use of com.github.zhenwei.core.asn1.x509.CertificateList in project kubernetes-client by fabric8io.
the class CertificateCreate method main.
public static void main(String[] args) {
try (NamespacedCertManagerClient certManagerClient = new DefaultCertManagerClient()) {
String namespace = "default";
Certificate certificate = new CertificateBuilder().build();
// Create Certificate
certManagerClient.v1alpha3().certificates().inNamespace(namespace).create(certificate);
System.out.println("Created: " + certificate.getMetadata().getName());
// List Certificate
CertificateList certificateList = certManagerClient.v1alpha3().certificates().inNamespace(namespace).list();
System.out.println("There are " + certificateList.getItems().size() + " TaskRun objects in " + namespace);
}
}
use of com.github.zhenwei.core.asn1.x509.CertificateList in project supply-chain-tools by secure-device-onboard.
the class OnDieSignatureValidator method checkRevocations.
private boolean checkRevocations(List<Certificate> certificateList) {
// Check revocations first.
try {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
for (Certificate cert : certificateList) {
X509Certificate x509cert = (X509Certificate) cert;
X509CertificateHolder certHolder = new X509CertificateHolder(x509cert.getEncoded());
CRLDistPoint cdp = CRLDistPoint.fromExtensions(certHolder.getExtensions());
if (cdp != null) {
DistributionPoint[] distPoints = cdp.getDistributionPoints();
for (DistributionPoint dp : distPoints) {
GeneralName[] generalNames = GeneralNames.getInstance(dp.getDistributionPoint().getName()).getNames();
for (GeneralName generalName : generalNames) {
byte[] crlBytes = onDieCache.getCertOrCrl(generalName.toString());
if (crlBytes == null) {
LoggerFactory.getLogger(getClass()).error("CRL ({}) not found in cache for cert: {}", generalName.getName().toString(), x509cert.getIssuerX500Principal().getName());
return false;
} else {
CRL crl = certificateFactory.generateCRL(new ByteArrayInputStream(crlBytes));
if (crl.isRevoked(cert)) {
return false;
}
}
}
}
}
}
} catch (IOException | CertificateException | CRLException ex) {
return false;
}
return true;
}
use of com.github.zhenwei.core.asn1.x509.CertificateList in project robovm by robovm.
the class X509CertFactoryImpl method engineGenerateCRLs.
/**
* @see java.security.cert.CertificateFactorySpi#engineGenerateCRLs(InputStream)
* method documentation for more info
*/
public Collection<? extends CRL> engineGenerateCRLs(InputStream inStream) throws CRLException {
if (inStream == null) {
throw new CRLException("inStream == null");
}
ArrayList<CRL> result = new ArrayList<CRL>();
try {
if (!inStream.markSupported()) {
inStream = new RestoringInputStream(inStream);
}
// if it is PEM encoded form this array will contain the encoding
// so ((it is PEM) <-> (encoding != null))
byte[] encoding = null;
// The following by SEQUENCE ASN.1 tag, used for
// recognizing the data format
// (is it PKCS7 ContentInfo structure, X.509 CRL, or
// unsupported encoding)
int second_asn1_tag = -1;
inStream.mark(1);
int ch;
while ((ch = inStream.read()) != -1) {
// check if it is PEM encoded form
if (ch == '-') {
// beginning of PEM encoding ('-' char)
// decode PEM chunk and store its content (ASN.1 encoding)
encoding = decodePEM(inStream, FREE_BOUND_SUFFIX);
} else if (ch == 0x30) {
// beginning of ASN.1 sequence (0x30)
encoding = null;
inStream.reset();
// prepare for data format determination
inStream.mark(CRL_CACHE_SEED_LENGTH);
} else {
// unsupported data
if (result.size() == 0) {
throw new CRLException("Unsupported encoding");
} else {
// it can be trailing user data,
// so keep it in the stream
inStream.reset();
