Search in sources :

Example 26 with CRLNumber

use of com.github.zhenwei.core.asn1.x509.CRLNumber in project candlepin by candlepin.

the class X509CRLEntryStreamTest method testCRLwithoutUpdateTime.

@Test
public void testCRLwithoutUpdateTime() throws Exception {
    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
    AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
    crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
    crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    crlBuilder.addCRLEntry(new BigInteger("100"), new Date(), CRLReason.unspecified);
    X509CRLHolder holder = crlBuilder.build(signer);
    File noUpdateTimeCrl = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(noUpdateTimeCrl, holder.getEncoded());
    X509CRLEntryStream stream = new X509CRLEntryStream(noUpdateTimeCrl);
    try {
        Set<BigInteger> streamedSerials = new HashSet<>();
        while (stream.hasNext()) {
            streamedSerials.add(getSerial(stream.next()));
        }
        assertEquals(1, streamedSerials.size());
        assertTrue(streamedSerials.contains(new BigInteger("100")));
    } finally {
        stream.close();
    }
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) CRLNumber(org.bouncycastle.asn1.x509.CRLNumber) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) BigInteger(java.math.BigInteger) X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) File(java.io.File) Date(java.util.Date) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 27 with CRLNumber

use of com.github.zhenwei.core.asn1.x509.CRLNumber in project certmgr by hdecarne.

the class X509CRLHelper method generateCRL.

/**
 * Generate a CRL object.
 *
 * @param currentCRL The current CRL object in case of an update (may be {@code null}).
 * @param lastUpdate The last update timestamp to set.
 * @param nextUpdate The next update timestamp to set (may be {@code null}).
 * @param revokeEntries The revoked entries.
 * @param issuerDN The CRL issuer's DN.
 * @param issuerKey The CRL issuer's key pair.
 * @param signatureAlgorithm The signature algorithm to use for signing.
 * @return The generated CRL object.
 * @throws IOException if an error occurs during generation.
 */
public static X509CRL generateCRL(@Nullable X509CRL currentCRL, Date lastUpdate, @Nullable Date nextUpdate, Map<BigInteger, ReasonFlag> revokeEntries, X500Principal issuerDN, KeyPair issuerKey, SignatureAlgorithm signatureAlgorithm) throws IOException {
    LOG.info("CRL generation ''{0}'' started...", issuerDN);
    // Initialize CRL builder
    JcaX509v2CRLBuilder crlBuilder = new JcaX509v2CRLBuilder(issuerDN, lastUpdate);
    if (nextUpdate != null) {
        crlBuilder.setNextUpdate(nextUpdate);
    }
    for (Map.Entry<BigInteger, ReasonFlag> revokeEntry : revokeEntries.entrySet()) {
        crlBuilder.addCRLEntry(revokeEntry.getKey(), lastUpdate, revokeEntry.getValue().value());
    }
    X509CRL crl;
    try {
        // Add extensions
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerKey.getPublic()));
        BigInteger nextCRLNumber = getNextCRLNumber(currentCRL);
        crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(nextCRLNumber));
        // Sign and create CRL object
        ContentSigner crlSigner = new JcaContentSignerBuilder(signatureAlgorithm.algorithm()).build(issuerKey.getPrivate());
        crl = new JcaX509CRLConverter().getCRL(crlBuilder.build(crlSigner));
    } catch (GeneralSecurityException | OperatorCreationException e) {
        throw new CertProviderException(e);
    }
    LOG.info("CRT generation ''{0}'' done", issuerDN);
    return crl;
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) X509CRL(java.security.cert.X509CRL) CRLNumber(org.bouncycastle.asn1.x509.CRLNumber) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) GeneralSecurityException(java.security.GeneralSecurityException) ContentSigner(org.bouncycastle.operator.ContentSigner) JcaX509v2CRLBuilder(org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder) CertProviderException(de.carne.certmgr.certs.CertProviderException) JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter) BigInteger(java.math.BigInteger) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) Map(java.util.Map)

Example 28 with CRLNumber

use of com.github.zhenwei.core.asn1.x509.CRLNumber in project xipki by xipki.

the class CertStore method addCrl.

// method getThisUpdateOfCurrentCrl
public void addCrl(NameId ca, X509CRLHolder crl) throws OperationException, CRLException {
    notNulls(ca, "ca", crl, "crl");
    Extensions extns = crl.getExtensions();
    byte[] extnValue = X509Util.getCoreExtValue(extns, Extension.cRLNumber);
    Long crlNumber = (extnValue == null) ? null : ASN1Integer.getInstance(extnValue).getPositiveValue().longValue();
    extnValue = X509Util.getCoreExtValue(extns, Extension.deltaCRLIndicator);
    Long baseCrlNumber = null;
    if (extnValue != null) {
        baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue().longValue();
    }
    int currentMaxCrlId = (int) getMax("CRL", "ID");
    int crlId = Math.max(cachedCrlId.get(), currentMaxCrlId) + 1;
    cachedCrlId.set(crlId);
    byte[] encodedCrl;
    try {
        encodedCrl = crl.getEncoded();
    } catch (IOException ex) {
        throw new CRLException(ex.getMessage(), ex);
    }
    boolean withSha1Column = dbSchemaVersion >= 7;
    String b64Sha1 = withSha1Column ? HashAlgo.SHA1.base64Hash(encodedCrl) : null;
    String b64Crl = Base64.encodeToString(encodedCrl);
    List<SqlColumn2> columns = new ArrayList<>(10);
    columns.add(col2Int(crlId));
    columns.add(col2Int(ca.getId()));
    columns.add(col2Long(crlNumber));
    columns.add(col2Long(crl.getThisUpdate().getTime() / 1000));
    columns.add(col2Long(getDateSeconds(crl.getNextUpdate())));
    columns.add(col2Bool((baseCrlNumber != null)));
    columns.add(col2Long(baseCrlNumber));
    // in this version we set CRL_SCOPE to fixed value 0
    columns.add(col2Int(0));
    if (withSha1Column) {
        columns.add(col2Str(b64Sha1));
    }
    columns.add(col2Str(b64Crl));
    execUpdatePrepStmt0(SQL_ADD_CRL, columns.toArray(new SqlColumn2[0]));
}
Also used : IOException(java.io.IOException) Extensions(org.bouncycastle.asn1.x509.Extensions) CRLException(java.security.cert.CRLException)

