Examples with DistributionPoint com.github.zhenwei.core.asn1.x509.DistributionPoint used on opensource projects

Search in sources :

Example 1 with DistributionPoint

use of com.github.zhenwei.core.asn1.x509.DistributionPoint in project supply-chain-tools by secure-device-onboard.

the class OnDieSignatureValidator method checkRevocations.

private boolean checkRevocations(List<Certificate> certificateList) {
    // Check revocations first.
    try {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
        for (Certificate cert : certificateList) {
            X509Certificate x509cert = (X509Certificate) cert;
            X509CertificateHolder certHolder = new X509CertificateHolder(x509cert.getEncoded());
            CRLDistPoint cdp = CRLDistPoint.fromExtensions(certHolder.getExtensions());
            if (cdp != null) {
                DistributionPoint[] distPoints = cdp.getDistributionPoints();
                for (DistributionPoint dp : distPoints) {
                    GeneralName[] generalNames = GeneralNames.getInstance(dp.getDistributionPoint().getName()).getNames();
                    for (GeneralName generalName : generalNames) {
                        byte[] crlBytes = onDieCache.getCertOrCrl(generalName.toString());
                        if (crlBytes == null) {
                            LoggerFactory.getLogger(getClass()).error("CRL ({}) not found in cache for cert: {}", generalName.getName().toString(), x509cert.getIssuerX500Principal().getName());
                            return false;
                        } else {
                            CRL crl = certificateFactory.generateCRL(new ByteArrayInputStream(crlBytes));
                            if (crl.isRevoked(cert)) {
                                return false;
                            }
                        }
                    }
                }
            }
        }
    } catch (IOException | CertificateException | CRLException ex) {
        return false;
    }
    return true;
}
Also used : CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) CertificateFactory(java.security.cert.CertificateFactory) X509Certificate(java.security.cert.X509Certificate) ByteArrayInputStream(java.io.ByteArrayInputStream) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) CRL(java.security.cert.CRL) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) CRLException(java.security.cert.CRLException) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 2 with DistributionPoint

use of com.github.zhenwei.core.asn1.x509.DistributionPoint in project documentproduction by qld-gov-au.

the class CRLVerifier method getCrlDistributionPoints.

/**
 * Extracts all CRL distribution point URLs from the "CRL Distribution
 * Point" extension in a X.509 certificate. If CRL distribution point
 * extension is unavailable, returns an empty list.
 * @param cert
 * @return List of CRL distribution point URLs.
 * @throws java.io.IOException
 */
public static List<String> getCrlDistributionPoints(X509Certificate cert) throws IOException {
    byte[] crldpExt = cert.getExtensionValue(Extension.cRLDistributionPoints.getId());
    if (crldpExt == null) {
        return new ArrayList<String>();
    }
    ASN1InputStream oAsnInStream = new ASN1InputStream(new ByteArrayInputStream(crldpExt));
    ASN1Primitive derObjCrlDP = oAsnInStream.readObject();
    ASN1OctetString dosCrlDP = (ASN1OctetString) derObjCrlDP;
    byte[] crldpExtOctets = dosCrlDP.getOctets();
    ASN1InputStream oAsnInStream2 = new ASN1InputStream(new ByteArrayInputStream(crldpExtOctets));
    ASN1Primitive derObj2 = oAsnInStream2.readObject();
    CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2);
    List<String> crlUrls = new ArrayList<String>();
    for (DistributionPoint dp : distPoint.getDistributionPoints()) {
        DistributionPointName dpn = dp.getDistributionPoint();
        // Look for URIs in fullName
        if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) {
            // Look for an URI
            for (GeneralName genName : GeneralNames.getInstance(dpn.getName()).getNames()) {
                if (genName.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    String url = DERIA5String.getInstance(genName.getName()).getString();
                    crlUrls.add(url);
                }
            }
        }
    }
    return crlUrls;
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) ByteArrayInputStream(java.io.ByteArrayInputStream) ArrayList(java.util.ArrayList) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)

Example 3 with DistributionPoint

use of com.github.zhenwei.core.asn1.x509.DistributionPoint in project pdf-sign-check by spapas.

the class CRLVerifier method getCrlDistributionPoints.