return result;
}
}
// Check the data format
BerInputStream in = (encoding == null) ? new BerInputStream(inStream) : new BerInputStream(encoding);
// read the next ASN.1 tag
second_asn1_tag = in.next();
if (encoding == null) {
// keep whole structure in the stream
inStream.reset();
}
// check if it is a TBSCertList structure
if (second_asn1_tag != ASN1Constants.TAG_C_SEQUENCE) {
if (result.size() == 0) {
// whether it is PKCS7 structure
break;
} else {
// so return what we already read
return result;
}
} else {
if (encoding == null) {
result.add(getCRL(inStream));
} else {
result.add(getCRL(encoding));
}
}
inStream.mark(1);
}
if (result.size() != 0) {
// the stream was read out
return result;
} else if (ch == -1) {
throw new CRLException("There is no data in the stream");
}
// else: check if it is PKCS7
if (second_asn1_tag == ASN1Constants.TAG_OID) {
// it is PKCS7 ContentInfo structure, so decode it
ContentInfo info = (ContentInfo) ((encoding != null) ? ContentInfo.ASN1.decode(encoding) : ContentInfo.ASN1.decode(inStream));
// retrieve SignedData
SignedData data = info.getSignedData();
if (data == null) {
throw new CRLException("Invalid PKCS7 data provided");
}
List<CertificateList> crls = data.getCRLs();
if (crls != null) {
for (CertificateList crl : crls) {
result.add(new X509CRLImpl(crl));
}
}
return result;
}
// else: Unknown data format
throw new CRLException("Unsupported encoding");
} catch (IOException e) {
throw new CRLException(e);
}
}
use of com.github.zhenwei.core.asn1.x509.CertificateList in project xipki by xipki.
the class X509CaCmpResponderImpl method cmpGeneralMsg.
// method cmpRevokeOrUnrevokeOrRemoveCertificates
private PKIBody cmpGeneralMsg(PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor, ASN1OctetString tid, String msgId, AuditEvent event) throws InsuffientPermissionException {
GenMsgContent genMsgBody = GenMsgContent.getInstance(reqBody.getContent());
InfoTypeAndValue[] itvs = genMsgBody.toInfoTypeAndValueArray();
InfoTypeAndValue itv = null;
if (itvs != null && itvs.length > 0) {
for (InfoTypeAndValue entry : itvs) {
String itvType = entry.getInfoType().getId();
if (KNOWN_GENMSG_IDS.contains(itvType)) {
itv = entry;
break;
}
}
}
if (itv == null) {
String statusMessage = "PKIBody type " + PKIBody.TYPE_GEN_MSG + " is only supported with the sub-types " + KNOWN_GENMSG_IDS.toString();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
InfoTypeAndValue itvResp = null;
ASN1ObjectIdentifier infoType = itv.getInfoType();
int failureInfo;
try {
X509Ca ca = getCa();
if (CMPObjectIdentifiers.it_currentCRL.equals(infoType)) {
event.addEventType(CaAuditConstants.TYPE_CMP_genm_currentCrl);
checkPermission(requestor, PermissionConstants.GET_CRL);
CertificateList crl = ca.getBcCurrentCrl();
if (itv.getInfoValue() == null) {
// as defined in RFC 4210
crl = ca.getBcCurrentCrl();
} else {
// xipki extension
ASN1Integer crlNumber = ASN1Integer.getInstance(itv.getInfoValue());
crl = ca.getBcCrl(crlNumber.getPositiveValue());
}
if (crl == null) {
String statusMessage = "no CRL is available";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
itvResp = new InfoTypeAndValue(infoType, crl);
} else if (ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.equals(infoType)) {
ASN1Encodable asn1 = itv.getInfoValue();
ASN1Integer asn1Code = null;
ASN1Encodable reqValue = null;
try {
ASN1Sequence seq = ASN1Sequence.getInstance(asn1);
asn1Code = ASN1Integer.getInstance(seq.getObjectAt(0));
if (seq.size() > 1) {
reqValue = seq.getObjectAt(1);
}
} catch (IllegalArgumentException ex) {
String statusMessage = "invalid value of the InfoTypeAndValue for " + ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.getId();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
