Search in sources :

Example 16 with CertificateList

use of com.beanit.asn1bean.compiler.pkix1explicit88.CertificateList in project XobotOS by xamarin.

the class CertPathValidatorUtilities method getCertStatus.

protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, CertStatus certStatus) throws AnnotatedException {
    // use BC X509CRLObject so that indirect CRLs are supported
    X509CRLObject bcCRL = null;
    try {
        bcCRL = new X509CRLObject(new CertificateList((ASN1Sequence) ASN1Sequence.fromByteArray(crl.getEncoded())));
    } catch (Exception exception) {
        throw new AnnotatedException("Bouncy Castle X509CRLObject could not be created.", exception);
    }
    // use BC X509CRLEntryObject, so that getCertificateIssuer() is
    // supported.
    X509CRLEntryObject crl_entry = (X509CRLEntryObject) bcCRL.getRevokedCertificate(getSerialNumber(cert));
    if (crl_entry != null && (getEncodedIssuerPrincipal(cert).equals(crl_entry.getCertificateIssuer()) || getEncodedIssuerPrincipal(cert).equals(getIssuerPrincipal(crl)))) {
        DEREnumerated reasonCode = null;
        if (crl_entry.hasExtensions()) {
            try {
                reasonCode = DEREnumerated.getInstance(CertPathValidatorUtilities.getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
            } catch (Exception e) {
                new AnnotatedException("Reason code CRL entry extension could not be decoded.", e);
            }
        }
        // unspecified
        if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime()) || reasonCode == null || reasonCode.getValue().intValue() == 0 || reasonCode.getValue().intValue() == 1 || reasonCode.getValue().intValue() == 2 || reasonCode.getValue().intValue() == 8) {
            // (i) or (j) (1)
            if (reasonCode != null) {
                certStatus.setCertStatus(reasonCode.getValue().intValue());
            } else // (i) or (j) (2)
            {
                certStatus.setCertStatus(CRLReason.unspecified);
            }
            certStatus.setRevocationDate(crl_entry.getRevocationDate());
        }
    }
}
Also used : DEREnumerated(org.bouncycastle.asn1.DEREnumerated) CertificateList(org.bouncycastle.asn1.x509.CertificateList) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ParseException(java.text.ParseException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertStoreException(java.security.cert.CertStoreException) CertificateParsingException(java.security.cert.CertificateParsingException) StoreException(org.bouncycastle.util.StoreException) IOException(java.io.IOException)

Example 17 with CertificateList

use of com.beanit.asn1bean.compiler.pkix1explicit88.CertificateList in project XobotOS by xamarin.

the class X509CertFactoryImpl method engineGenerateCRLs.