/**
 * Extracts all CRL distribution point URLs from the "CRL Distribution
 * Point" extension in a X.509 certificate. If CRL distribution point
 * extension is unavailable, returns an empty list.
 * @param cert
 * @return List of CRL distribution point URLs.
 * @throws java.io.IOException
 */
public static List<String> getCrlDistributionPoints(X509Certificate cert) throws IOException {
    byte[] crldpExt = cert.getExtensionValue(Extension.cRLDistributionPoints.getId());
    if (crldpExt == null) {
        return new ArrayList<>();
    }
    ASN1Primitive derObjCrlDP;
    try (ASN1InputStream oAsnInStream = new ASN1InputStream(crldpExt)) {
        derObjCrlDP = oAsnInStream.readObject();
    }
    if (!(derObjCrlDP instanceof ASN1OctetString)) {
        LOG.warn("CRL distribution points for certificate subject " + cert.getSubjectX500Principal().getName() + " should be an octet string, but is " + derObjCrlDP);
        return new ArrayList<>();
    }
    ASN1OctetString dosCrlDP = (ASN1OctetString) derObjCrlDP;
    byte[] crldpExtOctets = dosCrlDP.getOctets();
    ASN1Primitive derObj2;
    try (ASN1InputStream oAsnInStream2 = new ASN1InputStream(crldpExtOctets)) {
        derObj2 = oAsnInStream2.readObject();
    }
    CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2);
    List<String> crlUrls = new ArrayList<>();
    for (DistributionPoint dp : distPoint.getDistributionPoints()) {
        DistributionPointName dpn = dp.getDistributionPoint();
        // Look for URIs in fullName
        if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) {
            // Look for an URI
            for (GeneralName genName : GeneralNames.getInstance(dpn.getName()).getNames()) {
                if (genName.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    String url = ASN1IA5String.getInstance(genName.getName()).getString();
                    crlUrls.add(url);
                }
            }
        }
    }
    return crlUrls;
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream) ArrayList(java.util.ArrayList) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) ASN1IA5String(org.bouncycastle.asn1.ASN1IA5String) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)

Example 4 with DistributionPoint

use of com.github.zhenwei.core.asn1.x509.DistributionPoint in project oxAuth by GluuFederation.

the class CRLCertificateVerifier method getCrlUri.

public String getCrlUri(X509Certificate certificate) throws IOException {
    ASN1Primitive obj;
    try {
        obj = getExtensionValue(certificate, Extension.cRLDistributionPoints.getId());
    } catch (IOException ex) {
        log.error("Failed to get CRL URL", ex);
        return null;
    }
    if (obj == null) {
        return null;
    }
    CRLDistPoint distPoint = CRLDistPoint.getInstance(obj);
    DistributionPoint[] distributionPoints = distPoint.getDistributionPoints();
    for (DistributionPoint distributionPoint : distributionPoints) {
        DistributionPointName distributionPointName = distributionPoint.getDistributionPoint();
        if (DistributionPointName.FULL_NAME != distributionPointName.getType()) {
            continue;
        }
        GeneralNames generalNames = (GeneralNames) distributionPointName.getName();
        GeneralName[] names = generalNames.getNames();
        for (GeneralName name : names) {
            if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
                continue;
            }
            DERIA5String derStr = DERIA5String.getInstance((ASN1TaggedObject) name.toASN1Primitive(), false);
            return derStr.getString();
        }
    }
    return null;
}
Also used : DERIA5String(org.bouncycastle.asn1.DERIA5String) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) IOException(java.io.IOException) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)

Example 5 with DistributionPoint

use of com.github.zhenwei.core.asn1.x509.DistributionPoint in project cas by apereo.

the class CRLDistributionPointRevocationChecker method getDistributionPoints.

