Example 11 with CRLNumber
use of com.github.zhenwei.core.asn1.x509.CRLNumber in project xipki by xipki.
the class RestResponder method service.
public RestResponse service(String path, AuditEvent event, byte[] request, HttpRequestMetadataRetriever httpRetriever) {
event.setApplicationName(APPNAME);
event.setName(NAME_perf);
event.addEventData(NAME_req_type, RequestType.REST.name());
String msgId = RandomUtil.nextHexLong();
event.addEventData(NAME_mid, msgId);
AuditLevel auditLevel = AuditLevel.INFO;
AuditStatus auditStatus = AuditStatus.SUCCESSFUL;
String auditMessage = null;
try {
if (responderManager == null) {
String message = "responderManager in servlet not configured";
LOG.error(message);
throw new HttpRespAuditException(INTERNAL_SERVER_ERROR, message, ERROR, FAILED);
}
String caName = null;
String command = null;
X509Ca ca = null;
if (path.length() > 1) {
// the first char is always '/'
String coreUri = path;
int sepIndex = coreUri.indexOf('/', 1);
if (sepIndex == -1 || sepIndex == coreUri.length() - 1) {
String message = "invalid path " + path;
LOG.error(message);
throw new HttpRespAuditException(NOT_FOUND, message, ERROR, FAILED);
}
// skip also the first char ('/')
String caAlias = coreUri.substring(1, sepIndex).toLowerCase();
command = coreUri.substring(sepIndex + 1).toLowerCase();
caName = responderManager.getCaNameForAlias(caAlias);
if (caName == null) {
caName = caAlias;
}
CmpResponder caResponder = responderManager.getX509CaResponder(caName);
if (caResponder != null) {
ca = caResponder.getCa();
}
}
if (StringUtil.isBlank(command)) {
String message = "command is not specified";
LOG.warn(message);
throw new HttpRespAuditException(NOT_FOUND, message, INFO, FAILED);
}
if (ca == null || !ca.getCaInfo().supportsRest() || ca.getCaInfo().getStatus() != CaStatus.ACTIVE) {
String message;
if (ca == null) {
message = "unknown CA '" + caName + "'";
} else if (!ca.getCaInfo().supportsRest()) {
message = "REST is not supported by the CA '" + caName + "'";
} else {
message = "CA '" + caName + "' is out of service";
}
LOG.warn(message);
throw new HttpRespAuditException(NOT_FOUND, message, INFO, FAILED);
}
event.addEventData(NAME_ca, ca.getCaIdent().getName());
event.addEventType(command);
RequestorInfo requestor;
// Retrieve the user:password
String hdrValue = httpRetriever.getHeader("Authorization");
if (hdrValue != null && hdrValue.startsWith("Basic ")) {
String user = null;
byte[] password = null;
if (hdrValue.length() > 6) {
String b64 = hdrValue.substring(6);
byte[] userPwd = Base64.decodeFast(b64);
int idx = -1;
for (int i = 0; i < userPwd.length; i++) {
if (userPwd[i] == ':') {
idx = i;
break;
}
}
if (idx != -1 && idx < userPwd.length - 1) {
user = StringUtil.toUtf8String(Arrays.copyOfRange(userPwd, 0, idx));
password = Arrays.copyOfRange(userPwd, idx + 1, userPwd.length);
}
}
if (user == null) {
throw new HttpRespAuditException(UNAUTHORIZED, "invalid Authorization information", INFO, FAILED);
}
NameId userIdent = ca.authenticateUser(user, password);
if (userIdent == null) {
throw new HttpRespAuditException(UNAUTHORIZED, "could not authenticate user", INFO, FAILED);
}
requestor = ca.getByUserRequestor(userIdent);
} else {