/**
     * @see java.security.cert.CertificateFactorySpi#engineGenerateCRLs(InputStream)
     * method documentation for more info
     */
public Collection<? extends CRL> engineGenerateCRLs(InputStream inStream) throws CRLException {
    if (inStream == null) {
        throw new CRLException("inStream == null");
    }
    ArrayList<CRL> result = new ArrayList<CRL>();
    try {
        if (!inStream.markSupported()) {
            inStream = new RestoringInputStream(inStream);
        }
        // if it is PEM encoded form this array will contain the encoding
        // so ((it is PEM) <-> (encoding != null))
        byte[] encoding = null;
        // The following by SEQUENCE ASN.1 tag, used for
        // recognizing the data format
        // (is it PKCS7 ContentInfo structure, X.509 CRL, or
        // unsupported encoding)
        int second_asn1_tag = -1;
        inStream.mark(1);
        int ch;
        while ((ch = inStream.read()) != -1) {
            // check if it is PEM encoded form
            if (ch == '-') {
                // beginning of PEM encoding ('-' char)
                // decode PEM chunk and store its content (ASN.1 encoding)
                encoding = decodePEM(inStream, FREE_BOUND_SUFFIX);
            } else if (ch == 0x30) {
                // beginning of ASN.1 sequence (0x30)
                encoding = null;
                inStream.reset();
                // prepare for data format determination
                inStream.mark(CRL_CACHE_SEED_LENGTH);
            } else {
                // unsupported data
                if (result.size() == 0) {
                    throw new CRLException("Unsupported encoding");
                } else {
                    // it can be trailing user data,
                    // so keep it in the stream
                    inStream.reset();
                    return result;
                }
            }
            // Check the data format
            BerInputStream in = (encoding == null) ? new BerInputStream(inStream) : new BerInputStream(encoding);
            // read the next ASN.1 tag
            second_asn1_tag = in.next();
            if (encoding == null) {
                // keep whole structure in the stream
                inStream.reset();
            }
            // check if it is a TBSCertList structure
            if (second_asn1_tag != ASN1Constants.TAG_C_SEQUENCE) {
                if (result.size() == 0) {
                    // whether it is PKCS7 structure
                    break;
                } else {
                    // so return what we already read
                    return result;
                }
            } else {
                if (encoding == null) {
                    result.add(getCRL(inStream));
                } else {
                    result.add(getCRL(encoding));
                }
            }
            inStream.mark(1);
        }
        if (result.size() != 0) {
            // the stream was read out
            return result;
        } else if (ch == -1) {
            throw new CRLException("There is no data in the stream");
        }
        // else: check if it is PKCS7
        if (second_asn1_tag == ASN1Constants.TAG_OID) {
            // it is PKCS7 ContentInfo structure, so decode it
            ContentInfo info = (ContentInfo) ((encoding != null) ? ContentInfo.ASN1.decode(encoding) : ContentInfo.ASN1.decode(inStream));
            // retrieve SignedData
            SignedData data = info.getSignedData();
            if (data == null) {
                throw new CRLException("Invalid PKCS7 data provided");
            }
            List<CertificateList> crls = data.getCRLs();
            if (crls != null) {
                for (CertificateList crl : crls) {
                    result.add(new X509CRLImpl(crl));
                }
            }
            return result;
        }
        // else: Unknown data format
        throw new CRLException("Unsupported encoding");
    } catch (IOException e) {
        throw new CRLException(e);
    }
}
Also used : SignedData(org.apache.harmony.security.pkcs7.SignedData) ArrayList(java.util.ArrayList) CertificateList(org.apache.harmony.security.x509.CertificateList) IOException(java.io.IOException) ContentInfo(org.apache.harmony.security.pkcs7.ContentInfo) X509CRL(java.security.cert.X509CRL) CRL(java.security.cert.CRL) BerInputStream(org.apache.harmony.security.asn1.BerInputStream) CRLException(java.security.cert.CRLException)

Example 18 with CertificateList

use of com.beanit.asn1bean.compiler.pkix1explicit88.CertificateList in project xipki by xipki.

the class X509CmpRequestor method evaluateCrlResponse.

private X509CRL evaluateCrlResponse(PkiResponse response, Integer xipkiAction) throws CmpRequestorException, PkiErrorException {
    ParamUtil.requireNonNull("response", response);
    checkProtection(response);
    PKIBody respBody = response.getPkiMessage().getBody();
    int bodyType = respBody.getType();
    if (PKIBody.TYPE_ERROR == bodyType) {
        ErrorMsgContent content = ErrorMsgContent.getInstance(respBody.getContent());
        throw new PkiErrorException(content.getPKIStatusInfo());
    } else if (PKIBody.TYPE_GEN_REP != bodyType) {
        throw new CmpRequestorException(String.format("unknown PKI body type %s instead the expected [%s, %s]", bodyType, PKIBody.TYPE_GEN_REP, PKIBody.TYPE_ERROR));
    }
    ASN1ObjectIdentifier expectedType = (xipkiAction == null) ? CMPObjectIdentifiers.it_currentCRL : ObjectIdentifiers.id_xipki_cmp_cmpGenmsg;
    GenRepContent genRep = GenRepContent.getInstance(respBody.getContent());
    InfoTypeAndValue[] itvs = genRep.toInfoTypeAndValueArray();
    InfoTypeAndValue itv = null;
    if (itvs != null && itvs.length > 0) {
        for (InfoTypeAndValue m : itvs) {
            if (expectedType.equals(m.getInfoType())) {
                itv = m;
                break;
            }
        }
    }
    if (itv == null) {
        throw new CmpRequestorException("the response does not contain InfoTypeAndValue " + expectedType);
    }
    ASN1Encodable certListAsn1Object = (xipkiAction == null) ? itv.getInfoValue() : extractXiActionContent(itv.getInfoValue(), xipkiAction);
    CertificateList certList = CertificateList.getInstance(certListAsn1Object);
    X509CRL crl;
    try {
        crl = X509Util.toX509Crl(certList);
    } catch (CRLException | CertificateException ex) {
        throw new CmpRequestorException("returned CRL is invalid: " + ex.getMessage());
    }
    return crl;
}
Also used : PKIBody(org.bouncycastle.asn1.cmp.PKIBody) X509CRL(java.security.cert.X509CRL) GenRepContent(org.bouncycastle.asn1.cmp.GenRepContent) CertificateList(org.bouncycastle.asn1.x509.CertificateList) CertificateException(java.security.cert.CertificateException) PkiErrorException(org.xipki.ca.client.api.PkiErrorException) InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent) CRLException(java.security.cert.CRLException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 19 with CertificateList

