] + (M[i] & condAdd); + di = (di ^ condNegate) - condNegate; + c += di; D[i] = c & M30; c >>= 30; + } + { + int di = D[last] + (M[last] & condAdd); + di = (di ^ condNegate) - condNegate; + c += di; D[last] = c; + } + } + + { + int c = 0, condAdd = D[last] >> 31; + for (int i = 0; i < last; ++i) + { + int di = D[i] + (M[i] & condAdd); + c += di; D[i] = c & M30; c >>= 30; + } + { + int di = D[last] + (M[last] & condAdd); + c += di; D[last] = c; + } +// assert c >> 30 == 0; } - c += D[last] - (M[last] & cond); - D[last] = c; c >>= 30; - return c; } private static void decode30(int bits, int[] x, int xOff, int[] z, int zOff) @@ -484,46 +481,46 @@ public abstract class Mod return c; } - private static int sub30(int len30, int[] D, int[] M) - { -// assert len30 > 0; -// assert D.length >= len30; -// assert M.length >= len30; - - int c = 0, last = len30 - 1; - for (int i = 0; i < last; ++i) - { - c += D[i] - M[i]; - D[i] = c & M30; c >>= 30; - } - c += D[last] - M[last]; - D[last] = c; c >>= 30; - return c; - } - - private static void updateDE30(int len30, int[] D, int[] E, int[] t, int m0Inv30x4, int[] M) + private static void updateDE30(int len30, int[] D, int[] E, int[] t, int m0Inv32, int[] M) { // assert len30 > 0; // assert D.length >= len30; // assert E.length >= len30; // assert M.length >= len30; -// assert m0Inv30x4 * M[0] == -1 << 2; +// assert m0Inv32 * M[0] == 1; final int u = t[0], v = t[1], q = t[2], r = t[3]; - int di, ei, i, md, me; + int di, ei, i, md, me, mi, sd, se; long cd, ce; + /* + * We accept D (E) in the range (-2.M, M) and conceptually add the modulus to the input + * value if it is initially negative. Instead of adding it explicitly, we add u and/or v (q + * and/or r) to md (me). + */ + sd = D[len30 - 1] >> 31; + se = E[len30 - 1] >> 31; + + md = (u & sd) + (v & se); + me = (q & sd) + (r & se); + + mi = M[0]; di = D[0]; ei = E[0]; cd = (long)u * di + (long)v * ei; ce = (long)q * di + (long)r * ei; - md = (m0Inv30x4 * (int)cd) >> 2; - me = (m0Inv30x4 * (int)ce) >> 2; + /* + * Subtract from md/me an extra term in the range [0, 2^30) such that the low 30 bits of the + * intermediate D/E values will be 0, allowing clean division by 2^30. The final D/E are + * thus in the range (-2.M, M), consistent with the input constraint. + */ + md -= (m0Inv32 * (int)cd + md) & M30; + me -= (m0Inv32 * (int)ce + me) & M30; - cd += (long)M[0] * md; - ce += (long)M[0] * me; + cd += (long)mi * md; + ce += (long)mi * me; // assert ((int)cd & M30) == 0; // assert ((int)ce & M30) == 0; @@ -533,14 +530,12 @@ public abstract class Mod for (i = 1; i < len30; ++i) { + mi = M[i]; di = D[i]; ei = E[i]; - cd += (long)u * di + (long)v * ei; - ce += (long)q * di + (long)r * ei; - - cd += (long)M[i] * md; - ce += (long)M[i] * me; + cd += (long)u * di + (long)v * ei + (long)mi * md; + ce += (long)q * di + (long)r * ei + (long)mi * me; D[i - 1] = (int)cd & M30; cd >>= 30; E[i - 1] = (int)ce & M30; ce >>= 30; diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/ntru/NTRUSigner.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/ntru/NTRUSigner.java index 5e76ce2ff..7748fa76e 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/ntru/NTRUSigner.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/ntru/NTRUSigner.java @@ -10,8 +10,8 @@ import com.fr.third.org.bouncycastle.pqc.math.ntru.polynomial.Polynomial; /** * Signs, verifies data and generates key pairs. * @deprecated the NTRUSigner algorithm was broken in 2012 by Ducas and Nguyen. See -* -* http://www.di.ens.fr/~ducas/NTRUSign_Cryptanalysis/DucasNguyen_Learning.pdf +* +* https://www.di.ens.fr/~ducas/NTRUSign_Cryptanalysis/DucasNguyen_Learning.pdf * for details. */ public class NTRUSigner diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/Layer.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/Layer.java index bdf5cc636..0cf450a57 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/Layer.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/Layer.java @@ -20,7 +20,7 @@ import com.fr.third.org.bouncycastle.util.Arrays; ** More information about the layer can be found in the paper of Jintai Ding, * Dieter Schmidt: Rainbow, a New Multivariable Polynomial Signature Scheme. - * ACNS 2005: 164-175 (http://dx.doi.org/10.1007/11496137_12) + * ACNS 2005: 164-175 (https://dx.doi.org/10.1007/11496137_12) */ public class Layer { diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowKeyPairGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowKeyPairGenerator.java index de79fdce8..ab89b7694 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowKeyPairGenerator.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowKeyPairGenerator.java @@ -16,7 +16,7 @@ import com.fr.third.org.bouncycastle.pqc.crypto.rainbow.util.GF2Field; *