X509Cert clientCert = httpRetriever.getTlsClientCert();
if (clientCert == null) {
throw new HttpRespAuditException(UNAUTHORIZED, "no client certificate", INFO, FAILED);
}
requestor = ca.getRequestor(clientCert);
}
if (requestor == null) {
throw new OperationException(NOT_PERMITTED, "no requestor specified");
}
event.addEventData(NAME_requestor, requestor.getIdent().getName());
String respCt = null;
byte[] respBytes = null;
switch(command) {
case CMD_cacert:
{
respCt = CT_pkix_cert;
respBytes = ca.getCaInfo().getCert().getEncoded();
break;
}
case CMD_pop_dh_certs:
{
PopControl control = responderManager.getX509Ca(caName).getCaInfo().getPopControl();
respBytes = new byte[0];
if (control != null) {
X509Cert[] dhCerts = control.getDhCertificates();
if (dhCerts != null) {
respCt = CT_pem_file;
respBytes = StringUtil.toUtf8Bytes(X509Util.encodeCertificates(dhCerts));
}
}
break;
}
case CMD_cacertchain:
{
respCt = CT_pem_file;
List<X509Cert> certchain = ca.getCaInfo().getCertchain();
int size = 1 + (certchain == null ? 0 : certchain.size());
X509Cert[] certchainWithCaCert = new X509Cert[size];
certchainWithCaCert[0] = ca.getCaInfo().getCert();
if (size > 1) {
for (int i = 1; i < size; i++) {
certchainWithCaCert[i] = certchain.get(i - 1);
}
}
respBytes = StringUtil.toUtf8Bytes(X509Util.encodeCertificates(certchainWithCaCert));
break;
}
case CMD_enroll_cert:
case CMD_enroll_cert_cagenkeypair:
{
String profile = httpRetriever.getParameter(PARAM_profile);
if (StringUtil.isBlank(profile)) {
throw new HttpRespAuditException(BAD_REQUEST, "required parameter " + PARAM_profile + " not specified", INFO, FAILED);
}
profile = profile.toLowerCase();
try {
requestor.assertPermitted(PermissionConstants.ENROLL_CERT);
} catch (InsufficientPermissionException ex) {
throw new OperationException(NOT_PERMITTED, ex.getMessage());
}
if (!requestor.isCertprofilePermitted(profile)) {
throw new OperationException(NOT_PERMITTED, "certprofile " + profile + " is not allowed");
}
String strNotBefore = httpRetriever.getParameter(PARAM_not_before);
Date notBefore = (strNotBefore == null) ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(strNotBefore);
String strNotAfter = httpRetriever.getParameter(PARAM_not_after);
Date notAfter = (strNotAfter == null) ? null : DateUtil.parseUtcTimeyyyyMMddhhmmss(strNotAfter);
if (CMD_enroll_cert_cagenkeypair.equals(command)) {
String ct = httpRetriever.getHeader("Content-Type");
X500Name subject;
Extensions extensions;
if (ct.startsWith("text/plain")) {
Properties props = new Properties();
props.load(new ByteArrayInputStream(request));
String strSubject = props.getProperty("subject");
if (strSubject == null) {
throw new OperationException(BAD_CERT_TEMPLATE, "subject is not specified");
}
try {
subject = new X500Name(strSubject);
} catch (Exception ex) {
throw new OperationException(BAD_CERT_TEMPLATE, "invalid subject");
}
extensions = null;
} else if (CT_pkcs10.equalsIgnoreCase(ct)) {
// some clients may send the PEM encoded CSR.
request = X509Util.toDerEncoded(request);
// The PKCS#10 will only be used for transport of subject and extensions.
// The associated key will not be used, so the verification of POP is skipped.
