
Example 1 with CRLNumber

use of com.github.zhenwei.core.asn1.x509.CRLNumber in project poi by apache.

the class PkiTestUtils method generateCrl.

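public static X509CRL generateCrl(X509Certificate issuer, PrivateKey issuerPrivateKey) throws CertificateEncodingException, IOException, CRLException, OperatorCreationException {
    // Builds and signs a minimal X.509 v2 CRL with no revoked entries, for use as a test fixture.
    //   issuer           - certificate of the CA that signs the CRL
    //   issuerPrivateKey - the private key matching that certificate
    // The checked exceptions of the Bouncy Castle builder/converter chain are passed through.
    X509CertificateHolder issuerHolder = new X509CertificateHolder(issuer.getEncoded());
    Date thisUpdate = new Date();
    // The CRL issuer is the DN of the entity that signs it (RFC 5280 5.1.2.3), i.e. the issuer
    // certificate's *subject*. getIssuer() is only equal to it for a self-signed certificate.
    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerHolder.getSubject(), thisUpdate);
    // Short validity window (100 s), measured from the same instant as thisUpdate.
    crlBuilder.setNextUpdate(new Date(thisUpdate.getTime() + 100000L));
    // SHA-256 instead of SHA-1: SHA-1 signatures are deprecated and rejected by many validators.
    JcaContentSignerBuilder contentBuilder = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC");
    // Non-critical cRLNumber extension; a fixed value is fine for a single test CRL.
    crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.valueOf(1234)));
    X509CRLHolder crlHolder = crlBuilder.build(contentBuilder.build(issuerPrivateKey));
    return new JcaX509CRLConverter().setProvider("BC").getCRL(crlHolder);
}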
Also used : JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) CRLNumber(org.bouncycastle.asn1.x509.CRLNumber) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) BigInteger(java.math.BigInteger) X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder) Date(java.util.Date)

Example 2 with CRLNumber

use of com.github.zhenwei.core.asn1.x509.CRLNumber in project xipki by xipki.

the class X509CaCmpResponderImpl method cmpGeneralMsg.

// method cmpGeneralMsg
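private PKIBody cmpGeneralMsg(PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor, ASN1OctetString tid, String msgId, AuditEvent event) throws InsuffientPermissionException {
    // Serves a CMP General Message (PKIBody type genm). The first InfoTypeAndValue whose OID
    // is listed in KNOWN_GENMSG_IDS is answered; any other entries of the request are ignored.
    // Every value read from the request is attacker-controlled, so malformed ASN.1 is turned
    // into a badRequest error body instead of letting a decoding exception escape the responder.
    // Returns the GenRep body on success, or an error body built by buildErrorMsgPkiBody.
    // respHeader, cmpControl, reqHeader and tid belong to the responder's dispatch signature
    // and are not used here.
    GenMsgContent genMsgBody = GenMsgContent.getInstance(reqBody.getContent());
    InfoTypeAndValue[] itvs = genMsgBody.toInfoTypeAndValueArray();
    InfoTypeAndValue itv = null;
    if (itvs != null) {
        for (InfoTypeAndValue entry : itvs) {
            if (KNOWN_GENMSG_IDS.contains(entry.getInfoType().getId())) {
                itv = entry;
                break;
            }
        }
    }
    if (itv == null) {
        String statusMessage = "PKIBody type " + PKIBody.TYPE_GEN_MSG + " is only supported with the sub-types " + KNOWN_GENMSG_IDS.toString();
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
    }
    InfoTypeAndValue itvResp = null;
    ASN1ObjectIdentifier infoType = itv.getInfoType();
    try {
        X509Ca ca = getCa();
        if (CMPObjectIdentifiers.it_currentCRL.equals(infoType)) {
            event.addEventType(CaAuditConstants.TYPE_CMP_genm_currentCrl);
            // Authorization first: nothing is read from the CRL store before the check passes.
            checkPermission(requestor, PermissionConstants.GET_CRL);
            CertificateList crl;
            if (itv.getInfoValue() == null) {
                // as defined in RFC 4210: an absent value asks for the current CRL
                crl = ca.getBcCurrentCrl();
            } else {
                // xipki extension: the value is the CRL number of the CRL to return
                ASN1Integer crlNumber;
                try {
                    crlNumber = ASN1Integer.getInstance(itv.getInfoValue());
                } catch (IllegalArgumentException ex) {
                    String statusMessage = "invalid CRL number in the InfoTypeAndValue for " + infoType.getId();
                    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
                }
                crl = ca.getBcCrl(crlNumber.getPositiveValue());
            }
            if (crl == null) {
                String statusMessage = "no CRL is available";
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
            }
            itvResp = new InfoTypeAndValue(infoType, crl);
        } else if (ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.equals(infoType)) {
            // xipki-specific request value: SEQUENCE { action INTEGER, value ANY OPTIONAL }
            ASN1Integer asn1Code;
            ASN1Encodable reqValue = null;
            try {
                ASN1Sequence seq = ASN1Sequence.getInstance(itv.getInfoValue());
                if (seq == null || seq.size() < 1) {
                    // absent value or empty sequence: no action code to dispatch on
                    throw new IllegalArgumentException("missing action code");
                }
                asn1Code = ASN1Integer.getInstance(seq.getObjectAt(0));
                if (seq.size() > 1) {
                    reqValue = seq.getObjectAt(1);
                }
            } catch (IllegalArgumentException ex) {
                String statusMessage = "invalid value of the InfoTypeAndValue for " + ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.getId();
                return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
            }
            ASN1Encodable respValue;
            int action = asn1Code.getPositiveValue().intValue();
            switch (action) {
                case XiSecurityConstants.CMP_ACTION_GEN_CRL:
                    event.addEventType(CaAuditConstants.TYPE_CMP_genm_genCrl);
                    checkPermission(requestor, PermissionConstants.GEN_CRL);
                    X509CRL tmpCrl = ca.generateCrlOnDemand(msgId);
                    if (tmpCrl == null) {
                        String statusMessage = "CRL generation is not activated";
                        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
                    }
                    respValue = CertificateList.getInstance(tmpCrl.getEncoded());
                    break;
                case XiSecurityConstants.CMP_ACTION_GET_CRL_WITH_SN:
                    event.addEventType(CaAuditConstants.TYPE_CMP_genm_crlForNumber);
                    checkPermission(requestor, PermissionConstants.GET_CRL);
                    ASN1Integer requestedNumber;
                    try {
                        // getInstance(null) yields null, i.e. the optional value was omitted
                        requestedNumber = ASN1Integer.getInstance(reqValue);
                    } catch (IllegalArgumentException ex) {
                        requestedNumber = null;
                    }
                    if (requestedNumber == null) {
                        String statusMessage = "missing or invalid CRL number for XiPKI action code '" + action + "'";
                        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
                    }
                    respValue = ca.getBcCrl(requestedNumber.getPositiveValue());
                    if (respValue == null) {
                        String statusMessage = "no CRL is available";
                        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
                    }
                    break;
                case XiSecurityConstants.CMP_ACTION_GET_CAINFO:
                    event.addEventType(CaAuditConstants.TYPE_CMP_genm_cainfo);
                    // NOTE(review): unlike the other actions, no checkPermission() call guards this
                    // branch; whether getSystemInfo(requestor, ...) enforces access itself is not
                    // visible here - confirm before exposing the responder to untrusted requestors.
                    Set<Integer> acceptVersions = new HashSet<>();
                    if (reqValue != null) {
                        try {
                            ASN1Sequence versions = DERSequence.getInstance(reqValue);
                            for (int i = 0; i < versions.size(); i++) {
                                acceptVersions.add(ASN1Integer.getInstance(versions.getObjectAt(i)).getPositiveValue().intValue());
                            }
                        } catch (IllegalArgumentException ex) {
                            String statusMessage = "invalid list of accepted versions for XiPKI action code '" + action + "'";
                            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
                        }
                    }
                    if (CollectionUtil.isEmpty(acceptVersions)) {
                        // no explicit preference: fall back to version 1 of the system-info format
                        acceptVersions.add(1);
                    }
                    respValue = new DERUTF8String(getSystemInfo(requestor, acceptVersions));
                    break;
                default:
                    String statusMessage = "unsupported XiPKI action code '" + action + "'";
                    return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
            }
            // The response mirrors the request shape: SEQUENCE { action INTEGER, value OPTIONAL }
            ASN1EncodableVector vec = new ASN1EncodableVector();
            vec.add(asn1Code);
            if (respValue != null) {
                vec.add(respValue);
            }
            itvResp = new InfoTypeAndValue(infoType, new DERSequence(vec));
        } else if (ObjectIdentifiers.id_xipki_cmp_cacerts.equals(infoType)) {
            event.addEventType(CaAuditConstants.TYPE_CMP_genm_cacerts);
            CMPCertificate caCert = ca.getCaInfo().getCertInCmpFormat();
            itvResp = new InfoTypeAndValue(infoType, new DERSequence(caCert));
        }
        if (itvResp == null) {
            // KNOWN_GENMSG_IDS admitted an InfoType that none of the branches above serves;
            // answer explicitly rather than wrapping null in a GenRepContent.
            String statusMessage = "unsupported InfoType " + infoType.getId();
            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
        }
        return new PKIBody(PKIBody.TYPE_GEN_REP, new GenRepContent(itvResp));
    } catch (OperationException ex) {
        int failureInfo = getPKiFailureInfo(ex);
        ErrorCode code = ex.getErrorCode();
        String errorMessage;
        switch (code) {
            case DATABASE_FAILURE:
            case SYSTEM_FAILURE:
                // internal failures are reported by name only, so no backend detail reaches the client
                errorMessage = code.name();
                break;
            default:
                errorMessage = code.name() + ": " + ex.getErrorMessage();
                break;
        }
        return buildErrorMsgPkiBody(PKIStatus.rejection, failureInfo, errorMessage);
    } catch (CRLException ex) {
        String statusMessage = "CRLException: " + ex.getMessage();
        return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
    }
}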
Also used : DERUTF8String(org.bouncycastle.asn1.DERUTF8String) PKIBody(org.bouncycastle.asn1.cmp.PKIBody) X509CRL(java.security.cert.X509CRL) Set(java.util.Set) HashSet(java.util.HashSet) GenMsgContent(org.bouncycastle.asn1.cmp.GenMsgContent) GenRepContent(org.bouncycastle.asn1.cmp.GenRepContent) X509Ca(org.xipki.ca.server.impl.X509Ca) CertificateList(org.bouncycastle.asn1.x509.CertificateList) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) DERSequence(org.bouncycastle.asn1.DERSequence) InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) ErrorCode(org.xipki.ca.api.OperationException.ErrorCode) CRLException(java.security.cert.CRLException) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) OperationException(org.xipki.ca.api.OperationException)

Example 3 with CRLNumber

use of com.github.zhenwei.core.asn1.x509.CRLNumber in project xipki by xipki.

the class X509Ca method getBcCrl.

public CertificateList getBcCrl(BigInteger crlNumber) throws OperationException {
    // Loads the CRL with the given CRL number for this CA from the certificate store and
    // decodes it into a Bouncy Castle CertificateList. Returns null when the store holds no
    // such CRL; a decoding failure surfaces as an OperationException with SYSTEM_FAILURE.
    // Every outcome other than a successful decode leaves a "FAILED getCrl" log line.
    LOG.info("     START getCrl: ca={}, crlNumber={}", caIdent, crlNumber);
    CertificateList decoded = null;
    try {
        byte[] encodedCrl = certstore.getEncodedCrl(caIdent, crlNumber);
        if (encodedCrl != null) {
            try {
                decoded = CertificateList.getInstance(encodedCrl);
            } catch (RuntimeException ex) {
                // corrupt or foreign bytes in the store count as a system failure, not a client error
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
            }
            if (LOG.isInfoEnabled()) {
                LOG.info("SUCCESSFUL getCrl: ca={}, thisUpdate={}", caIdent, decoded.getThisUpdate().getTime());
            }
        }
        return decoded;
    } finally {
        if (decoded == null) {
            LOG.info("    FAILED getCrl: ca={}", caIdent);
        }
    }
}
Also used : CertificateList(org.bouncycastle.asn1.x509.CertificateList) OperationException(org.xipki.ca.api.OperationException)

Example 4 with CRLNumber

use of com.github.zhenwei.core.asn1.x509.CRLNumber in project candlepin by candlepin.

the class X509CRLEntryStreamTest method testIterateOverEmptyCrl.

@Test
public void testIterateOverEmptyCrl() throws Exception {
    // A CRL that carries only extensions (AKI and cRLNumber) and no revoked entries must yield
    // zero serials from X509CRLEntryStream. No nextUpdate is set, hence the file's name.
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    AuthorityKeyIdentifier aki = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
    builder.addExtension(Extension.authorityKeyIdentifier, false, aki);
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.valueOf(127)));
    byte[] encodedCrl = builder.build(signer).getEncoded();
    File noUpdateTimeCrl = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(noUpdateTimeCrl, encodedCrl);
    X509CRLEntryStream entryStream = new X509CRLEntryStream(noUpdateTimeCrl);
    try {
        Set<BigInteger> seenSerials = new HashSet<>();
        while (entryStream.hasNext()) {
            seenSerials.add(getSerial(entryStream.next()));
        }
        assertEquals(0, seenSerials.size());
    } finally {
        // the stream is closed explicitly; whether it is AutoCloseable is not known here
        entryStream.close();
    }
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) CRLNumber(org.bouncycastle.asn1.x509.CRLNumber) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) BigInteger(java.math.BigInteger) X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) File(java.io.File) Date(java.util.Date) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 5 with CRLNumber

use of com.github.zhenwei.core.asn1.x509.CRLNumber in project candlepin by candlepin.

the class BouncyCastlePKIUtility method createX509CRL.

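@Override
public X509CRL createX509CRL(List<X509CRLEntryWrapper> entries, BigInteger crlNumber) {
    // Builds and signs a full (non-delta) X.509 v2 CRL for the CA certificate supplied by
    // reader, listing every entry as revoked.
    //   entries   - revoked certificates (serial number + revocation date)
    //   crlNumber - value of the cRLNumber extension; the caller must keep it increasing
    //               between issued CRLs
    // Any failure is rethrown as a RuntimeException carrying the original cause.
    try {
        X509Certificate caCert = reader.getCACert();
        // The CRL issuer is the DN of the entity that signs it (RFC 5280 5.1.2.3), i.e. the CA
        // certificate's *subject*. The CA certificate's issuer DN only coincides with it when
        // the CA certificate is self-signed; otherwise relying parties cannot match the CRL.
        X500Name crlIssuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
        X509v2CRLBuilder generator = new X509v2CRLBuilder(crlIssuer, new Date());
        generator.setNextUpdate(Util.addDaysToDt(config.getInt(ConfigProperties.CRL_NEXT_UPDATE_DELTA)));
        // The wrapper carries no revocation reason, so every entry is marked privilegeWithdrawn.
        for (X509CRLEntryWrapper entry : entries) {
            generator.addCRLEntry(entry.getSerialNumber(), entry.getRevocationDate(), CRLReason.privilegeWithdrawn);
        }
        log.info("Completed adding " + entries.size() + " revoked entries to the CRL.");
        // Non-critical AKI lets relying parties match the CRL to the signing CA key.
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        AuthorityKeyIdentifier aki = extensionUtils.createAuthorityKeyIdentifier(caCert);
        generator.addExtension(Extension.authorityKeyIdentifier, false, aki);
        generator.addExtension(Extension.cRLNumber, false, new CRLNumber(crlNumber));
        // Sign with the CA key; the converter turns the BC holder into a JCA X509CRL.
        ContentSigner signer = new JcaContentSignerBuilder(SIGNATURE_ALGO).setProvider(BC_PROVIDER).build(reader.getCaKey());
        return new JcaX509CRLConverter().getCRL(generator.build(signer));
    } catch (Exception e) {
        // reader/config may declare checked exceptions not visible here, so the boundary stays
        // broad; the cause is kept directly instead of being re-wrapped in an IOException first.
        throw new RuntimeException("Failed to create CRL number " + crlNumber, e);
    }
}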
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) X509CRLEntryWrapper(org.candlepin.pki.X509CRLEntryWrapper) CRLNumber(org.bouncycastle.asn1.x509.CRLNumber) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) GeneralSecurityException(java.security.GeneralSecurityException) IOException(java.io.IOException) JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter) X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