* Detailed information about the key generation is to be found in the paper of * Jintai Ding, Dieter Schmidt: Rainbow, a New Multivariable Polynomial - * Signature Scheme. ACNS 2005: 164-175 (http://dx.doi.org/10.1007/11496137_12) + * Signature Scheme. ACNS 2005: 164-175 (https://dx.doi.org/10.1007/11496137_12) */ public class RainbowKeyPairGenerator implements AsymmetricCipherKeyPairGenerator diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowSigner.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowSigner.java index 37447d1e2..0842f368d 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowSigner.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowSigner.java @@ -17,7 +17,7 @@ import com.fr.third.org.bouncycastle.pqc.crypto.rainbow.util.GF2Field; * Detailed information about the signature and the verify-method is to be found * in the paper of Jintai Ding, Dieter Schmidt: Rainbow, a New Multivariable * Polynomial Signature Scheme. ACNS 2005: 164-175 - * (http://dx.doi.org/10.1007/11496137_12) + * (https://dx.doi.org/10.1007/11496137_12) */ public class RainbowSigner implements MessageSigner diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/mceliece/McEliecePKCSCipherSpi.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/mceliece/McEliecePKCSCipherSpi.java index 37c952f77..41a459d57 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/mceliece/McEliecePKCSCipherSpi.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/mceliece/McEliecePKCSCipherSpi.java @@ -66,7 +66,7 @@ public class McEliecePKCSCipherSpi } catch (Exception e) { - e.printStackTrace(); + throw new IllegalBlockSizeException(e.getMessage()); } return output; } @@ -81,7 +81,7 @@ public class McEliecePKCSCipherSpi } catch (Exception e) { - e.printStackTrace(); + throw new IllegalBlockSizeException(e.getMessage()); } return output; } diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPrivateKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPrivateKey.java index c6aacb97d..d022be569 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPrivateKey.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPrivateKey.java @@ -25,7 +25,7 @@ import com.fr.third.org.bouncycastle.pqc.jcajce.spec.RainbowPrivateKeySpec; *
* More detailed information about the private key is to be found in the paper * of Jintai Ding, Dieter Schmidt: Rainbow, a New Multivariable Polynomial - * Signature Scheme. ACNS 2005: 164-175 (http://dx.doi.org/10.1007/11496137_12) + * Signature Scheme. ACNS 2005: 164-175 (https://dx.doi.org/10.1007/11496137_12) *
*/ public class BCRainbowPrivateKey diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPublicKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPublicKey.java index 5fdedb111..2a6904fdf 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPublicKey.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPublicKey.java @@ -27,7 +27,7 @@ import com.fr.third.org.bouncycastle.util.Arrays; ** More detailed information on the public key is to be found in the paper of * Jintai Ding, Dieter Schmidt: Rainbow, a New Multivariable Polynomial - * Signature Scheme. ACNS 2005: 164-175 (http://dx.doi.org/10.1007/11496137_12) + * Signature Scheme. ACNS 2005: 164-175 (https://dx.doi.org/10.1007/11496137_12) *
*/ public class BCRainbowPublicKey diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/spec/RainbowParameterSpec.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/spec/RainbowParameterSpec.java index d62852292..55196e2b3 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/spec/RainbowParameterSpec.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/spec/RainbowParameterSpec.java @@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.util.Arrays; * More detailed information about the needed parameters for the Rainbow * Signature Scheme is to be found in the paper of Jintai Ding, Dieter Schmidt: * Rainbow, a New Multivariable Polynomial Signature Scheme. ACNS 2005: 164-175 - * (http://dx.doi.org/10.1007/11496137_12) + * (https://dx.doi.org/10.1007/11496137_12) *null