CertificationRequestInfo certTemp = CertificationRequest.getInstance(request).getCertificationRequestInfo();
subject = certTemp.getSubject();
extensions = CaUtil.getExtensions(certTemp);
} else {
String message = "unsupported media type " + ct;
throw new HttpRespAuditException(UNSUPPORTED_MEDIA_TYPE, message, INFO, FAILED);
}
CertTemplateData certTemplate = new CertTemplateData(subject, null, notBefore, notAfter, extensions, profile, null, true);
CertificateInfo certInfo = ca.generateCert(certTemplate, requestor, RequestType.REST, null, msgId);
if (ca.getCaInfo().isSaveRequest()) {
long dbId = ca.addRequest(request);
ca.addRequestCert(dbId, certInfo.getCert().getCertId());
}
respCt = CT_pem_file;
byte[] keyBytes = PemEncoder.encode(certInfo.getPrivateKey().getEncoded(), PemLabel.PRIVATE_KEY);
byte[] certBytes = PemEncoder.encode(certInfo.getCert().getCert().getEncoded(), PemLabel.CERTIFICATE);
respBytes = new byte[keyBytes.length + 2 + certBytes.length];
System.arraycopy(keyBytes, 0, respBytes, 0, keyBytes.length);
respBytes[keyBytes.length] = '\r';
respBytes[keyBytes.length + 1] = '\n';
System.arraycopy(certBytes, 0, respBytes, keyBytes.length + 2, certBytes.length);
} else {
String ct = httpRetriever.getHeader("Content-Type");
if (!CT_pkcs10.equalsIgnoreCase(ct)) {
String message = "unsupported media type " + ct;
throw new HttpRespAuditException(UNSUPPORTED_MEDIA_TYPE, message, INFO, FAILED);
}
CertificationRequest csr = CertificationRequest.getInstance(request);
if (!ca.verifyCsr(csr)) {
throw new OperationException(BAD_POP);
}
CertificationRequestInfo certTemp = csr.getCertificationRequestInfo();
X500Name subject = certTemp.getSubject();
SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo();
Extensions extensions = CaUtil.getExtensions(certTemp);
CertTemplateData certTemplate = new CertTemplateData(subject, publicKeyInfo, notBefore, notAfter, extensions, profile);
CertificateInfo certInfo = ca.generateCert(certTemplate, requestor, RequestType.REST, null, msgId);
if (ca.getCaInfo().isSaveRequest()) {
long dbId = ca.addRequest(request);
ca.addRequestCert(dbId, certInfo.getCert().getCertId());
}
CertWithDbId cert = certInfo.getCert();
if (cert == null) {
String message = "could not generate certificate";
LOG.warn(message);
throw new HttpRespAuditException(INTERNAL_SERVER_ERROR, message, INFO, FAILED);
}
respCt = CT_pkix_cert;
respBytes = cert.getCert().getEncoded();
}
break;
}
case CMD_revoke_cert:
case CMD_delete_cert:
{
int permission;
if (CMD_revoke_cert.equals(command)) {
permission = PermissionConstants.REVOKE_CERT;
} else {
permission = PermissionConstants.REMOVE_CERT;
}
try {
requestor.assertPermitted(permission);
} catch (InsufficientPermissionException ex) {
throw new OperationException(NOT_PERMITTED, ex.getMessage());
}
String strCaSha1 = httpRetriever.getParameter(PARAM_ca_sha1);
if (StringUtil.isBlank(strCaSha1)) {
throw new HttpRespAuditException(BAD_REQUEST, "required parameter " + PARAM_ca_sha1 + " not specified", INFO, FAILED);
}
String strSerialNumber = httpRetriever.getParameter(PARAM_serial_number);
if (StringUtil.isBlank(strSerialNumber)) {
