use of com.github.zhenwei.core.asn1.x509.CertificateList in project xipki by xipki.
The class ScepResponder, method getCrl.
// method buildSignedData
/**
 * Builds the SCEP GetCRL response: a CMS SignedData with absent content and no signers
 * that carries the CA's current CRL.
 *
 * @param ca           the CA whose current CRL is returned
 * @param serialNumber serial number from the request; not used by this method
 * @return the SignedData structure holding the CRL
 * @throws FailInfoException {@code BAD_REQUEST} if GetCRL is disabled by the control
 *         or the CA currently has no CRL
 * @throws OperationException {@code SYSTEM_FAILURE} if the CMS structure cannot be generated
 */
private SignedData getCrl(X509Ca ca, BigInteger serialNumber) throws FailInfoException, OperationException {
  if (!control.isSupportGetCrl()) {
    throw FailInfoException.BAD_REQUEST;
  }

  CertificateList currentCrl = ca.getBcCurrentCrl(MSGID_scep);
  if (currentCrl == null) {
    LOG.error("found no CRL");
    throw FailInfoException.BAD_REQUEST;
  }

  CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
  generator.addCRL(new X509CRLHolder(currentCrl));
  try {
    CMSSignedData cms = generator.generate(new CMSAbsentContent());
    return SignedData.getInstance(cms.toASN1Structure().getContent());
  } catch (CMSException ex) {
    LogUtil.error(LOG, ex, "could not generate CMSSignedData");
    throw new OperationException(SYSTEM_FAILURE, ex);
  }
}
use of com.github.zhenwei.core.asn1.x509.CertificateList in project xipki by xipki.
The class CertStore, method getCertsForDeltaCrl.
// method getRevokedCerts
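/**
 * Collects the revocation entries of a delta CRL relative to the base (full) CRL
 * {@code baseCrlNumber} of CA {@code ca}.
 *
 * <p>The result contains two kinds of entries:
 * <ul>
 *   <li>serials listed in the base CRL whose certificate is no longer revoked in the
 *       database, reported with reason {@code CrlReason.REMOVE_FROM_CRL}, and</li>
 *   <li>certificates revoked in the database since the base CRL's thisUpdate that are
 *       not already listed in the base CRL.</li>
 * </ul>
 *
 * @param ca            the CA whose certificates are examined
 * @param baseCrlNumber number of the base (full) CRL the delta CRL refers to
 * @param notExpiredAt  certificates whose notAfter is not later than this time are skipped
 * @return the revocation entries of the delta CRL, never {@code null}
 * @throws OperationException with {@code DATABASE_FAILURE} on database errors, or with
 *         {@code CRL_FAILURE} if an entry of the base CRL cannot be re-encoded
 */
public List<CertRevInfoWithSerial> getCertsForDeltaCrl(NameId ca, BigInteger baseCrlNumber, Date notExpiredAt)
    throws OperationException {
  notNulls(ca, "ca", notExpiredAt, "notExpiredAt", baseCrlNumber, "baseCrlNumber");

  // Base full CRL and its revoked-certificate entries
  byte[] encodedCrl = getEncodedCrl(ca, baseCrlNumber);
  CertificateList crl = CertificateList.getInstance(encodedCrl);
  Enumeration<?> revokedCertsInCrl = crl.getRevokedCertificateEnumeration();

  // all serials of the base CRL; created lazily once the first entry gives a size estimate
  Set<BigInteger> allSnSet = null;
  boolean supportInSql = datasource.getDatabaseType().supportsInArray();
  // serials of the base CRL still to be checked against the database
  List<BigInteger> snList = new LinkedList<>();
  List<CertRevInfoWithSerial> ret = new LinkedList<>();

  // Phase 1: walk the base CRL. Where the database supports IN-arrays, check batches of
  // 100 serials (sqlSelectUnrevokedSn100 has 100 placeholders) for certificates that have
  // been unrevoked since the base CRL was issued.
  PreparedStatement ps = null;
  try {
    while (revokedCertsInCrl.hasMoreElements()) {
      CRLEntry crlEntry = (CRLEntry) revokedCertsInCrl.nextElement();
      if (allSnSet == null) {
        // very rough guess of the number of entries from the size of the first one
        int averageSize = encodedCrl.length / crlEntry.getEncoded().length;
        allSnSet = new HashSet<>((int) (1.1 * averageSize));
      }
      BigInteger sn = crlEntry.getUserCertificate().getPositiveValue();
      snList.add(sn);
      allSnSet.add(sn);
      if (!supportInSql) {
        continue;
      }
      if (snList.size() == 100) {
        // due to the memory consumption do not use the executeQueryPreparedStament0() method.
        if (ps == null) {
          ps = prepareStatement(sqlSelectUnrevokedSn100);
        }
        for (int i = 1; i < 101; i++) {
          ps.setString(i, snList.get(i - 1).toString(16));
        }
        snList.clear();
        ResultSet rs = ps.executeQuery();
        try {
          while (rs.next()) {
            ret.add(removedFromCrlEntry(new BigInteger(rs.getString("SN"), 16), rs.getLong("LUPDATE")));
          }
        } finally {
          datasource.releaseResources(null, rs);
        }
      }
    }
  } catch (SQLException ex) {
    throw new OperationException(DATABASE_FAILURE, datasource.translate(sqlSelectUnrevokedSn100, ex).getMessage());
  } catch (IOException ex) {
    throw new OperationException(CRL_FAILURE, ex.getMessage());
  } finally {
    datasource.releaseResources(ps, null);
  }

  // Phase 2: serials not checked yet (all of them without IN-array support, otherwise the
  // remainder of the last incomplete batch), checked one at a time.
  if (!snList.isEmpty()) {
    ps = prepareStatement(sqlSelectUnrevokedSn);
    try {
      for (BigInteger sn : snList) {
        ps.setString(1, sn.toString(16));
        ResultSet rs = ps.executeQuery();
        try {
          if (rs.next()) {
            ret.add(removedFromCrlEntry(sn, rs.getLong("LUPDATE")));
          }
        } finally {
          datasource.releaseResources(null, rs);
        }
      }
    } catch (SQLException ex) {
      throw new OperationException(DATABASE_FAILURE, datasource.translate(sqlSelectUnrevokedSn, ex).getMessage());
    } finally {
      datasource.releaseResources(ps, null);
    }
  }

  // Phase 3: certificates revoked after the base CRL was generated, i.e. all revoked
  // certificates with LUPDATE (last update, in seconds) >= CRL.thisUpdate, paged by ID.
  final int numEntries = 1000;
  String coreSql = "ID,SN,RR,RT,RIT FROM CERT WHERE ID>? AND CA_ID=? AND REV=1 AND NAFTER>? AND LUPDATE>?";
  String sql = datasource.buildSelectFirstSql(numEntries, "ID ASC", coreSql);
  ps = prepareStatement(sql);
  // -1 so that no entry is ignored: "LUPDATE > thisUpdate - 1" is "LUPDATE >= thisUpdate"
  final long updatedSince = crl.getThisUpdate().getDate().getTime() / 1000 - 1;
  // exclusive lower bound of the next page: the largest ID returned so far. Querying
  // "ID > lastId - 1" would return the last row of the previous page a second time.
  long lastId = 0;
  try {
    while (true) {
      ps.setLong(1, lastId);
      ps.setInt(2, ca.getId());
      ps.setLong(3, notExpiredAt.getTime() / 1000 + 1);
      ps.setLong(4, updatedSince);
      ResultSet rs = ps.executeQuery();
      try {
        int num = 0;
        while (rs.next()) {
          num++;
          long id = rs.getLong("ID");
          if (id > lastId) {
            lastId = id;
          }
          BigInteger sn = new BigInteger(rs.getString("SN"), 16);
          if (allSnSet != null && allSnSet.contains(sn)) {
            continue; // already listed in the base CRL
          }
          long revInvalidityTime = rs.getLong("RIT");
          Date invalidityTime = (revInvalidityTime == 0) ? null : new Date(1000L * revInvalidityTime);
          ret.add(new CertRevInfoWithSerial(id, sn, rs.getInt("RR"), new Date(1000L * rs.getLong("RT")), invalidityTime));
        }
        if (num < numEntries) {
          break; // last page
        }
      } finally {
        datasource.releaseResources(null, rs);
      }
    }
  } catch (SQLException ex) {
    throw new OperationException(DATABASE_FAILURE, datasource.translate(sql, ex).getMessage());
  } finally {
    datasource.releaseResources(ps, null);
  }
  return ret;
}

/**
 * Builds the delta CRL entry for a serial that is listed in the base CRL but is no longer
 * revoked in the database.
 *
 * @param sn                serial number of the certificate
 * @param lastUpdateSeconds the LUPDATE column, seconds since the epoch (the same unit the
 *                          column is compared against in {@code getCertsForDeltaCrl});
 *                          used as the revocation time of the REMOVE_FROM_CRL entry
 * @return the entry with id 0, reason {@code REMOVE_FROM_CRL} and no invalidity time
 */
private static CertRevInfoWithSerial removedFromCrlEntry(BigInteger sn, long lastUpdateSeconds) {
  // LUPDATE is in seconds; java.util.Date expects milliseconds
  return new CertRevInfoWithSerial(0L, sn, CrlReason.REMOVE_FROM_CRL, new Date(1000L * lastUpdateSeconds), null);
}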
use of com.github.zhenwei.core.asn1.x509.CertificateList in project signer by demoiselle.
The class RevocationValues, method getValue.
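/**
 * Builds the CAdES revocation-values attribute from the CRLs of every certificate of
 * {@code certificates} except the last one.
 *
 * <p>For each of those certificates the CRLs are taken from {@code crlRepository} and
 * re-encoded as {@link CertificateList}. OCSP responses are not collected. The attribute
 * value is a SET holding a SEQUENCE of the CRLs.
 *
 * @return the attribute identified by {@code identifier}
 * @throws SignerException if no CRL is found for the chain, or if a CRL cannot be fetched
 *         or re-encoded (only the underlying exception's message is preserved)
 */
@Override
public Attribute getValue() throws SignerException {
  try {
    List<X509CRL> crlList = new ArrayList<X509CRL>();
    // The last element of the chain is not examined — presumably the trust anchor;
    // confirm with the callers before relying on it.
    int chainSize = certificates.length - 1;
    for (int ix = 0; ix < chainSize; ix++) {
      X509Certificate cert = (X509Certificate) certificates[ix];
      Collection<ICPBR_CRL> icpCrls = crlRepository.getX509CRL(cert);
      for (ICPBR_CRL icpCrl : icpCrls) {
        crlList.add(icpCrl.getCRL());
      }
    }
    if (crlList.isEmpty()) {
      throw new SignerException(cadesMessagesBundle.getString("error.crl.list.empty"));
    }

    List<CertificateList> crlVals = new ArrayList<CertificateList>(crlList.size());
    for (X509CRL varCrl : crlList) {
      crlVals.add(CertificateList.getInstance(varCrl.getEncoded()));
    }
    CertificateList[] crlValuesArray = crlVals.toArray(new CertificateList[crlVals.size()]);
    return new Attribute(identifier, new DERSet(new DERSequence(crlValuesArray)));
  } catch (SignerException e) {
    // already the right type: rethrow as is instead of re-wrapping it and losing its stack trace
    throw e;
  } catch (Exception e) {
    // NOTE(review): only the message survives; a (String, Throwable) constructor on
    // SignerException would preserve the cause — confirm one exists before using it.
    throw new SignerException(e.getMessage());
  }
}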
use of com.github.zhenwei.core.asn1.x509.CertificateList in project pri-fidoiot by secure-device-onboard.
The class OnDieCertSignatureFunction, method checkRevocations.
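/**
 * Checks every certificate of {@code certificateList} against the CRLs named in its
 * CRL distribution point extension.
 *
 * <p>The check fails closed: a certificate listed as revoked, a distribution point whose
 * CRL cannot be obtained from the {@link OnDieCertificateManager}, a distribution point
 * without a usable HTTP name, or any parsing error makes the whole check fail.
 * Certificates without a CRL distribution point extension are not checked.
 *
 * @param certificateList certificates to check; each must be an {@link X509Certificate}
 * @return {@code true} if no certificate is revoked and every CRL could be checked;
 *         {@code false} if a certificate is revoked, a CRL is unavailable, the list is
 *         {@code null}, or the check could not be completed
 */
public boolean checkRevocations(Certificate[] certificateList) {
  if (certificateList == null) {
    return false;
  }
  try {
    OnDieCertificateManager certManager = Config.getWorker(OnDieCertificateManager.class);
    CertificateFactory certificateFactory = CertificateFactory.getInstance(StandardCryptoService.X509_ALG_NAME);
    for (Certificate cert : certificateList) {
      X509Certificate x509cert = (X509Certificate) cert;
      X509CertificateHolder certHolder = new X509CertificateHolder(x509cert.getEncoded());
      CRLDistPoint cdp = CRLDistPoint.fromExtensions(certHolder.getExtensions());
      if (cdp == null) {
        continue; // no distribution point extension: nothing to check for this certificate
      }
      for (DistributionPoint dp : cdp.getDistributionPoints()) {
        // the distributionPoint name is OPTIONAL in the extension; without it there is
        // no CRL location to fetch from, so the check cannot succeed
        if (dp.getDistributionPoint() == null) {
          return false;
        }
        GeneralName[] generalNames = GeneralNames.getInstance(dp.getDistributionPoint().getName()).getNames();
        for (GeneralName generalName : generalNames) {
          // keep only the part of the name's string form starting at the URL (the string form
          // presumably carries a tag prefix before it); a name without "http" cannot be fetched
          String name = generalName.toString();
          int urlStart = name.indexOf("http");
          if (urlStart < 0) {
            return false;
          }
          byte[] crlBytes = certManager.getCertificate(name.substring(urlStart));
          if (crlBytes == null) {
            return false;
          }
          CRL crl = certificateFactory.generateCRL(new ByteArrayInputStream(crlBytes));
          if (crl.isRevoked(cert)) {
            return false;
          }
        }
      }
    }
  } catch (IOException | CertificateException | CRLException | IllegalArgumentException ex) {
    // IllegalArgumentException covers malformed ASN.1 structures rejected by the
    // getInstance(...) helpers. Any failure to complete the check counts as a failure;
    // the reason is not logged here, so callers see only the boolean result.
    return false;
  }
  return true;
}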
use of com.github.zhenwei.core.asn1.x509.CertificateList in project LinLong-Java by zhenwei1108.
The class CertUtils, method generateCRLStructure.
/**
 * Assembles a {@link CertificateList} from its three components: the to-be-signed
 * CRL body, the signature algorithm identifier and the signature value.
 *
 * @param tbsCertList the TBSCertList that was signed
 * @param sigAlgId    identifier of the algorithm used to produce {@code signature}
 * @param signature   the signature bytes, wrapped as a DER BIT STRING
 * @return the CRL structure SEQUENCE { tbsCertList, sigAlgId, BIT STRING signature }
 */
private static CertificateList generateCRLStructure(TBSCertList tbsCertList, AlgorithmIdentifier sigAlgId, byte[] signature) {
  ASN1EncodableVector elements = new ASN1EncodableVector();
  elements.add(tbsCertList);
  elements.add(sigAlgId);
  elements.add(new DERBitString(signature));
  DERSequence crlSequence = new DERSequence(elements);
  return CertificateList.getInstance(crlSequence);
}