use of com.beanit.asn1bean.compiler.pkix1explicit88.CertificateList in project candlepin by candlepin.

the class X509CRLStreamWriter method writeToEmptyCrl.

protected void writeToEmptyCrl(OutputStream out) throws IOException {
    ASN1InputStream asn1in = null;
    try {
        asn1in = new ASN1InputStream(crlIn);
        ASN1Sequence certListSeq = (ASN1Sequence) asn1in.readObject();
        CertificateList certList = CertificateList.getInstance(certListSeq);
        X509CRLHolder oldCrl = new X509CRLHolder(certList);
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(oldCrl.getIssuer(), new Date());
        crlBuilder.addCRL(oldCrl);
        Date now = new Date();
        Date oldNextUpdate = certList.getNextUpdate().getDate();
        Date oldThisUpdate = certList.getThisUpdate().getDate();
        Date nextUpdate = new Date(now.getTime() + (oldNextUpdate.getTime() - oldThisUpdate.getTime()));
        crlBuilder.setNextUpdate(nextUpdate);
        for (Object o : oldCrl.getExtensionOIDs()) {
            ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) o;
            Extension ext = oldCrl.getExtension(oid);
            if (oid.equals(Extension.cRLNumber)) {
                ASN1OctetString octet = ext.getExtnValue();
                ASN1Integer currentNumber = (ASN1Integer) new ASN1InputStream(octet.getOctets()).readObject();
                ASN1Integer nextNumber = new ASN1Integer(currentNumber.getValue().add(BigInteger.ONE));
                crlBuilder.addExtension(oid, ext.isCritical(), nextNumber);
            } else if (oid.equals(Extension.authorityKeyIdentifier)) {
                crlBuilder.addExtension(oid, ext.isCritical(), ext.getParsedValue());
            }
        }
        for (DERSequence entry : newEntries) {
            // XXX: This is all a bit messy considering the user already passed in the serial, date
            // and reason.
            BigInteger serial = ((ASN1Integer) entry.getObjectAt(0)).getValue();
            Date revokeDate = ((Time) entry.getObjectAt(1)).getDate();
            int reason = CRLReason.unspecified;
            if (entry.size() == 3) {
                Extensions extensions = (Extensions) entry.getObjectAt(2);
                Extension reasonExt = extensions.getExtension(Extension.reasonCode);
                if (reasonExt != null) {
                    reason = ((ASN1Enumerated) reasonExt.getParsedValue()).getValue().intValue();
                }
            }
            crlBuilder.addCRLEntry(serial, revokeDate, reason);
        }
        if (signingAlg == null) {
            signingAlg = oldCrl.toASN1Structure().getSignatureAlgorithm();
        }
        ContentSigner s;
        try {
            s = createContentSigner(signingAlg, key);
            X509CRLHolder newCrl = crlBuilder.build(s);
            out.write(newCrl.getEncoded());
        } catch (OperatorCreationException e) {
            throw new IOException("Could not sign CRL", e);
        }
    } finally {
        IOUtils.closeQuietly(asn1in);
    }
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) CertificateList(org.bouncycastle.asn1.x509.CertificateList) ContentSigner(org.bouncycastle.operator.ContentSigner) DERGeneralizedTime(org.bouncycastle.asn1.DERGeneralizedTime) ASN1GeneralizedTime(org.bouncycastle.asn1.ASN1GeneralizedTime) DERUTCTime(org.bouncycastle.asn1.DERUTCTime) Time(org.bouncycastle.asn1.x509.Time) ASN1UTCTime(org.bouncycastle.asn1.ASN1UTCTime) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) IOException(java.io.IOException) Extensions(org.bouncycastle.asn1.x509.Extensions) Date(java.util.Date) Extension(org.bouncycastle.asn1.x509.Extension) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) DERSequence(org.bouncycastle.asn1.DERSequence) ASN1Enumerated(org.bouncycastle.asn1.ASN1Enumerated) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) BigInteger(java.math.BigInteger) X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder) ASN1Object(org.bouncycastle.asn1.ASN1Object) ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject) DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 20 with CertificateList