throw new HttpRespAuditException(BAD_REQUEST, "required parameter " + PARAM_serial_number + " not specified", INFO, FAILED);
}
if (!strCaSha1.equalsIgnoreCase(ca.getHexSha1OfCert())) {
throw new HttpRespAuditException(BAD_REQUEST, "unknown " + PARAM_ca_sha1, INFO, FAILED);
}
BigInteger serialNumber;
try {
serialNumber = toBigInt(strSerialNumber);
} catch (NumberFormatException ex) {
throw new OperationException(ErrorCode.BAD_REQUEST, ex.getMessage());
}
if (CMD_revoke_cert.equals(command)) {
String strReason = httpRetriever.getParameter(PARAM_reason);
CrlReason reason = (strReason == null) ? CrlReason.UNSPECIFIED : CrlReason.forNameOrText(strReason);
if (reason == CrlReason.REMOVE_FROM_CRL) {
ca.unrevokeCert(serialNumber, msgId);
} else {
Date invalidityTime = null;
String strInvalidityTime = httpRetriever.getParameter(PARAM_invalidity_time);
if (StringUtil.isNotBlank(strInvalidityTime)) {
invalidityTime = DateUtil.parseUtcTimeyyyyMMddhhmmss(strInvalidityTime);
}
ca.revokeCert(serialNumber, reason, invalidityTime, msgId);
}
} else {
// if (CMD_delete_cert.equals(command)) {
ca.removeCert(serialNumber, msgId);
}
break;
}
case CMD_crl:
{
try {
requestor.assertPermitted(PermissionConstants.GET_CRL);
} catch (InsufficientPermissionException ex) {
throw new OperationException(NOT_PERMITTED, ex.getMessage());
}
String strCrlNumber = httpRetriever.getParameter(PARAM_crl_number);
BigInteger crlNumber = null;
if (StringUtil.isNotBlank(strCrlNumber)) {
try {
crlNumber = toBigInt(strCrlNumber);
} catch (NumberFormatException ex) {
String message = "invalid crlNumber '" + strCrlNumber + "'";
LOG.warn(message);
throw new HttpRespAuditException(BAD_REQUEST, message, INFO, FAILED);
}
}
X509CRLHolder crl = ca.getCrl(crlNumber, msgId);
if (crl == null) {
String message = "could not get CRL";
LOG.warn(message);
throw new HttpRespAuditException(INTERNAL_SERVER_ERROR, message, INFO, FAILED);
}
respCt = CT_pkix_crl;
respBytes = crl.getEncoded();
break;
}
case CMD_new_crl:
{
try {
requestor.assertPermitted(PermissionConstants.GEN_CRL);
} catch (InsufficientPermissionException ex) {
throw new OperationException(NOT_PERMITTED, ex.getMessage());
}
X509CRLHolder crl = ca.generateCrlOnDemand(msgId);
respCt = CT_pkix_crl;
respBytes = crl.getEncoded();
break;
}
default:
{
String message = "invalid command '" + command + "'";
LOG.error(message);
throw new HttpRespAuditException(NOT_FOUND, message, INFO, FAILED);
}
}
Map<String, String> headers = new HashMap<>();
headers.put(HEADER_PKISTATUS, PKISTATUS_accepted);
return new RestResponse(OK, respCt, headers, respBytes);
} catch (OperationException ex) {
ErrorCode code = ex.getErrorCode();
if (LOG.isWarnEnabled()) {
String msg = StringUtil.concat("generate certificate, OperationException: code=", code.name(), ", message=", ex.getErrorMessage());
LogUtil.warn(LOG, ex, msg);
}
int sc;
String failureInfo;
switch(code) {
case ALREADY_ISSUED:
sc = BAD_REQUEST;
failureInfo = FAILINFO_badRequest;
break;
case BAD_CERT_TEMPLATE:
sc = BAD_REQUEST;
failureInfo = FAILINFO_badCertTemplate;
break;
case BAD_REQUEST:
sc = BAD_REQUEST;
failureInfo = FAILINFO_badRequest;
break;
case CERT_REVOKED:
sc = CONFLICT;
failureInfo = FAILINFO_certRevoked;
break;
