Use of com.github.zhenwei.core.asn1.x509.CRLNumber in project candlepin by candlepin: class X509CRLEntryStreamTest, method testCRLwithoutUpdateTime.
@Test
public void testCRLwithoutUpdateTime() throws Exception {
    // Build a CRL that has a thisUpdate but no nextUpdate (setNextUpdate is never called),
    // then check that the entry stream still yields its single revoked serial.
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    builder.addExtension(Extension.authorityKeyIdentifier, false,
        extUtils.createAuthorityKeyIdentifier(keyPair.getPublic()));
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    BigInteger revokedSerial = new BigInteger("100");
    builder.addCRLEntry(revokedSerial, new Date(), CRLReason.unspecified);
    X509CRLHolder holder = builder.build(signer);

    // The stream under test reads from a file, so persist the DER encoding first.
    File crlFile = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(crlFile, holder.getEncoded());

    X509CRLEntryStream entryStream = new X509CRLEntryStream(crlFile);
    try {
        Set<BigInteger> seen = new HashSet<>();
        while (entryStream.hasNext()) {
            seen.add(getSerial(entryStream.next()));
        }
        assertEquals(1, seen.size());
        assertTrue(seen.contains(revokedSerial));
    } finally {
        entryStream.close();
    }
}
Use of com.github.zhenwei.core.asn1.x509.CRLNumber in project certmgr by hdecarne: class X509CRLHelper, method generateCRL.
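/**
 * Generate a CRL object.
 * <p>
 * Every entry in {@code revokeEntries} is recorded with {@code lastUpdate} as its revocation
 * date. The CRL carries an authority key identifier derived from {@code issuerKey} and the
 * CRL number returned by {@code getNextCRLNumber(currentCRL)}. When {@code nextUpdate} is
 * {@code null} no nextUpdate field is written at all; note that RFC 5280 (section 5.1.2.5)
 * requires conforming CRL issuers to include nextUpdate, so strict verifiers may reject such
 * a CRL.
 *
 * @param currentCRL The current CRL object in case of an update (may be {@code null}).
 * @param lastUpdate The last update timestamp to set.
 * @param nextUpdate The next update timestamp to set (may be {@code null}).
 * @param revokeEntries The revoked entries.
 * @param issuerDN The CRL issuer's DN.
 * @param issuerKey The CRL issuer's key pair.
 * @param signatureAlgorithm The signature algorithm to use for signing.
 * @return The generated CRL object.
 * @throws IOException if an error occurs during generation.
 * @throws CertProviderException if building the extensions, signing or converting the CRL fails.
 */
public static X509CRL generateCRL(@Nullable X509CRL currentCRL, Date lastUpdate, @Nullable Date nextUpdate, Map<BigInteger, ReasonFlag> revokeEntries, X500Principal issuerDN, KeyPair issuerKey, SignatureAlgorithm signatureAlgorithm) throws IOException {
    LOG.info("CRL generation ''{0}'' started...", issuerDN);
    // Initialize CRL builder; nextUpdate is only set when the caller supplied one.
    JcaX509v2CRLBuilder crlBuilder = new JcaX509v2CRLBuilder(issuerDN, lastUpdate);
    if (nextUpdate != null) {
        crlBuilder.setNextUpdate(nextUpdate);
    }
    // All revoked entries share lastUpdate as their revocation date.
    for (Map.Entry<BigInteger, ReasonFlag> revokeEntry : revokeEntries.entrySet()) {
        crlBuilder.addCRLEntry(revokeEntry.getKey(), lastUpdate, revokeEntry.getValue().value());
    }
    X509CRL crl;
    try {
        // Add extensions
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerKey.getPublic()));
        BigInteger nextCRLNumber = getNextCRLNumber(currentCRL);
        crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(nextCRLNumber));
        // Sign and create CRL object
        ContentSigner crlSigner = new JcaContentSignerBuilder(signatureAlgorithm.algorithm()).build(issuerKey.getPrivate());
        crl = new JcaX509CRLConverter().getCRL(crlBuilder.build(crlSigner));
    } catch (GeneralSecurityException | OperatorCreationException e) {
        throw new CertProviderException(e);
    }
    // Completion message previously read "CRT generation"; keep it consistent with the start message.
    LOG.info("CRL generation ''{0}'' done", issuerDN);
    return crl;
}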
Use of com.github.zhenwei.core.asn1.x509.CRLNumber in project xipki by xipki: class CertStore, method addCrl.
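/**
 * Stores the given CRL for the CA in the CRL table.
 * <p>
 * The CRL number and, when present, the delta CRL indicator (base CRL number) are read from
 * the CRL's extensions and persisted as 64-bit values. RFC 5280 allows these numbers to be up
 * to 20 octets wide, so a value that does not fit a signed 64-bit integer is rejected with a
 * {@link CRLException} instead of being silently truncated to a wrong number.
 *
 * @param ca the issuing CA
 * @param crl the CRL to store
 * @throws OperationException if the database operation fails
 * @throws CRLException if the CRL cannot be encoded, or its CRL number or delta CRL indicator
 *         does not fit the storage column
 */
public void addCrl(NameId ca, X509CRLHolder crl) throws OperationException, CRLException {
    notNulls(ca, "ca", crl, "crl");
    Extensions extns = crl.getExtensions();
    Long crlNumber = extnValueToLong(
        X509Util.getCoreExtValue(extns, Extension.cRLNumber), "cRLNumber");
    Long baseCrlNumber = extnValueToLong(
        X509Util.getCoreExtValue(extns, Extension.deltaCRLIndicator), "deltaCRLIndicator");

    // Next free ID: whichever of the cached counter and the table maximum is larger, plus one.
    int currentMaxCrlId = (int) getMax("CRL", "ID");
    int crlId = Math.max(cachedCrlId.get(), currentMaxCrlId) + 1;
    cachedCrlId.set(crlId);

    byte[] encodedCrl;
    try {
        encodedCrl = crl.getEncoded();
    } catch (IOException ex) {
        throw new CRLException(ex.getMessage(), ex);
    }

    // The SHA1 column only exists from schema version 7 on.
    // NOTE(review): it appears to be a content fingerprint of the stored blob, not an
    // integrity control -- confirm against the readers of this column.
    boolean withSha1Column = dbSchemaVersion >= 7;
    String b64Sha1 = withSha1Column ? HashAlgo.SHA1.base64Hash(encodedCrl) : null;
    String b64Crl = Base64.encodeToString(encodedCrl);

    // Column order must match SQL_ADD_CRL.
    List<SqlColumn2> columns = new ArrayList<>(10);
    columns.add(col2Int(crlId));
    columns.add(col2Int(ca.getId()));
    columns.add(col2Long(crlNumber));
    columns.add(col2Long(crl.getThisUpdate().getTime() / 1000));
    columns.add(col2Long(getDateSeconds(crl.getNextUpdate())));
    columns.add(col2Bool((baseCrlNumber != null)));
    columns.add(col2Long(baseCrlNumber));
    // in this version we set CRL_SCOPE to fixed value 0
    columns.add(col2Int(0));
    if (withSha1Column) {
        columns.add(col2Str(b64Sha1));
    }
    columns.add(col2Str(b64Crl));
    execUpdatePrepStmt0(SQL_ADD_CRL, columns.toArray(new SqlColumn2[0]));
}

/**
 * Converts the inner value of an INTEGER-valued CRL extension to a {@link Long}.
 *
 * @param extnValue the extension's inner (unwrapped) value, or {@code null} when the
 *        extension is absent
 * @param name the extension name, used only in the error message
 * @return the value, or {@code null} when {@code extnValue} is {@code null}
 * @throws CRLException if the value exceeds the range of a signed 64-bit integer
 */
private static Long extnValueToLong(byte[] extnValue, String name) throws CRLException {
    if (extnValue == null) {
        return null;
    }
    try {
        // longValueExact() throws instead of truncating, unlike longValue().
        return ASN1Integer.getInstance(extnValue).getPositiveValue().longValueExact();
    } catch (ArithmeticException ex) {
        throw new CRLException(name + " value does not fit a 64-bit column", ex);
    }
}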
Use of com.github.zhenwei.core.asn1.x509.CRLNumber in project zookeeper by apache: class QuorumSSLTest, method buildCRL.
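/**
 * Writes a PEM-encoded CRL that revokes {@code x509Certificate} to {@code crlPath}.
 * <p>
 * The CRL is issued under the certificate's issuer DN with thisUpdate {@code certStartTime}
 * and nextUpdate {@code certEndTime}, lists the certificate's serial with reason
 * {@code cACompromise}, and carries an authority key identifier for {@code rootCertificate}
 * plus CRL number 1000. It is signed with {@code contentSigner}.
 *
 * @param x509Certificate the certificate to revoke
 * @param crlPath path of the PEM file to write
 * @throws Exception if building, signing or writing the CRL fails
 */
private void buildCRL(X509Certificate x509Certificate, String crlPath) throws Exception {
    X509v2CRLBuilder builder = new JcaX509v2CRLBuilder(x509Certificate.getIssuerX500Principal(), certStartTime);
    builder.addCRLEntry(x509Certificate.getSerialNumber(), certStartTime, CRLReason.cACompromise);
    builder.setNextUpdate(certEndTime);
    builder.addExtension(Extension.authorityKeyIdentifier, false,
        new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(rootCertificate));
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("1000")));
    X509CRLHolder crlHolder = builder.build(contentSigner);
    // try-with-resources: the writer was previously left open if writeObject threw.
    // FileWriter uses the platform default charset; PEM is ASCII, so that is harmless here.
    try (PemWriter pemWriter = new PemWriter(new FileWriter(crlPath))) {
        pemWriter.writeObject(new MiscPEMGenerator(crlHolder));
    }
}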
Use of com.github.zhenwei.core.asn1.x509.CRLNumber in project wso2-synapse by wso2: class CRLVerifierTest, method createCRL.
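/**
 * Creates a fake CRL for the fake CA. The fake certificate with the given revokedSerialNumber will be marked
 * as Revoked in the returned CRL.
 * <p>
 * The CRL's thisUpdate and the entry's revocation date are both {@code now}; nextUpdate is
 * {@code now + TestConstants.NEXT_UPDATE_PERIOD}. The entry carries reason code 0 (unspecified).
 * The CRL is given an authority key identifier for {@code caCert} and CRL number 1, and is
 * signed with SHA256WithRSAEncryption using the Bouncy Castle provider.
 * @param caCert the fake CA certificate.
 * @param caPrivateKey private key of the fake CA.
 * @param revokedSerialNumber the serial number of the fake peer certificate made to be marked as revoked.
 * @return the created fake CRL
 * @throws Exception if building, signing or converting the CRL fails.
 */
public static X509CRL createCRL(X509Certificate caCert, PrivateKey caPrivateKey, BigInteger revokedSerialNumber) throws Exception {
    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    Date now = new Date();
    X500Name issuer = X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(caCert).getEncoded());
    // Use one instant for thisUpdate and the revocation date rather than separate new Date() calls.
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, now);
    builder.addCRLEntry(revokedSerialNumber, now, 0); // 0 == CRLReason unspecified
    builder.setNextUpdate(new Date(now.getTime() + TestConstants.NEXT_UPDATE_PERIOD));
    // The AKI structure was previously added under the cRLDistributionPoints OID, which
    // mislabels it and breaks any verifier that parses that extension as distribution points.
    builder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert));
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.valueOf(1)));
    JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    contentSignerBuilder.setProvider(CryptoConstants.BOUNCY_CASTLE_PROVIDER);
    X509CRLHolder cRLHolder = builder.build(contentSignerBuilder.build(caPrivateKey));
    JcaX509CRLConverter converter = new JcaX509CRLConverter();
    converter.setProvider(CryptoConstants.BOUNCY_CASTLE_PROVIDER);
    return converter.getCRL(cRLHolder);
}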