Example 36 with CRLDistPoint
use of com.github.zhenwei.core.asn1.x509.CRLDistPoint in project keycloak by keycloak.
the class CRLUtils method getCRLDistributionPoints.
/**
* Retrieves a list of CRL distribution points from CRLDP v3 certificate extension
* See <a href="www.nakov.com/blog/2009/12/01/x509-certificate-validation-in-java-build-and-verify-cchain-and-verify-clr-with-bouncy-castle/">CRL validation</a>
* @param cert
* @return
* @throws IOException
*/
public static List<String> getCRLDistributionPoints(X509Certificate cert) throws IOException {
byte[] data = cert.getExtensionValue(CRL_DISTRIBUTION_POINTS_OID);
if (data == null) {
return Collections.emptyList();
}
List<String> distributionPointUrls = new LinkedList<>();
DEROctetString octetString;
try (ASN1InputStream crldpExtensionInputStream = new ASN1InputStream(new ByteArrayInputStream(data))) {
octetString = (DEROctetString) crldpExtensionInputStream.readObject();
}
byte[] octets = octetString.getOctets();
CRLDistPoint crlDP;
try (ASN1InputStream crldpInputStream = new ASN1InputStream(new ByteArrayInputStream(octets))) {
crlDP = CRLDistPoint.getInstance(crldpInputStream.readObject());
}
for (DistributionPoint dp : crlDP.getDistributionPoints()) {
DistributionPointName dpn = dp.getDistributionPoint();
if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) {
GeneralName[] names = GeneralNames.getInstance(dpn.getName()).getNames();
for (GeneralName gn : names) {
if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
String url = DERIA5String.getInstance(gn.getName()).getString();
distributionPointUrls.add(url);
}
}
}
}
return distributionPointUrls;
}
Also used :
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
ByteArrayInputStream(java.io.ByteArrayInputStream)
DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
LinkedList(java.util.LinkedList)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
Example 37 with CRLDistPoint
use of com.github.zhenwei.core.asn1.x509.CRLDistPoint in project LinLong-Java by zhenwei1108.
the class RFC3280CertPathUtilities method processCRLA1i.
protected static Set processCRLA1i(PKIXExtendedParameters paramsPKIX, Date currentDate, X509Certificate cert, X509CRL crl) throws AnnotatedException {
Set set = new HashSet();
if (paramsPKIX.isUseDeltasEnabled()) {
CRLDistPoint freshestCRL = null;
try {
freshestCRL = CRLDistPoint.getInstance(RevocationUtilities.getExtensionValue(cert, Extension.freshestCRL));
} catch (AnnotatedException e) {
throw new AnnotatedException("Freshest CRL extension could not be decoded from certificate.", e);
}
if (freshestCRL == null) {
try {
freshestCRL = CRLDistPoint.getInstance(RevocationUtilities.getExtensionValue(crl, Extension.freshestCRL));
} catch (AnnotatedException e) {
throw new AnnotatedException("Freshest CRL extension could not be decoded from CRL.", e);
}
}
if (freshestCRL != null) {
List crlStores = new ArrayList();
crlStores.addAll(paramsPKIX.getCRLStores());
try {
crlStores.addAll(RevocationUtilities.getAdditionalStoresFromCRLDistributionPoint(freshestCRL, paramsPKIX.getNamedCRLStoreMap()));
} catch (AnnotatedException e) {
throw new AnnotatedException("No new delta CRL locations could be added from Freshest CRL extension.", e);
}
// get delta CRL(s)
try {
set.addAll(RevocationUtilities.getDeltaCRLs(currentDate, crl, paramsPKIX.getCertStores(), crlStores));
} catch (AnnotatedException e) {
throw new AnnotatedException("Exception obtaining delta CRLs.", e);
}
}
}
return set;
}
Also used :
HashSet(java.util.HashSet)
LinkedHashSet(java.util.LinkedHashSet)
Set(java.util.Set)
ArrayList(java.util.ArrayList)
ArrayList(java.util.ArrayList)
List(java.util.List)
CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint)
HashSet(java.util.HashSet)
LinkedHashSet(java.util.LinkedHashSet)
Example 38 with CRLDistPoint
use of com.github.zhenwei.core.asn1.x509.CRLDistPoint in project LinLong-Java by zhenwei1108.