case CRL_FAILURE:
sc = INTERNAL_SERVER_ERROR;
failureInfo = FAILINFO_systemFailure;
break;
case DATABASE_FAILURE:
sc = INTERNAL_SERVER_ERROR;
failureInfo = FAILINFO_systemFailure;
break;
case NOT_PERMITTED:
sc = UNAUTHORIZED;
failureInfo = FAILINFO_notAuthorized;
break;
case INVALID_EXTENSION:
sc = BAD_REQUEST;
failureInfo = FAILINFO_badRequest;
break;
case SYSTEM_FAILURE:
sc = INTERNAL_SERVER_ERROR;
failureInfo = FAILINFO_systemFailure;
break;
case SYSTEM_UNAVAILABLE:
sc = SERVICE_UNAVAILABLE;
failureInfo = FAILINFO_systemUnavail;
break;
case UNKNOWN_CERT:
sc = BAD_REQUEST;
failureInfo = FAILINFO_badCertId;
break;
case UNKNOWN_CERT_PROFILE:
sc = BAD_REQUEST;
failureInfo = FAILINFO_badCertTemplate;
break;
default:
sc = INTERNAL_SERVER_ERROR;
failureInfo = FAILINFO_systemFailure;
break;
}
// end switch (code)
event.setStatus(AuditStatus.FAILED);
event.addEventData(NAME_message, code.name());
switch(code) {
case DATABASE_FAILURE:
case SYSTEM_FAILURE:
auditMessage = code.name();
break;
default:
auditMessage = code.name() + ": " + ex.getErrorMessage();
break;
}
// end switch code
Map<String, String> headers = new HashMap<>();
headers.put(HEADER_PKISTATUS, PKISTATUS_rejection);
if (StringUtil.isNotBlank(failureInfo)) {
headers.put(HEADER_failInfo, failureInfo);
}
return new RestResponse(sc, null, headers, null);
} catch (HttpRespAuditException ex) {
auditStatus = ex.getAuditStatus();
auditLevel = ex.getAuditLevel();
auditMessage = ex.getAuditMessage();
return new RestResponse(ex.getHttpStatus(), null, null, null);
} catch (Throwable th) {
if (th instanceof EOFException) {
LogUtil.warn(LOG, th, "connection reset by peer");
} else {
LOG.error("Throwable thrown, this should not happen!", th);
}
auditLevel = AuditLevel.ERROR;
auditStatus = AuditStatus.FAILED;
auditMessage = "internal error";
return new RestResponse(INTERNAL_SERVER_ERROR, null, null, null);
} finally {
event.setStatus(auditStatus);
event.setLevel(auditLevel);
if (auditMessage != null) {
event.addEventData(NAME_message, auditMessage);
}
}
}
Also used :
CertificationRequestInfo(org.bouncycastle.asn1.pkcs.CertificationRequestInfo)
X500Name(org.bouncycastle.asn1.x500.X500Name)
Extensions(org.bouncycastle.asn1.x509.Extensions)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
X509Cert(org.xipki.security.X509Cert)
EOFException(java.io.EOFException)
CrlReason(org.xipki.security.CrlReason)
CmpResponder(org.xipki.ca.server.cmp.CmpResponder)
AuditLevel(org.xipki.audit.AuditLevel)
EOFException(java.io.EOFException)
AuditStatus(org.xipki.audit.AuditStatus)
ByteArrayInputStream(java.io.ByteArrayInputStream)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
BigInteger(java.math.BigInteger)
ErrorCode(org.xipki.ca.api.OperationException.ErrorCode)
RequestorInfo(org.xipki.ca.api.mgmt.RequestorInfo)
CertificationRequest(org.bouncycastle.asn1.pkcs.CertificationRequest)
PopControl(org.xipki.ca.api.mgmt.PopControl)
Example 12 with CRLNumber
use of com.github.zhenwei.core.asn1.x509.CRLNumber in project LinLong-Java by zhenwei1108.
the class X509CRLObject method toString.
/**
* Returns a string representation of this CRL.
*
* @return a string representation of this CRL.