ASN1Encodable respValue;
int action = asn1Code.getPositiveValue().intValue();
switch(action) {
case XiSecurityConstants.CMP_ACTION_GEN_CRL:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_genCrl);
checkPermission(requestor, PermissionConstants.GEN_CRL);
X509CRL tmpCrl = ca.generateCrlOnDemand(msgId);
if (tmpCrl == null) {
String statusMessage = "CRL generation is not activated";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
} else {
respValue = CertificateList.getInstance(tmpCrl.getEncoded());
}
break;
case XiSecurityConstants.CMP_ACTION_GET_CRL_WITH_SN:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_crlForNumber);
checkPermission(requestor, PermissionConstants.GET_CRL);
ASN1Integer crlNumber = ASN1Integer.getInstance(reqValue);
respValue = ca.getBcCrl(crlNumber.getPositiveValue());
if (respValue == null) {
String statusMessage = "no CRL is available";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
break;
case XiSecurityConstants.CMP_ACTION_GET_CAINFO:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_cainfo);
Set<Integer> acceptVersions = new HashSet<>();
if (reqValue != null) {
ASN1Sequence seq = DERSequence.getInstance(reqValue);
int size = seq.size();
for (int i = 0; i < size; i++) {
ASN1Integer ai = ASN1Integer.getInstance(seq.getObjectAt(i));
acceptVersions.add(ai.getPositiveValue().intValue());
}
}
if (CollectionUtil.isEmpty(acceptVersions)) {
acceptVersions.add(1);
}
String systemInfo = getSystemInfo(requestor, acceptVersions);
respValue = new DERUTF8String(systemInfo);
break;
default:
String statusMessage = "unsupported XiPKI action code '" + action + "'";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
// end switch (action)
ASN1EncodableVector vec = new ASN1EncodableVector();
vec.add(asn1Code);
if (respValue != null) {
vec.add(respValue);
}
itvResp = new InfoTypeAndValue(infoType, new DERSequence(vec));
} else if (ObjectIdentifiers.id_xipki_cmp_cacerts.equals(infoType)) {
event.addEventType(CaAuditConstants.TYPE_CMP_genm_cacerts);
CMPCertificate caCert = ca.getCaInfo().getCertInCmpFormat();
itvResp = new InfoTypeAndValue(infoType, new DERSequence(caCert));
}
GenRepContent genRepContent = new GenRepContent(itvResp);
return new PKIBody(PKIBody.TYPE_GEN_REP, genRepContent);
} catch (OperationException ex) {
failureInfo = getPKiFailureInfo(ex);
ErrorCode code = ex.getErrorCode();
String errorMessage;
switch(code) {
case DATABASE_FAILURE:
case SYSTEM_FAILURE:
errorMessage = code.name();
break;
default:
errorMessage = code.name() + ": " + ex.getErrorMessage();
break;
}
return buildErrorMsgPkiBody(PKIStatus.rejection, failureInfo, errorMessage);
} catch (CRLException ex) {
String statusMessage = "CRLException: " + ex.getMessage();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
}
use of com.github.zhenwei.core.asn1.x509.CertificateList in project xipki by xipki.
the class X509Ca method getBcCrl.
public CertificateList getBcCrl(BigInteger crlNumber) throws OperationException {
LOG.info(" START getCrl: ca={}, crlNumber={}", caIdent, crlNumber);
boolean successful = false;
try {
byte[] encodedCrl = certstore.getEncodedCrl(caIdent, crlNumber);
if (encodedCrl == null) {
return null;
}
try {
CertificateList crl = CertificateList.getInstance(encodedCrl);
successful = true;
if (LOG.isInfoEnabled()) {
LOG.info("SUCCESSFUL getCrl: ca={}, thisUpdate={}", caIdent, crl.getThisUpdate().getTime());
}
return crl;
} catch (RuntimeException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
}
} finally {
if (!successful) {
LOG.info(" FAILED getCrl: ca={}", caIdent);
}
}
}
Aggregations