use of com.beanit.asn1bean.compiler.pkix1explicit88.CertificateList in project jasn1 by openmuc.

the class LoadCRLRequest method decode.

public int decode(InputStream is, boolean withTag) throws IOException {
    int tlByteCount = 0;
    int vByteCount = 0;
    BerTag berTag = new BerTag();
    if (withTag) {
        tlByteCount += tag.decodeAndCheck(is);
    }
    BerLength length = new BerLength();
    tlByteCount += length.decode(is);
    int lengthVal = length.val;
    vByteCount += berTag.decode(is);
    if (berTag.equals(BerTag.CONTEXT_CLASS, BerTag.CONSTRUCTED, 0)) {
        crl = new CertificateList();
        vByteCount += crl.decode(is, false);
        if (lengthVal >= 0 && vByteCount == lengthVal) {
            return tlByteCount + vByteCount;
        }
        vByteCount += berTag.decode(is);
    } else {
        throw new IOException("Tag does not match mandatory sequence component.");
    }
    if (lengthVal < 0) {
        while (!berTag.equals(0, 0, 0)) {
            vByteCount += DecodeUtil.decodeUnknownComponent(is);
            vByteCount += berTag.decode(is);
        }
        vByteCount += BerLength.readEocByte(is);
        return tlByteCount + vByteCount;
    } else {
        while (vByteCount < lengthVal) {
            vByteCount += DecodeUtil.decodeUnknownComponent(is);
            if (vByteCount == lengthVal) {
                return tlByteCount + vByteCount;
            }
            vByteCount += berTag.decode(is);
        }
    }
    throw new IOException("Unexpected end of sequence, length tag: " + lengthVal + ", bytes decoded: " + vByteCount);
}
Also used : CertificateList(com.beanit.asn1bean.compiler.pkix1explicit88.CertificateList) IOException(java.io.IOException)

Aggregations

CertificateList (org.bouncycastle.asn1.x509.CertificateList)13 IOException (java.io.IOException)9 Test (org.junit.jupiter.api.Test)8 CRLException (java.security.cert.CRLException)6 X509CRL (java.security.cert.X509CRL)5 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)5 X509CRLHolder (org.bouncycastle.cert.X509CRLHolder)5 OperationException (org.xipki.ca.api.OperationException)5 DefaultCertManagerClient (io.fabric8.certmanager.client.DefaultCertManagerClient)4 NamespacedCertManagerClient (io.fabric8.certmanager.client.NamespacedCertManagerClient)4 CertificateList (io.fabric8.certmanager.api.model.v1.CertificateList)3 CertificateList (io.fabric8.certmanager.api.model.v1alpha2.CertificateList)3 CertificateList (io.fabric8.certmanager.api.model.v1alpha3.CertificateList)3 CertificateList (io.fabric8.certmanager.api.model.v1beta1.CertificateList)3 BigInteger (java.math.BigInteger)3 ArrayList (java.util.ArrayList)3 Date (java.util.Date)3 CertificateList (com.beanit.asn1bean.compiler.pkix1explicit88.CertificateList)2 Certificate (io.fabric8.certmanager.api.model.v1.Certificate)2 CertificateBuilder (io.fabric8.certmanager.api.model.v1.CertificateBuilder)2