*/
public String toString() {
StringBuffer buf = new StringBuffer();
String nl = Strings.lineSeparator();
buf.append(" Version: ").append(this.getVersion()).append(nl);
buf.append(" IssuerDN: ").append(this.getIssuerDN()).append(nl);
buf.append(" This update: ").append(this.getThisUpdate()).append(nl);
buf.append(" Next update: ").append(this.getNextUpdate()).append(nl);
buf.append(" Signature Algorithm: ").append(this.getSigAlgName()).append(nl);
byte[] sig = this.getSignature();
buf.append(" Signature: ").append(new String(Hex.encode(sig, 0, 20))).append(nl);
for (int i = 20; i < sig.length; i += 20) {
if (i < sig.length - 20) {
buf.append(" ").append(new String(Hex.encode(sig, i, 20))).append(nl);
} else {
buf.append(" ").append(new String(Hex.encode(sig, i, sig.length - i))).append(nl);
}
}
Extensions extensions = c.getTBSCertList().getExtensions();
if (extensions != null) {
Enumeration e = extensions.oids();
if (e.hasMoreElements()) {
buf.append(" Extensions: ").append(nl);
}
while (e.hasMoreElements()) {
ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) e.nextElement();
Extension ext = extensions.getExtension(oid);
if (ext.getExtnValue() != null) {
byte[] octs = ext.getExtnValue().getOctets();
ASN1InputStream dIn = new ASN1InputStream(octs);
buf.append(" critical(").append(ext.isCritical()).append(") ");
try {
if (oid.equals(Extension.cRLNumber)) {
buf.append(new CRLNumber(ASN1Integer.getInstance(dIn.readObject()).getPositiveValue())).append(nl);
} else if (oid.equals(Extension.deltaCRLIndicator)) {
buf.append("Base CRL: " + new CRLNumber(ASN1Integer.getInstance(dIn.readObject()).getPositiveValue())).append(nl);
} else if (oid.equals(Extension.issuingDistributionPoint)) {
buf.append(IssuingDistributionPoint.getInstance(dIn.readObject())).append(nl);
} else if (oid.equals(Extension.cRLDistributionPoints)) {
buf.append(CRLDistPoint.getInstance(dIn.readObject())).append(nl);
} else if (oid.equals(Extension.freshestCRL)) {
buf.append(CRLDistPoint.getInstance(dIn.readObject())).append(nl);
} else {
buf.append(oid.getId());
buf.append(" value = ").append(ASN1Dump.dumpAsString(dIn.readObject())).append(nl);
}
} catch (Exception ex) {
buf.append(oid.getId());
buf.append(" value = ").append("*****").append(nl);
}
} else {
buf.append(nl);
}
}
}
Set set = getRevokedCertificates();
if (set != null) {
Iterator it = set.iterator();
while (it.hasNext()) {
buf.append(it.next());
buf.append(nl);
}
}
return buf.toString();
}
Also used :
ASN1InputStream(com.github.zhenwei.core.asn1.ASN1InputStream)
Enumeration(java.util.Enumeration)
HashSet(java.util.HashSet)
Set(java.util.Set)
CRLNumber(com.github.zhenwei.core.asn1.x509.CRLNumber)
ASN1OctetString(com.github.zhenwei.core.asn1.ASN1OctetString)
Extensions(com.github.zhenwei.core.asn1.x509.Extensions)
IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint)
SignatureException(java.security.SignatureException)
IOException(java.io.IOException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
CRLException(java.security.cert.CRLException)
NoSuchProviderException(java.security.NoSuchProviderException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
Extension(com.github.zhenwei.core.asn1.x509.Extension)
Iterator(java.util.Iterator)
ASN1ObjectIdentifier(com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)
Example 13 with CRLNumber
use of com.github.zhenwei.core.asn1.x509.CRLNumber in project LinLong-Java by zhenwei1108.
the class X509CRLImpl method toString.
/**
* Returns a string representation of this CRL.
*
* @return a string representation of this CRL.
