Example 11 with ASN1Set
use of com.android.org.bouncycastle.asn1.ASN1Set in project xipki by xipki.
the class ImportCrl method importEntries.
private void importEntries(Connection conn, int caId) throws DataAccessException, ImportCrlException {
AtomicLong maxId = new AtomicLong(datasource.getMax(conn, "CERT", "ID"));
// import the revoked information
Set<? extends X509CRLEntry> revokedCertList = crl.getRevokedCertificates();
if (revokedCertList != null) {
for (X509CRLEntry c : revokedCertList) {
X500Principal issuer = c.getCertificateIssuer();
BigInteger serial = c.getSerialNumber();
if (issuer != null) {
if (!x500PrincipalCaSubject.equals(issuer)) {
throw new ImportCrlException("invalid CRLEntry for certificate number " + serial);
}
}
Date rt = c.getRevocationDate();
Date rit = null;
byte[] extnValue = c.getExtensionValue(Extension.invalidityDate.getId());
if (extnValue != null) {
extnValue = extractCoreValue(extnValue);
ASN1GeneralizedTime genTime = DERGeneralizedTime.getInstance(extnValue);
try {
rit = genTime.getDate();
} catch (ParseException ex) {
throw new ImportCrlException(ex.getMessage(), ex);
}
if (rt.equals(rit)) {
rit = null;
}
}
CrlReason reason = CrlReason.fromReason(c.getRevocationReason());
String sql = null;
try {
if (reason == CrlReason.REMOVE_FROM_CRL) {
if (!isDeltaCrl) {
LOG.warn("ignore CRL entry with reason removeFromCRL in non-Delta CRL");
}
// delete the entry
sql = SQL_DELETE_CERT;
psDeleteCert.setInt(1, caId);
psDeleteCert.setString(2, serial.toString(16));
psDeleteCert.executeUpdate();
continue;
}
Long id = getId(caId, serial);
PreparedStatement ps;
int offset = 1;
if (id == null) {
sql = SQL_INSERT_CERT_REV;
id = maxId.incrementAndGet();
ps = psInsertCertRev;
ps.setLong(offset++, id);
ps.setInt(offset++, caId);
ps.setString(offset++, serial.toString(16));
} else {
sql = SQL_UPDATE_CERT_REV;
ps = psUpdateCertRev;
}
ps.setInt(offset++, 1);
ps.setInt(offset++, reason.getCode());
ps.setLong(offset++, rt.getTime() / 1000);
if (rit != null) {
ps.setLong(offset++, rit.getTime() / 1000);
} else {
ps.setNull(offset++, Types.BIGINT);
}
ps.setLong(offset++, System.currentTimeMillis() / 1000);
if (ps == psUpdateCertRev) {
ps.setLong(offset++, id);
}
ps.executeUpdate();
} catch (SQLException ex) {
throw datasource.translate(sql, ex);
}
}
}
// import the certificates
// extract the certificate
byte[] extnValue = crl.getExtensionValue(ObjectIdentifiers.id_xipki_ext_crlCertset.getId());
if (extnValue != null) {
extnValue = extractCoreValue(extnValue);
ASN1Set asn1Set = DERSet.getInstance(extnValue);
final int n = asn1Set.size();
for (int i = 0; i < n; i++) {
ASN1Encodable asn1 = asn1Set.getObjectAt(i);
ASN1Sequence seq = ASN1Sequence.getInstance(asn1);
BigInteger serialNumber = ASN1Integer.getInstance(seq.getObjectAt(0)).getValue();
Certificate cert = null;
String profileName = null;
final int size = seq.size();
for (int j = 1; j < size; j++) {
ASN1TaggedObject taggedObj = DERTaggedObject.getInstance(seq.getObjectAt(j));