the class RevocationUtilities method getAdditionalStoresFromCRLDistributionPoint.
static List<PKIXCRLStore> getAdditionalStoresFromCRLDistributionPoint(CRLDistPoint crldp, Map<GeneralName, PKIXCRLStore> namedCRLStoreMap) throws AnnotatedException {
if (crldp == null) {
return Collections.emptyList();
}
DistributionPoint[] dps;
try {
dps = crldp.getDistributionPoints();
} catch (Exception e) {
throw new AnnotatedException("Distribution points could not be read.", e);
}
List<PKIXCRLStore> stores = new ArrayList<PKIXCRLStore>();
for (int i = 0; i < dps.length; i++) {
DistributionPointName dpn = dps[i].getDistributionPoint();
// look for URIs in fullName
if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) {
GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
for (int j = 0; j < genNames.length; j++) {
PKIXCRLStore store = namedCRLStoreMap.get(genNames[j]);
if (store != null) {
stores.add(store);
}
}
}
}
return stores;
}
Also used :
ArrayList(java.util.ArrayList)
DistributionPointName(com.github.zhenwei.core.asn1.x509.DistributionPointName)
IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint)
DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint)
GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
CertStoreException(java.security.cert.CertStoreException)
CRLException(java.security.cert.CRLException)
StoreException(com.github.zhenwei.core.util.StoreException)
IOException(java.io.IOException)
IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint)
DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint)
PKIXCRLStore(com.github.zhenwei.provider.jcajce.PKIXCRLStore)
Example 39 with CRLDistPoint
use of com.github.zhenwei.core.asn1.x509.CRLDistPoint in project LinLong-Java by zhenwei1108.
the class X509RevocationChecker method checkCRLs.
/**
* Checks a certificate if it is revoked.
*
* @param pkixParams PKIX parameters.
* @param cert Certificate to check if it is revoked.
* @param validDate The date when the certificate revocation status should be checked.
* @param sign The issuer certificate of the certificate <code>cert</code>.
* @param workingPublicKey The public key of the issuer certificate <code>sign</code>.
* @param certPathCerts The certificates of the certification path.
* @throws AnnotatedException if the certificate is revoked or the status cannot be checked or
* some error occurs.
*/
protected void checkCRLs(PKIXExtendedParameters pkixParams, Date currentDate, Date validityDate, X509Certificate cert, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts, JcaJceHelper helper) throws AnnotatedException, CertPathValidatorException {
CRLDistPoint crldp;
try {
crldp = CRLDistPoint.getInstance(RevocationUtilities.getExtensionValue(cert, Extension.cRLDistributionPoints));
} catch (Exception e) {
throw new AnnotatedException("cannot read CRL distribution point extension", e);
}
CertStatus certStatus = new CertStatus();
ReasonsMask reasonsMask = new ReasonsMask();
AnnotatedException lastException = null;
boolean validCrlFound = false;
// for each distribution point
if (crldp != null) {
DistributionPoint[] dps;
try {
dps = crldp.getDistributionPoints();
} catch (Exception e) {
throw new AnnotatedException("cannot read distribution points", e);
}
if (dps != null) {
PKIXExtendedParameters.Builder pkixBuilder = new PKIXExtendedParameters.Builder(pkixParams);
try {
List extras = getAdditionalStoresFromCRLDistributionPoint(crldp, pkixParams.getNamedCRLStoreMap());
for (Iterator it = extras.iterator(); it.hasNext(); ) {
pkixBuilder.addCRLStore((PKIXCRLStore) it.next());
}
} catch (AnnotatedException e) {
throw new AnnotatedException("no additional CRL locations could be decoded from CRL distribution point extension", e);
}
PKIXExtendedParameters pkixParamsFinal = pkixBuilder.build();
Date validityDateFinal = RevocationUtilities.getValidityDate(pkixParamsFinal, currentDate);
for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) {
try {
RFC3280CertPathUtilities.checkCRL(dps[i], pkixParamsFinal, currentDate, validityDateFinal, cert, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts, helper);
validCrlFound = true;
} catch (AnnotatedException e) {
lastException = e;
}
}
}
}
if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
try {
/*
* assume a DP with both the reasons and the cRLIssuer fields
* omitted and a distribution point name of the certificate
* issuer.
