the class RevocationUtilities method getDeltaCRLs.
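/**
 * Fetches delta CRLs according to RFC 3280 section 5.2.4.
 *
 * A candidate delta CRL must have the same issuer as <code>completeCRL</code> (5.2.4 (a)),
 * carry the same issuing distribution point (5.2.4 (b)), have a base CRL number no larger
 * than the complete CRL's number (5.2.4 (c)) and a CRL number larger than it (5.2.4 (d)).
 * Only candidates for which {@code isDeltaCRL} holds are returned.
 *
 * @param validityDate The date for which the delta CRLs must be valid.
 * @param completeCRL The complete CRL the delta CRL is for.
 * @param certStores The <code>CertStore</code>s searched for candidate delta CRLs.
 * @param pkixCrlStores The <code>PKIXCRLStore</code>s searched for candidate delta CRLs.
 * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs; empty, never <code>null</code>, if none match.
 * @throws AnnotatedException if an exception occurs while picking the delta CRLs.
 */
protected static Set getDeltaCRLs(Date validityDate, X509CRL completeCRL, List<CertStore> certStores, List<PKIXCRLStore> pkixCrlStores) throws AnnotatedException {
    X509CRLSelector baseDeltaSelect = new X509CRLSelector();
    // 5.2.4 (a): the delta must be issued by the issuer of the complete CRL.
    try {
        baseDeltaSelect.addIssuerName(completeCRL.getIssuerX500Principal().getEncoded());
    } catch (IOException e) {
        throw new AnnotatedException("cannot extract issuer from CRL.", e);
    }
    // The complete CRL's number; stays null when the extension is absent, which disables (c) and (d).
    BigInteger completeCRLNumber = null;
    try {
        ASN1Primitive derObject = RevocationUtilities.getExtensionValue(completeCRL, Extension.cRLNumber);
        if (derObject != null) {
            completeCRLNumber = ASN1Integer.getInstance(derObject).getPositiveValue();
        }
    } catch (Exception e) {
        throw new AnnotatedException("cannot extract CRL number extension from CRL", e);
    }
    // 5.2.4 (b): the delta must carry the same issuing distribution point as the complete CRL.
    byte[] idp;
    try {
        idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
    } catch (Exception e) {
        throw new AnnotatedException("issuing distribution point extension value could not be read", e);
    }
    // 5.2.4 (d): the delta's CRL number must exceed the complete CRL's number.
    baseDeltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber.add(BigInteger.ONE));
    PKIXCRLStoreSelector.Builder selBuilder = new PKIXCRLStoreSelector.Builder(baseDeltaSelect);
    selBuilder.setIssuingDistributionPoint(idp);
    selBuilder.setIssuingDistributionPointEnabled(true);
    // 5.2.4 (c): the delta's base CRL number must not exceed the complete CRL's number.
    selBuilder.setMaxBaseCRLNumber(completeCRLNumber);
    PKIXCRLStoreSelector deltaSelect = selBuilder.build();
    // Find the candidates and keep only those that actually are delta CRLs.
    Set temp = PKIXCRLUtil.findCRLs(deltaSelect, validityDate, certStores, pkixCrlStores);
    Set<X509CRL> result = new HashSet<X509CRL>();
    for (Object candidate : temp) {
        X509CRL crl = (X509CRL) candidate;
        if (isDeltaCRL(crl)) {
            result.add(crl);
        }
    }
    return result;
}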
the class RevocationUtilities method getCertStatus.
/**
 * Looks up <code>cert</code> in <code>crl</code> and, when it is listed, records the revocation
 * reason and date in <code>certStatus</code>.
 *
 * <code>certStatus</code> is left untouched when the CRL does not cover the certificate's issuer
 * (direct CRL with a different issuer, or indirect CRL whose entry issuer differs), when the
 * certificate has no entry, or when the entry's revocation date lies after <code>validDate</code>
 * for a reason other than unspecified, keyCompromise, cACompromise or aACompromise.
 *
 * @param validDate The date the certificate is being validated for.
 * @param crl The CRL to look the certificate up in.
 * @param cert The certificate; must be an <code>X509Certificate</code>.
 * @param certStatus Receives the reason code and revocation date when the certificate is revoked.
 * @throws AnnotatedException if the indirect-CRL check fails or the reason code extension cannot be decoded.
 */
protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, CertStatus certStatus) throws AnnotatedException {
    final boolean indirect;
    try {
        indirect = isIndirectCRL(crl);
    } catch (CRLException exception) {
        throw new AnnotatedException("Failed check for indirect CRL.", exception);
    }
    X509Certificate certificate = (X509Certificate) cert;
    X500Name certIssuer = getIssuer(certificate);
    // A direct CRL only covers certificates issued by the CRL issuer itself.
    if (!indirect && !certIssuer.equals(getIssuer(crl))) {
        return;
    }
    X509CRLEntry entry = crl.getRevokedCertificate(certificate.getSerialNumber());
    if (entry == null) {
        return;
    }
    if (indirect) {
        // In an indirect CRL the entry's certificateIssuer (or the CRL issuer when absent) must match.
        X500Principal entryIssuer = entry.getCertificateIssuer();
        X500Name expectedIssuer = (entryIssuer == null) ? getIssuer(crl) : getX500Name(entryIssuer);
        if (!certIssuer.equals(expectedIssuer)) {
            return;
        }
    }
    int reason = CRLReason.unspecified;
    if (entry.hasExtensions()) {
        try {
            ASN1Primitive extValue = RevocationUtilities.getExtensionValue(entry, Extension.reasonCode);
            ASN1Enumerated reasonCode = ASN1Enumerated.getInstance(extValue);
            if (reasonCode != null) {
                reason = reasonCode.intValueExact();
            }
        } catch (Exception e) {
            throw new AnnotatedException("Reason code CRL entry extension could not be decoded.", e);
        }
    }
    Date revocationDate = entry.getRevocationDate();
    // A revocation dated after validDate still counts for these reasons; others are ignored.
    boolean countsBeforeRevocationDate = reason == CRLReason.unspecified
            || reason == CRLReason.keyCompromise
            || reason == CRLReason.cACompromise
            || reason == CRLReason.aACompromise;
    if (validDate.before(revocationDate) && !countsBeforeRevocationDate) {
        return;
    }
    // (i) or (j)
    certStatus.setCertStatus(reason);
    certStatus.setRevocationDate(revocationDate);
}
the class JceITSPublicEncryptionKey method getKey.
/**
 * Converts the wrapped ITS public encryption key into a JCA <code>PublicKey</code>.
 *
 * The named curve is chosen from the key's choice tag, the curve point is decoded on that
 * curve and handed to an "EC" <code>KeyFactory</code> obtained from <code>helper</code>.
 *
 * @return The JCA public key for the ITS key.
 * @throws IllegalStateException if the key choice or curve point type is not supported, or
 *         if decoding the point or building the JCA key fails.
 */
public PublicKey getKey() {
    BasePublicEncryptionKey baseKey = encryptionKey.getBasePublicEncryptionKey();
    final X9ECParameters params;
    switch (baseKey.getChoice()) {
        case BasePublicEncryptionKey.eciesNistP256:
            params = NISTNamedCurves.getByOID(SECObjectIdentifiers.secp256r1);
            break;
        case BasePublicEncryptionKey.eciesBrainpoolP256r1:
            params = TeleTrusTNamedCurves.getByOID(TeleTrusTObjectIdentifiers.brainpoolP256r1);
            break;
        default:
            throw new IllegalStateException("unknown key type");
    }
    ASN1Encodable value = baseKey.getValue();
    if (!(value instanceof EccCurvePoint)) {
        throw new IllegalStateException("extension to public verification key not supported");
    }
    EccCurvePoint itsPoint = (EccCurvePoint) value;
    ECCurve curve = params.getCurve();
    // Only the two known point encodings are accepted; anything else is rejected before decoding.
    if (!(itsPoint instanceof EccP256CurvePoint) && !(itsPoint instanceof EccP384CurvePoint)) {
        throw new IllegalStateException("unknown key type");
    }
    byte[] encodedPoint = itsPoint.getEncodedPoint();
    // NOTE(review): relies on ECCurve.decodePoint rejecting encodings that are not on the
    // selected curve — confirm against the ECCurve implementation in use.
    ECPoint point = curve.decodePoint(encodedPoint).normalize();
    try {
        KeyFactory keyFactory = helper.createKeyFactory("EC");
        ECParameterSpec spec = EC5Util.convertToSpec(params);
        java.security.spec.ECPoint jPoint = EC5Util.convertPoint(point);
        return keyFactory.generatePublic(new ECPublicKeySpec(jPoint, spec));
    } catch (Exception e) {
        throw new IllegalStateException(e.getMessage(), e);
    }
}
the class RFC3280CertPathUtilities method processCRLB1.
/**
 * If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches
 * cRLIssuer in the DP and that the complete CRL contains an issuing distribution point extension
 * with the indirectCRL boolean asserted. Otherwise, verify that the CRL issuer matches the
 * certificate issuer.
 *
 * @param dp The distribution point.
 * @param cert The certificate or attribute certificate; cast to <code>X509Certificate</code> here.
 * @param crl The CRL for <code>cert</code>.
 * @throws AnnotatedException if one of the above conditions does not apply or an error occurs.
 */
protected static void processCRLB1(DistributionPoint dp, Object cert, X509CRL crl) throws AnnotatedException {
    ASN1Primitive idp = RevocationUtilities.getExtensionValue(crl, Extension.issuingDistributionPoint);
    boolean indirect = idp != null && IssuingDistributionPoint.getInstance(idp).isIndirectCRL();
    byte[] crlIssuerBytes = crl.getIssuerX500Principal().getEncoded();
    if (dp.getCRLIssuer() == null) {
        // No cRLIssuer in the DP: the CRL issuer has to be the certificate's issuer.
        if (!crl.getIssuerX500Principal().equals(((X509Certificate) cert).getIssuerX500Principal())) {
            throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
        }
        return;
    }
    // cRLIssuer present: one of its directoryName entries must encode to the CRL's issuer.
    boolean issuerMatched = false;
    for (GeneralName name : dp.getCRLIssuer().getNames()) {
        if (name.getTagNo() != GeneralName.directoryName) {
            continue;
        }
        try {
            if (Arrays.areEqual(name.getName().toASN1Primitive().getEncoded(), crlIssuerBytes)) {
                issuerMatched = true;
            }
        } catch (IOException e) {
            throw new AnnotatedException("CRL issuer information from distribution point cannot be decoded.", e);
        }
    }
    if (issuerMatched && !indirect) {
        throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
    }
    if (!issuerMatched) {
        throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
    }
}
the class BcITSPublicVerificationKey method getKey.
/**
 * Converts the wrapped ITS public verification key into BC lightweight EC public key parameters.
 *
 * The named curve and its OID are chosen from the key's choice tag, the curve point is decoded
 * on that curve and wrapped together with the named domain parameters.
 *
 * @return EC public key parameters carrying the decoded point and the named curve.
 * @throws IllegalStateException if the key choice or curve point type is not supported, or
 *         if the point cannot be decoded on the selected curve.
 */
public AsymmetricKeyParameter getKey() {
    final ASN1ObjectIdentifier curveID;
    final X9ECParameters params;
    switch (verificationKey.getChoice()) {
        case PublicVerificationKey.ecdsaNistP256:
            curveID = SECObjectIdentifiers.secp256r1;
            params = NISTNamedCurves.getByOID(curveID);
            break;
        case PublicVerificationKey.ecdsaBrainpoolP256r1:
            curveID = TeleTrusTObjectIdentifiers.brainpoolP256r1;
            params = TeleTrusTNamedCurves.getByOID(curveID);
            break;
        case PublicVerificationKey.ecdsaBrainpoolP384r1:
            curveID = TeleTrusTObjectIdentifiers.brainpoolP384r1;
            params = TeleTrusTNamedCurves.getByOID(curveID);
            break;
        default:
            throw new IllegalStateException("unknown key type");
    }
    ECCurve curve = params.getCurve();
    ASN1Encodable curvePoint = verificationKey.getCurvePoint();
    if (!(curvePoint instanceof EccCurvePoint)) {
        throw new IllegalStateException("extension to public verification key not supported");
    }
    EccCurvePoint itsPoint = (EccCurvePoint) curvePoint;
    // Only the two known point encodings are accepted; anything else is rejected before decoding.
    if (!(itsPoint instanceof EccP256CurvePoint) && !(itsPoint instanceof EccP384CurvePoint)) {
        throw new IllegalStateException("unknown key type");
    }
    byte[] encodedPoint = itsPoint.getEncodedPoint();
    // NOTE(review): relies on ECCurve.decodePoint rejecting encodings that are not on the
    // selected curve — confirm against the ECCurve implementation in use.
    ECPoint point = curve.decodePoint(encodedPoint).normalize();
    return new ECPublicKeyParameters(point, new ECNamedDomainParameters(curveID, params));
}