*/
public String toString() {
StringBuffer buf = new StringBuffer();
String nl = Strings.lineSeparator();
buf.append(" Version: ").append(this.getVersion()).append(nl);
buf.append(" IssuerDN: ").append(this.getIssuerDN()).append(nl);
buf.append(" This update: ").append(this.getThisUpdate()).append(nl);
buf.append(" Next update: ").append(this.getNextUpdate()).append(nl);
buf.append(" Signature Algorithm: ").append(this.getSigAlgName()).append(nl);
X509SignatureUtil.prettyPrintSignature(this.getSignature(), buf, nl);
Extensions extensions = c.getTBSCertList().getExtensions();
if (extensions != null) {
Enumeration e = extensions.oids();
if (e.hasMoreElements()) {
buf.append(" Extensions: ").append(nl);
}
while (e.hasMoreElements()) {
ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) e.nextElement();
Extension ext = extensions.getExtension(oid);
if (ext.getExtnValue() != null) {
byte[] octs = ext.getExtnValue().getOctets();
ASN1InputStream dIn = new ASN1InputStream(octs);
buf.append(" critical(").append(ext.isCritical()).append(") ");
try {
if (oid.equals(Extension.cRLNumber)) {
buf.append(new CRLNumber(ASN1Integer.getInstance(dIn.readObject()).getPositiveValue())).append(nl);
} else if (oid.equals(Extension.deltaCRLIndicator)) {
buf.append("Base CRL: " + new CRLNumber(ASN1Integer.getInstance(dIn.readObject()).getPositiveValue())).append(nl);
} else if (oid.equals(Extension.issuingDistributionPoint)) {
buf.append(IssuingDistributionPoint.getInstance(dIn.readObject())).append(nl);
} else if (oid.equals(Extension.cRLDistributionPoints)) {
buf.append(CRLDistPoint.getInstance(dIn.readObject())).append(nl);
} else if (oid.equals(Extension.freshestCRL)) {
buf.append(CRLDistPoint.getInstance(dIn.readObject())).append(nl);
} else {
buf.append(oid.getId());
buf.append(" value = ").append(ASN1Dump.dumpAsString(dIn.readObject())).append(nl);
}
} catch (Exception ex) {
buf.append(oid.getId());
buf.append(" value = ").append("*****").append(nl);
}
} else {
buf.append(nl);
}
}
}
Set set = getRevokedCertificates();
if (set != null) {
Iterator it = set.iterator();
while (it.hasNext()) {
buf.append(it.next());
buf.append(nl);
}
}
return buf.toString();
}
Also used :
Extension(com.github.zhenwei.core.asn1.x509.Extension)
ASN1InputStream(com.github.zhenwei.core.asn1.ASN1InputStream)
Enumeration(java.util.Enumeration)
Set(java.util.Set)
HashSet(java.util.HashSet)
CRLNumber(com.github.zhenwei.core.asn1.x509.CRLNumber)
Iterator(java.util.Iterator)
ASN1OctetString(com.github.zhenwei.core.asn1.ASN1OctetString)
DERBitString(com.github.zhenwei.core.asn1.DERBitString)
Extensions(com.github.zhenwei.core.asn1.x509.Extensions)
ASN1ObjectIdentifier(com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)
SignatureException(java.security.SignatureException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
CRLException(java.security.cert.CRLException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
IOException(java.io.IOException)
NoSuchProviderException(java.security.NoSuchProviderException)
Example 14 with CRLNumber
use of com.github.zhenwei.core.asn1.x509.CRLNumber in project module-ballerina-http by ballerina-platform.
the class CRLVerifierTest method createCRL.
/**
* Creates a fake CRL for the fake CA. The fake certificate with the given revokedSerialNumber will be marked
* as Revoked in the returned CRL.
*
* @param caCert Fake CA certificate.
* @param caPrivateKey Private key of the fake CA.
* @param revokedSerialNumber Serial number of the fake peer certificate made to be marked as revoked.