int tagNo = taggedObj.getTagNo();
switch(tagNo) {
case 0:
cert = Certificate.getInstance(taggedObj.getObject());
break;
case 1:
profileName = DERUTF8String.getInstance(taggedObj.getObject()).getString();
break;
default:
break;
}
}
if (cert == null) {
continue;
}
if (!caSubject.equals(cert.getIssuer())) {
LOG.warn("issuer not match (serial={}) in CRL Extension Xipki-CertSet, ignore it", LogUtil.formatCsn(serialNumber));
continue;
}
if (!serialNumber.equals(cert.getSerialNumber().getValue())) {
LOG.warn("serialNumber not match (serial={}) in CRL Extension Xipki-CertSet, ignore it", LogUtil.formatCsn(serialNumber));
continue;
}
String certLogId = "(issuer='" + cert.getIssuer() + "', serialNumber=" + cert.getSerialNumber() + ")";
addCertificate(maxId, caId, cert, profileName, certLogId);
}
} else {
// cert dirs
File certsDir = new File(certsDirName);
if (!certsDir.exists()) {
LOG.warn("the folder {} does not exist, ignore it", certsDirName);
return;
}
if (!certsDir.isDirectory()) {
LOG.warn("the path {} does not point to a folder, ignore it", certsDirName);
return;
}
if (!certsDir.canRead()) {
LOG.warn("the folder {} must not be read, ignore it", certsDirName);
return;
}
File[] certFiles = certsDir.listFiles(new FilenameFilter() {
@Override
public boolean accept(File dir, String name) {
return name.endsWith(".der") || name.endsWith(".crt");
}
});
if (certFiles == null || certFiles.length == 0) {
return;
}
for (File certFile : certFiles) {
Certificate cert;
try {
byte[] encoded = IoUtil.read(certFile);
cert = Certificate.getInstance(encoded);
} catch (IllegalArgumentException | IOException ex) {
LOG.warn("could not parse certificate {}, ignore it", certFile.getPath());
continue;
}
String certLogId = "(file " + certFile.getName() + ")";
addCertificate(maxId, caId, cert, null, certLogId);
}
}
}
Also used :
SQLException(java.sql.SQLException)
ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject)
ASN1GeneralizedTime(org.bouncycastle.asn1.ASN1GeneralizedTime)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
FilenameFilter(java.io.FilenameFilter)
X509CRLEntry(java.security.cert.X509CRLEntry)
CrlReason(org.xipki.security.CrlReason)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
PreparedStatement(java.sql.PreparedStatement)
IOException(java.io.IOException)
Date(java.util.Date)
AtomicLong(java.util.concurrent.atomic.AtomicLong)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
ASN1Set(org.bouncycastle.asn1.ASN1Set)
AtomicLong(java.util.concurrent.atomic.AtomicLong)
X500Principal(javax.security.auth.x500.X500Principal)
BigInteger(java.math.BigInteger)
ParseException(java.text.ParseException)
File(java.io.File)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
TBSCertificate(org.bouncycastle.asn1.x509.TBSCertificate)
Example 12 with ASN1Set
use of com.android.org.bouncycastle.asn1.ASN1Set in project xipki by xipki.
the class X509SelfSignedCertBuilder method generateCertificate.