. */ - private final Collection findCRLs(X509CRLStoreSelector crlSelect, - List crlStores) throws AnnotatedException + private static void findCRLs(HashSet crls, X509CRLStoreSelector crlSelect, List crlStores) throws AnnotatedException { - Set crls = new HashSet(); - Iterator iter = crlStores.iterator(); - AnnotatedException lastException = null; boolean foundValidStore = false; + Iterator iter = crlStores.iterator(); while (iter.hasNext()) { Object obj = iter.next(); - if (obj instanceof X509Store) { X509Store store = (X509Store)obj; - try { crls.addAll(store.getMatches(crlSelect)); @@ -123,14 +62,12 @@ class PKIXCRLUtil } catch (StoreException e) { - lastException = new AnnotatedException( - "Exception searching in X.509 CRL store.", e); + lastException = new AnnotatedException("Exception searching in X.509 CRL store.", e); } } else { CertStore store = (CertStore)obj; - try { crls.addAll(store.getCRLs(crlSelect)); @@ -138,8 +75,7 @@ class PKIXCRLUtil } catch (CertStoreException e) { - lastException = new AnnotatedException( - "Exception searching in X.509 CRL store.", e); + lastException = new AnnotatedException("Exception searching in X.509 CRL store.", e); } } } @@ -147,7 +83,5 @@ class PKIXCRLUtil { throw lastException; } - return crls; } - -} \ No newline at end of file +} diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCertPathReviewer.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCertPathReviewer.java index 5d891968d..38a83a50c 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCertPathReviewer.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCertPathReviewer.java @@ -75,6 +75,7 @@ import com.fr.third.org.bouncycastle.jce.provider.PKIXNameConstraintValidator; import com.fr.third.org.bouncycastle.jce.provider.PKIXNameConstraintValidatorException; import com.fr.third.org.bouncycastle.jce.provider.PKIXPolicyNode; import com.fr.third.org.bouncycastle.util.Integers; +import com.fr.third.org.bouncycastle.util.Objects; /** * PKIXCertPathReviewer
@@ -95,6 +96,7 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities protected PKIXParameters pkixParams; + protected Date currentDate; protected Date validDate; // state variables @@ -152,7 +154,8 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities // b) - validDate = getValidDate(pkixParams); + currentDate = new Date(); + validDate = getValidityDate(pkixParams, currentDate); // c) part of pkixParams @@ -699,7 +702,7 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities // validation date { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certPathValidDate", - new Object[] {new TrustedInput(validDate), new TrustedInput(new Date())}); + new Object[] {new TrustedInput(validDate), new TrustedInput(currentDate)}); addNotification(msg); } @@ -2044,13 +2047,13 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities Iterator crl_iter; try { - Collection crl_coll = CRL_UTIL.findCRLs(crlselect, paramsPKIX); + Collection crl_coll = PKIXCRLUtil.findCRLs(crlselect, paramsPKIX); crl_iter = crl_coll.iterator(); if (crl_coll.isEmpty()) { - // notifcation - no local crls found - crl_coll = CRL_UTIL.findCRLs(new X509CRLStoreSelector(),paramsPKIX); + // notification - no local crls found + crl_coll = PKIXCRLUtil.findCRLs(new X509CRLStoreSelector(),paramsPKIX); Iterator it = crl_coll.iterator(); List nonMatchingCrlNames = new ArrayList(); while (it.hasNext()) @@ -2065,7 +2068,6 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities Integers.valueOf(numbOfCrls)}); addNotification(msg,index); } - } catch (AnnotatedException ae) { @@ -2074,35 +2076,35 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities addError(msg,index); crl_iter = new ArrayList().iterator(); } + boolean validCrlFound = false; X509CRL crl = null; while (crl_iter.hasNext()) { crl = (X509CRL)crl_iter.next(); - - if (crl.getNextUpdate() == null - || paramsPKIX.getDate().before(crl.getNextUpdate())) + + Date thisUpdate = crl.getThisUpdate(); + Date nextUpdate = crl.getNextUpdate(); + Object[] arguments = new Object[]{ new TrustedInput(thisUpdate), new TrustedInput(nextUpdate) }; + + if (nextUpdate == null || validDate.before(crl.getNextUpdate())) { validCrlFound = true; - ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, - "CertPathReviewer.localValidCRL", - new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())}); + ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.localValidCRL", arguments); addNotification(msg,index); break; } - else - { - ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, - "CertPathReviewer.localInvalidCRL", - new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())}); - addNotification(msg,index); - } + + ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.localInvalidCRL", arguments); + addNotification(msg,index); } - + // if no valid crl was found in the CertStores try to get one from a // crl distribution point if (!validCrlFound) { + X500Principal certIssuer = cert.getIssuerX500Principal(); + X509CRL onlineCRL = null; Iterator urlIt = crlDistPointUrls.iterator(); while (urlIt.hasNext()) @@ -2113,40 +2115,36 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities onlineCRL = getCRL(location); if (onlineCRL != null) { + X500Principal crlIssuer = onlineCRL.getIssuerX500Principal(); + // check if crl issuer is correct - if (!cert.getIssuerX500Principal().equals(onlineCRL.getIssuerX500Principal())) + if (!certIssuer.equals(crlIssuer)) { - ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, - "CertPathReviewer.onlineCRLWrongCA", - new Object[] {new UntrustedInput(onlineCRL.getIssuerX500Principal().getName()), - new UntrustedInput(cert.getIssuerX500Principal().getName()), - new UntrustedUrlInput(location)}); + ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineCRLWrongCA", + new Object[]{ new UntrustedInput(crlIssuer.getName()), new UntrustedInput(certIssuer.getName()), + new UntrustedUrlInput(location) }); addNotification(msg,index); continue; } - - if (onlineCRL.getNextUpdate() == null - || pkixParams.getDate().before(onlineCRL.getNextUpdate())) + + Date thisUpdate = onlineCRL.getThisUpdate(); + Date nextUpdate = onlineCRL.getNextUpdate(); + Object[] arguments = new Object[]{ new TrustedInput(thisUpdate), new TrustedInput(nextUpdate), + new UntrustedUrlInput(location) }; + + if (nextUpdate == null || validDate.before(nextUpdate)) { validCrlFound = true; - ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, - "CertPathReviewer.onlineValidCRL", - new Object[] {new TrustedInput(onlineCRL.getThisUpdate()), - new TrustedInput(onlineCRL.getNextUpdate()), - new UntrustedUrlInput(location)}); - addNotification(msg,index); + ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineValidCRL", + arguments); + addNotification(msg, index); crl = onlineCRL; break; } - else - { - ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, - "CertPathReviewer.onlineInvalidCRL", - new Object[] {new TrustedInput(onlineCRL.getThisUpdate()), - new TrustedInput(onlineCRL.getNextUpdate()), - new UntrustedUrlInput(location)}); - addNotification(msg,index); - } + + ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineInvalidCRL", + arguments); + addNotification(msg, index); } } catch (CertPathReviewerException cpre) @@ -2242,11 +2240,12 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities // // warn if a new crl is available // - if (crl.getNextUpdate() != null && crl.getNextUpdate().before(pkixParams.getDate())) + Date nextUpdate = crl.getNextUpdate(); + if (!(nextUpdate == null || validDate.before(nextUpdate))) { - ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlUpdateAvailable", - new Object[] {new TrustedInput(crl.getNextUpdate())}); - addNotification(msg,index); + ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlUpdateAvailable", + new Object[]{ new TrustedInput(nextUpdate) }); + addNotification(msg, index); } // @@ -2302,7 +2301,7 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities Iterator it; try { - it = CRL_UTIL.findCRLs(baseSelect, paramsPKIX).iterator(); + it = PKIXCRLUtil.findCRLs(baseSelect, paramsPKIX).iterator(); } catch (AnnotatedException ae) { @@ -2323,25 +2322,14 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.distrPtExtError"); throw new CertPathReviewerException(msg,ae); } - - if (idp == null) - { - if (baseIdp == null) - { - foundBase = true; - break; - } - } - else + + if (Objects.areEqual(idp, baseIdp)) { - if (idp.equals(baseIdp)) - { - foundBase = true; - break; - } + foundBase = true; + break; } } - + if (!foundBase) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noBaseCRL"); @@ -2388,7 +2376,6 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noValidCrlFound"); throw new CertPathReviewerException(msg); } - } protected Vector getCRLDistUrls(CRLDistPoint crlDistPoints) diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/util/LDAPStoreHelper.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/util/LDAPStoreHelper.java index 6074a4b7b..b7ef10c4a 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/util/LDAPStoreHelper.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/util/LDAPStoreHelper.java @@ -56,7 +56,7 @@ import com.fr.third.org.bouncycastle.x509.X509CertificatePair; ** For the used schemes see: *