*/
X500Principal issuer = cert.getIssuerX500Principal();
DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, X500Name.getInstance(issuer.getEncoded())))), null, null);
PKIXExtendedParameters pkixParamsClone = (PKIXExtendedParameters) pkixParams.clone();
RFC3280CertPathUtilities.checkCRL(dp, pkixParamsClone, currentDate, validityDate, cert, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts, helper);
validCrlFound = true;
} catch (AnnotatedException e) {
lastException = e;
}
}
if (!validCrlFound) {
if (lastException instanceof AnnotatedException) {
throw new CRLNotFoundException("no valid CRL found", lastException);
}
throw new CRLNotFoundException("no valid CRL found");
}
if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss Z");
df.setTimeZone(TimeZone.getTimeZone("UTC"));
String message = "certificate [issuer=\"" + cert.getIssuerX500Principal() + "\",serialNumber=" + cert.getSerialNumber() + ",subject=\"" + cert.getSubjectX500Principal() + "\"] revoked after " + df.format(certStatus.getRevocationDate());
message += ", reason: " + crlReasons[certStatus.getCertStatus()];
throw new AnnotatedException(message);
}
if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
certStatus.setCertStatus(CertStatus.UNDETERMINED);
}
if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
throw new AnnotatedException("certificate status could not be determined");
}
}
Also used :
DistributionPointName(com.github.zhenwei.core.asn1.x509.DistributionPointName)
KeyStoreException(java.security.KeyStoreException)
GeneralSecurityException(java.security.GeneralSecurityException)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
CertStoreException(java.security.cert.CertStoreException)
Date(java.util.Date)
CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint)
DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint)
PKIXExtendedParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedParameters)
GeneralNames(com.github.zhenwei.core.asn1.x509.GeneralNames)
Iterator(java.util.Iterator)
X500Principal(javax.security.auth.x500.X500Principal)
List(java.util.List)
ArrayList(java.util.ArrayList)
DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint)
GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName)
CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint)
SimpleDateFormat(java.text.SimpleDateFormat)
Example 40 with CRLDistPoint
use of com.github.zhenwei.core.asn1.x509.CRLDistPoint in project LinLong-Java by zhenwei1108.
the class RFC3280CertPathUtilities method checkCRLs.
/**
* Checks a certificate if it is revoked.
*
* @param paramsPKIX PKIX parameters.
* @param currentDate The date at which this check is being run.
* @param validityDate The date when the certificate revocation status should be checked.
* @param cert Certificate to check if it is revoked.
* @param sign The issuer certificate of the certificate <code>cert</code>.
* @param workingPublicKey The public key of the issuer certificate <code>sign</code>.
* @param certPathCerts The certificates of the certification path.
* @throws AnnotatedException if the certificate is revoked or the status cannot be checked or
* some error occurs.