// method generateSelfSigned
private static X509Certificate generateCertificate(ConcurrentContentSigner signer, IdentifiedX509Certprofile certprofile, CertificationRequest csr, BigInteger serialNumber, SubjectPublicKeyInfo publicKeyInfo, List<String> caCertUris, List<String> ocspUris, List<String> crlUris, List<String> deltaCrlUris, ConfPairs extraControl) throws OperationException {
SubjectPublicKeyInfo tmpPublicKeyInfo;
try {
tmpPublicKeyInfo = X509Util.toRfc3279Style(publicKeyInfo);
} catch (InvalidKeySpecException ex) {
LOG.warn("SecurityUtil.toRfc3279Style", ex);
throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
}
try {
certprofile.checkPublicKey(tmpPublicKeyInfo);
} catch (BadCertTemplateException ex) {
LOG.warn("certprofile.checkPublicKey", ex);
throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
}
X500Name requestedSubject = csr.getCertificationRequestInfo().getSubject();
SubjectInfo subjectInfo;
// subject
try {
subjectInfo = certprofile.getSubject(requestedSubject);
} catch (CertprofileException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, "exception in cert profile " + certprofile.getIdent());
} catch (BadCertTemplateException ex) {
LOG.warn("certprofile.getSubject", ex);
throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
}
Date notBefore = certprofile.getNotBefore(null);
if (notBefore == null) {
notBefore = new Date();
}
CertValidity validity = certprofile.getValidity();
if (validity == null) {
throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "no validity specified in the profile " + certprofile.getIdent());
}
Date notAfter = validity.add(notBefore);
X500Name grantedSubject = subjectInfo.getGrantedSubject();
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(grantedSubject, serialNumber, notBefore, notAfter, grantedSubject, tmpPublicKeyInfo);
PublicCaInfo publicCaInfo = new PublicCaInfo(grantedSubject, serialNumber, null, null, caCertUris, ocspUris, crlUris, deltaCrlUris, extraControl);
Extensions extensions = null;
ASN1Set attrs = csr.getCertificationRequestInfo().getAttributes();
for (int i = 0; i < attrs.size(); i++) {
Attribute attr = Attribute.getInstance(attrs.getObjectAt(i));
if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
extensions = Extensions.getInstance(attr.getAttributeValues()[0]);
}
}
try {
addExtensions(certBuilder, certprofile, requestedSubject, grantedSubject, extensions, tmpPublicKeyInfo, publicCaInfo, notBefore, notAfter);
ConcurrentBagEntrySigner signer0 = signer.borrowSigner();
X509CertificateHolder certHolder;
try {
certHolder = certBuilder.build(signer0.value());
} finally {
signer.requiteSigner(signer0);
}
Certificate bcCert = certHolder.toASN1Structure();
return X509Util.parseCert(bcCert.getEncoded());
} catch (BadCertTemplateException ex) {
throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
} catch (NoIdleSignerException | CertificateException | IOException | CertprofileException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
}
}
Also used :
CertValidity(org.xipki.ca.api.profile.CertValidity)
Attribute(org.bouncycastle.asn1.pkcs.Attribute)
SubjectInfo(org.xipki.ca.api.profile.x509.SubjectInfo)
CertificateException(java.security.cert.CertificateException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
IOException(java.io.IOException)
Extensions(org.bouncycastle.asn1.x509.Extensions)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
PublicCaInfo(org.xipki.ca.api.PublicCaInfo)
ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner)
Date(java.util.Date)
ASN1Set(org.bouncycastle.asn1.ASN1Set)
CertprofileException(org.xipki.ca.api.profile.CertprofileException)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
OperationException(org.xipki.ca.api.OperationException)
X509Certificate(java.security.cert.X509Certificate)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Example 13 with ASN1Set
use of com.android.org.bouncycastle.asn1.ASN1Set in project xipki by xipki.
the class CaUtil method getExtensions.
public static Extensions getExtensions(CertificationRequestInfo csr) {
ParamUtil.requireNonNull("csr", csr);
ASN1Set attrs = csr.getAttributes();
for (int i = 0; i < attrs.size(); i++) {
Attribute attr = Attribute.getInstance(attrs.getObjectAt(i));
if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
return Extensions.getInstance(attr.getAttributeValues()[0]);
}
}
return null;
}
Also used :
ASN1Set(org.bouncycastle.asn1.ASN1Set)
Attribute(org.bouncycastle.asn1.pkcs.Attribute)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
Example 14 with ASN1Set
use of com.android.org.bouncycastle.asn1.ASN1Set in project xipki by xipki.
the class ScepUtil method getCrlFromPkiMessage.