Example 29 with CRLNumber

use of com.github.zhenwei.core.asn1.x509.CRLNumber in project zookeeper by apache.

the class QuorumSSLTest method buildCRL.

private void buildCRL(X509Certificate x509Certificate, String crlPath) throws Exception {
    X509v2CRLBuilder builder = new JcaX509v2CRLBuilder(x509Certificate.getIssuerX500Principal(), certStartTime);
    builder.addCRLEntry(x509Certificate.getSerialNumber(), certStartTime, CRLReason.cACompromise);
    builder.setNextUpdate(certEndTime);
    builder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(rootCertificate));
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("1000")));
    X509CRLHolder cRLHolder = builder.build(contentSigner);
    PemWriter pemWriter = new PemWriter(new FileWriter(crlPath));
    pemWriter.writeObject(new MiscPEMGenerator(cRLHolder));
    pemWriter.flush();
    pemWriter.close();
}
Also used : MiscPEMGenerator(org.bouncycastle.openssl.MiscPEMGenerator) JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) PemWriter(org.bouncycastle.util.io.pem.PemWriter) CRLNumber(org.bouncycastle.asn1.x509.CRLNumber) FileWriter(java.io.FileWriter) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) BigInteger(java.math.BigInteger) JcaX509v2CRLBuilder(org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder) X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder) JcaX509v2CRLBuilder(org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder)

Example 30 with CRLNumber

use of com.github.zhenwei.core.asn1.x509.CRLNumber in project wso2-synapse by wso2.

the class CRLVerifierTest method createCRL.

/**
 * Creates a fake CRL for the fake CA. The fake certificate with the given revokedSerialNumber will be marked
 * as Revoked in the returned CRL.
 * @param caCert the fake CA certificate.
 * @param caPrivateKey private key of the fake CA.
 * @param revokedSerialNumber the serial number of the fake peer certificate made to be marked as revoked.
 * @return the created fake CRL
 * @throws Exception
 */
public static X509CRL createCRL(X509Certificate caCert, PrivateKey caPrivateKey, BigInteger revokedSerialNumber) throws Exception {
    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    Date now = new Date();
    X500Name issuer = X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(caCert).getEncoded());
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    builder.addCRLEntry(revokedSerialNumber, new Date(), 0);
    builder.setNextUpdate(new Date(now.getTime() + TestConstants.NEXT_UPDATE_PERIOD));
    builder.addExtension(Extension.cRLDistributionPoints, false, extUtils.createAuthorityKeyIdentifier(caCert));
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.valueOf(1)));
    JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    contentSignerBuilder.setProvider(CryptoConstants.BOUNCY_CASTLE_PROVIDER);
    X509CRLHolder cRLHolder = builder.build(contentSignerBuilder.build(caPrivateKey));
    JcaX509CRLConverter converter = new JcaX509CRLConverter();
    converter.setProvider(CryptoConstants.BOUNCY_CASTLE_PROVIDER);
    return converter.getCRL(cRLHolder);
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter) CRLNumber(org.bouncycastle.asn1.x509.CRLNumber) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) X509CRLHolder(org.bouncycastle.cert.X509CRLHolder) X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder) X500Name(org.bouncycastle.asn1.x500.X500Name) Date(java.util.Date)

Aggregations

CRLNumber (org.bouncycastle.asn1.x509.CRLNumber)18 BigInteger (java.math.BigInteger)15 X509v2CRLBuilder (org.bouncycastle.cert.X509v2CRLBuilder)13 Date (java.util.Date)12 X509CRLHolder (org.bouncycastle.cert.X509CRLHolder)12 CRLException (java.security.cert.CRLException)11 JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)11 HashSet (java.util.HashSet)10 IOException (java.io.IOException)8 X509CRL (java.security.cert.X509CRL)8 JcaX509CRLConverter (org.bouncycastle.cert.jcajce.JcaX509CRLConverter)8 X500Name (org.bouncycastle.asn1.x500.X500Name)7 AuthorityKeyIdentifier (org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)7 Enumeration (java.util.Enumeration)6 Set (java.util.Set)6 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)6 File (java.io.File)5 InvalidKeyException (java.security.InvalidKeyException)5 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)5 NoSuchProviderException (java.security.NoSuchProviderException)5