* @return Created fake CRL
* @throws Exception
*/
private static X509CRL createCRL(X509Certificate caCert, PrivateKey caPrivateKey, BigInteger revokedSerialNumber) throws Exception {
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
Date now = new Date();
X500Name issuer = X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(caCert).getEncoded());
X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
builder.addCRLEntry(revokedSerialNumber, new Date(), 9);
builder.setNextUpdate(new Date(now.getTime() + TestConstants.NEXT_UPDATE_PERIOD));
builder.addExtension(new ASN1ObjectIdentifier(TestConstants.CRL_DISTRIBUTION_POINT_EXTENSION), false, extUtils.createAuthorityKeyIdentifier(caCert));
builder.addExtension(new ASN1ObjectIdentifier("2.5.29.20"), false, new CRLNumber(BigInteger.valueOf(1)));
JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
contentSignerBuilder.setProvider(Constants.BOUNCY_CASTLE_PROVIDER);
X509CRLHolder cRLHolder = builder.build(contentSignerBuilder.build(caPrivateKey));
JcaX509CRLConverter converter = new JcaX509CRLConverter();
converter.setProvider(Constants.BOUNCY_CASTLE_PROVIDER);
return converter.getCRL(cRLHolder);
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter)
CRLNumber(org.bouncycastle.asn1.x509.CRLNumber)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
X500Name(org.bouncycastle.asn1.x500.X500Name)
Date(java.util.Date)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 15 with CRLNumber
use of com.github.zhenwei.core.asn1.x509.CRLNumber in project qpid-broker-j by apache.
the class TlsResourceBuilder method createCertificateRevocationList.
static X509CRL createCertificateRevocationList(final KeyCertificatePair ca, X509Certificate... certificate) throws CRLException {
try {
final X500Name issuerName = X500Name.getInstance(RFC4519Style.INSTANCE, ca.getCertificate().getSubjectX500Principal().getEncoded());
final Instant nextUpdate = Instant.now().plus(10, ChronoUnit.DAYS);
final Date now = new Date();
final X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerName, now);
crlBuilder.setNextUpdate(new Date(nextUpdate.toEpochMilli()));
for (X509Certificate c : certificate) {
crlBuilder.addCRLEntry(c.getSerialNumber(), now, CRLReason.privilegeWithdrawn);
}
crlBuilder.addExtension(createAuthorityKeyExtension(ca.getCertificate().getPublicKey()));
crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(generateSerialNumber()));
final ContentSigner contentSigner = createContentSigner(ca.getPrivateKey());
final X509CRLHolder crl = crlBuilder.build(contentSigner);
return new JcaX509CRLConverter().getCRL(crl);
} catch (OperatorException | IOException | CertificateException e) {
throw new CRLException(e);
}
}
Also used :
CRLNumber(org.bouncycastle.asn1.x509.CRLNumber)
Instant(java.time.Instant)
ContentSigner(org.bouncycastle.operator.ContentSigner)
CertificateException(java.security.cert.CertificateException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
IOException(java.io.IOException)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
CRLException(java.security.cert.CRLException)
OperatorException(org.bouncycastle.operator.OperatorException)
Aggregations
CRLNumber (org.bouncycastle.asn1.x509.CRLNumber)18
BigInteger (java.math.BigInteger)15
X509v2CRLBuilder (org.bouncycastle.cert.X509v2CRLBuilder)13
Date (java.util.Date)12
X509CRLHolder (org.bouncycastle.cert.X509CRLHolder)12
CRLException (java.security.cert.CRLException)11
JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)11
HashSet (java.util.HashSet)10
IOException (java.io.IOException)8
X509CRL (java.security.cert.X509CRL)8
JcaX509CRLConverter (org.bouncycastle.cert.jcajce.JcaX509CRLConverter)8
X500Name (org.bouncycastle.asn1.x500.X500Name)7
AuthorityKeyIdentifier (org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)7
Enumeration (java.util.Enumeration)6
Set (java.util.Set)6
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)6
File (java.io.File)5
InvalidKeyException (java.security.InvalidKeyException)5
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)5
NoSuchProviderException (java.security.NoSuchProviderException)5