// method getCertsFromSignedData
public static X509CRL getCrlFromPkiMessage(SignedData signedData) throws CRLException {
requireNonNull("signedData", signedData);
ASN1Set set = signedData.getCRLs();
if (set == null || set.size() == 0) {
return null;
}
try {
CertificateList cl = CertificateList.getInstance(set.getObjectAt(0));
return ScepUtil.toX509Crl(cl);
} catch (IllegalArgumentException | CertificateException | CRLException ex) {
throw new CRLException(ex);
}
}
Also used :
ASN1Set(org.bouncycastle.asn1.ASN1Set)
CertificateList(org.bouncycastle.asn1.x509.CertificateList)
CertificateException(java.security.cert.CertificateException)
CRLException(java.security.cert.CRLException)
Example 15 with ASN1Set
use of com.android.org.bouncycastle.asn1.ASN1Set in project xipki by xipki.
the class ExtractCertFromCrlCmd method execute0.
@Override
protected Object execute0() throws Exception {
X509CRL crl = X509Util.parseCrl(crlFile);
String oidExtnCerts = ObjectIdentifiers.id_xipki_ext_crlCertset.getId();
byte[] extnValue = crl.getExtensionValue(oidExtnCerts);
if (extnValue == null) {
throw new IllegalCmdParamException("no certificate is contained in " + crlFile);
}
extnValue = removingTagAndLenFromExtensionValue(extnValue);
ASN1Set asn1Set = DERSet.getInstance(extnValue);
final int n = asn1Set.size();
if (n == 0) {
throw new CmdFailure("no certificate is contained in " + crlFile);
}
ByteArrayOutputStream out = new ByteArrayOutputStream();
ZipOutputStream zip = new ZipOutputStream(out);
for (int i = 0; i < n; i++) {
ASN1Encodable asn1 = asn1Set.getObjectAt(i);
Certificate cert;
try {
ASN1Sequence seq = ASN1Sequence.getInstance(asn1);
cert = Certificate.getInstance(seq.getObjectAt(0));
} catch (IllegalArgumentException ex) {
// backwards compatibility
cert = Certificate.getInstance(asn1);
}
byte[] certBytes = cert.getEncoded();
String sha1FpCert = HashAlgo.SHA1.hexHash(certBytes);
ZipEntry certZipEntry = new ZipEntry(sha1FpCert + ".der");
zip.putNextEntry(certZipEntry);
try {
zip.write(certBytes);
} finally {
zip.closeEntry();
}
}
zip.flush();
zip.close();
saveVerbose("extracted " + n + " certificates to", new File(outFile), out.toByteArray());
return null;
}
Also used :
X509CRL(java.security.cert.X509CRL)
ZipEntry(java.util.zip.ZipEntry)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
ASN1Set(org.bouncycastle.asn1.ASN1Set)
CmdFailure(org.xipki.console.karaf.CmdFailure)
ZipOutputStream(java.util.zip.ZipOutputStream)
IllegalCmdParamException(org.xipki.console.karaf.IllegalCmdParamException)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
File(java.io.File)
Certificate(org.bouncycastle.asn1.x509.Certificate)
Aggregations
ASN1Set (org.bouncycastle.asn1.ASN1Set)41
IOException (java.io.IOException)18
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)14
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)13
ArrayList (java.util.ArrayList)11
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)11
DEROctetString (org.bouncycastle.asn1.DEROctetString)9
Enumeration (java.util.Enumeration)8
List (java.util.List)8
CertificateException (java.security.cert.CertificateException)7
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)7
KeyPair (java.security.KeyPair)6
X509Certificate (java.security.cert.X509Certificate)6
Asn1Integer (com.android.hotspot2.asn1.Asn1Integer)5
Asn1Object (com.android.hotspot2.asn1.Asn1Object)5
Asn1Oid (com.android.hotspot2.asn1.Asn1Oid)5
OidMappings (com.android.hotspot2.asn1.OidMappings)5
ASN1Encodable (com.android.org.bouncycastle.asn1.ASN1Encodable)5
ASN1EncodableVector (com.android.org.bouncycastle.asn1.ASN1EncodableVector)5
ASN1Set (com.android.org.bouncycastle.asn1.ASN1Set)5