*/
protected static void checkCRLs(PKIXCertRevocationCheckerParameters params, PKIXExtendedParameters paramsPKIX, Date currentDate, Date validityDate, X509Certificate cert, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts, JcaJceHelper helper) throws AnnotatedException, RecoverableCertPathValidatorException {
AnnotatedException lastException = null;
CRLDistPoint crldp = null;
try {
crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS));
} catch (Exception e) {
throw new AnnotatedException("CRL distribution point extension could not be read.", e);
}
PKIXExtendedParameters.Builder paramsBldr = new PKIXExtendedParameters.Builder(paramsPKIX);
try {
List extras = CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX.getNamedCRLStoreMap(), validityDate, helper);
for (Iterator it = extras.iterator(); it.hasNext(); ) {
paramsBldr.addCRLStore((PKIXCRLStore) it.next());
}
} catch (AnnotatedException e) {
throw new AnnotatedException("No additional CRL locations could be decoded from CRL distribution point extension.", e);
}
CertStatus certStatus = new CertStatus();
ReasonsMask reasonsMask = new ReasonsMask();
PKIXExtendedParameters finalParams = paramsBldr.build();
boolean validCrlFound = false;
// for each distribution point
if (crldp != null) {
DistributionPoint[] dps = null;
try {
dps = crldp.getDistributionPoints();
} catch (Exception e) {
throw new AnnotatedException("Distribution points could not be read.", e);
}
if (dps != null) {
for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) {
try {
checkCRL(params, dps[i], finalParams, currentDate, validityDate, cert, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts, helper);
validCrlFound = true;
} catch (AnnotatedException e) {
lastException = e;
}
}
}
}
if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
try {
/*
* assume a DP with both the reasons and the cRLIssuer fields
* omitted and a distribution point name of the certificate
* issuer.
*/
X500Name issuer;
try {
issuer = PrincipalUtils.getIssuerPrincipal(cert);
} catch (RuntimeException e) {
throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e);
}
DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters) paramsPKIX.clone();
checkCRL(params, dp, paramsPKIXClone, currentDate, validityDate, cert, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts, helper);
validCrlFound = true;
} catch (AnnotatedException e) {
lastException = e;
}
}
if (!validCrlFound) {
if (lastException instanceof AnnotatedException) {
throw lastException;
}
throw new AnnotatedException("No valid CRL found.", lastException);
}
if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss Z");
df.setTimeZone(TimeZone.getTimeZone("UTC"));
String message = "Certificate revocation after " + df.format(certStatus.getRevocationDate());
message += ", reason: " + crlReasons[certStatus.getCertStatus()];
throw new AnnotatedException(message);
}
if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
certStatus.setCertStatus(CertStatus.UNDETERMINED);
}
if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
throw new AnnotatedException("Certificate status could not be determined.");
}
}
Also used :
DistributionPointName(com.github.zhenwei.core.asn1.x509.DistributionPointName)
X500Name(com.github.zhenwei.core.asn1.x500.X500Name)
ASN1String(com.github.zhenwei.core.asn1.ASN1String)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
GeneralSecurityException(java.security.GeneralSecurityException)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
ExtCertPathValidatorException(com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException)
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertPathBuilderException(java.security.cert.CertPathBuilderException)
IOException(java.io.IOException)
IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint)
DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint)
PKIXExtendedParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedParameters)
GeneralNames(com.github.zhenwei.core.asn1.x509.GeneralNames)
Iterator(java.util.Iterator)
List(java.util.List)
ArrayList(java.util.ArrayList)
IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint)
DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint)
GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName)
CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint)
SimpleDateFormat(java.text.SimpleDateFormat)
Aggregations
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)34
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)30
GeneralName (org.bouncycastle.asn1.x509.GeneralName)29
IOException (java.io.IOException)24
DistributionPointName (org.bouncycastle.asn1.x509.DistributionPointName)22
ArrayList (java.util.ArrayList)17
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)15
DERIA5String (org.bouncycastle.asn1.DERIA5String)14
CertPathValidatorException (java.security.cert.CertPathValidatorException)13
CRLDistPoint (com.github.zhenwei.core.asn1.x509.CRLDistPoint)11
GeneralSecurityException (java.security.GeneralSecurityException)11
ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)11
DistributionPoint (com.github.zhenwei.core.asn1.x509.DistributionPoint)10
GeneralName (com.github.zhenwei.core.asn1.x509.GeneralName)10
CRLException (java.security.cert.CRLException)10
ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)10
DistributionPointName (com.github.zhenwei.core.asn1.x509.DistributionPointName)9
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)9
CertStoreException (java.security.cert.CertStoreException)8
HashSet (java.util.HashSet)7