/**
 * Gets the distribution points.
 *
 * @param cert the cert
 * @return the url distribution points
 */
private static URI[] getDistributionPoints(final X509Certificate cert) {
    try {
        val points = new ExtensionReader(cert).readCRLDistributionPoints();
        val urls = new ArrayList<URI>(points == null ? 0 : points.size());
        if (points != null) {
            points.stream().map(DistributionPoint::getDistributionPoint).filter(Objects::nonNull).forEach(pointName -> {
                val nameSequence = ASN1Sequence.getInstance(pointName.getName());
                IntStream.range(0, nameSequence.size()).mapToObj(i -> GeneralName.getInstance(nameSequence.getObjectAt(i))).forEach(name -> {
                    LOGGER.debug("Found CRL distribution point [{}].", name);
                    try {
                        addURL(urls, DERIA5String.getInstance(name.getName()).getString());
                    } catch (final Exception e) {
                        LOGGER.warn("[{}] not supported: [{}].", pointName, e.getMessage());
                    }
                });
            });
        }
        return urls.toArray(URI[]::new);
    } catch (final Exception e) {
        LOGGER.debug("Error reading CRLDistributionPoints extension field on [{}]", CertUtils.toString(cert));
        LoggingUtils.error(LOGGER, e);
        return new URI[0];
    }
}
Also used : lombok.val(lombok.val) X509Certificate(java.security.cert.X509Certificate) IntStream(java.util.stream.IntStream) RevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.RevocationPolicy) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) URLDecoder(java.net.URLDecoder) URL(java.net.URL) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) X509CRL(java.security.cert.X509CRL) ByteArrayResource(org.springframework.core.io.ByteArrayResource) UserManagedCache(org.ehcache.UserManagedCache) ArrayList(java.util.ArrayList) LoggingUtils(org.apereo.cas.util.LoggingUtils) FunctionUtils(org.apereo.cas.util.function.FunctionUtils) CollectionUtils(org.apereo.cas.util.CollectionUtils) URI(java.net.URI) Status(org.ehcache.Status) DERIA5String(org.bouncycastle.asn1.DERIA5String) CRLFetcher(org.apereo.cas.adaptors.x509.authentication.CRLFetcher) MalformedURLException(java.net.MalformedURLException) lombok.val(lombok.val) StandardCharsets(java.nio.charset.StandardCharsets) CertUtils(org.apereo.cas.util.crypto.CertUtils) ExtensionReader(org.cryptacular.x509.ExtensionReader) Objects(java.util.Objects) Slf4j(lombok.extern.slf4j.Slf4j) GeneralName(org.bouncycastle.asn1.x509.GeneralName) List(java.util.List) DisposableBean(org.springframework.beans.factory.DisposableBean) ResourceCRLFetcher(org.apereo.cas.adaptors.x509.authentication.ResourceCRLFetcher) ArrayList(java.util.ArrayList) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) MalformedURLException(java.net.MalformedURLException) ExtensionReader(org.cryptacular.x509.ExtensionReader)

Aggregations

DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)44 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)39 GeneralName (org.bouncycastle.asn1.x509.GeneralName)37 IOException (java.io.IOException)35 DistributionPointName (org.bouncycastle.asn1.x509.DistributionPointName)29 ArrayList (java.util.ArrayList)25 DERIA5String (org.bouncycastle.asn1.DERIA5String)18 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)18 CertPathValidatorException (java.security.cert.CertPathValidatorException)16 CRLDistPoint (com.github.zhenwei.core.asn1.x509.CRLDistPoint)15 DistributionPoint (com.github.zhenwei.core.asn1.x509.DistributionPoint)15 GeneralName (com.github.zhenwei.core.asn1.x509.GeneralName)15 GeneralSecurityException (java.security.GeneralSecurityException)14 List (java.util.List)13 ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)12 DistributionPointName (com.github.zhenwei.core.asn1.x509.DistributionPointName)11 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)11 CertPathBuilderException (java.security.cert.CertPathBuilderException)10 DEROctetString (org.bouncycastle.asn1.DEROctetString)10 IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)10
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial