Examples with X509CRLHolder com.github.zhenwei.pkix.cert.X509CRLHolder used on opensource projects

Example 1 with X509CRLHolder

use of com.github.zhenwei.pkix.cert.X509CRLHolder in project LinLong-Java by zhenwei1108.

the class CRLValidation method validate.

public void validate(CertPathValidationContext context, X509CertificateHolder certificate) throws CertPathValidationException {
    // TODO: add handling of delta CRLs
    Collection matches = crls.getMatches(new Selector() {

        public boolean match(Object obj) {
            X509CRLHolder crl = (X509CRLHolder) obj;
            return (crl.getIssuer().equals(workingIssuerName));
        }

        public Object clone() {
            return this;
        }
    });
    if (matches.isEmpty()) {
        throw new CertPathValidationException("CRL for " + workingIssuerName + " not found");
    }
    for (Iterator it = matches.iterator(); it.hasNext(); ) {
        X509CRLHolder crl = (X509CRLHolder) it.next();
        // TODO: not quite right!
        if (crl.getRevokedCertificate(certificate.getSerialNumber()) != null) {
            throw new CertPathValidationException("Certificate revoked");
        }
    }
    this.workingIssuerName = certificate.getSubject();
}

Example 2 with X509CRLHolder

use of com.github.zhenwei.pkix.cert.X509CRLHolder in project LinLong-Java by zhenwei1108.

the class MiscPEMGenerator method createPemObject.

private PemObject createPemObject(Object o) throws IOException {
    String type;
    byte[] encoding;
    if (o instanceof PemObject) {
        return (PemObject) o;
    }
    if (o instanceof PemObjectGenerator) {
        return ((PemObjectGenerator) o).generate();
    }
    if (o instanceof X509CertificateHolder) {
        type = "CERTIFICATE";
        encoding = ((X509CertificateHolder) o).getEncoded();
    } else if (o instanceof X509CRLHolder) {
        type = "X509 CRL";
        encoding = ((X509CRLHolder) o).getEncoded();
    } else if (o instanceof X509TrustedCertificateBlock) {
        type = "TRUSTED CERTIFICATE";
        encoding = ((X509TrustedCertificateBlock) o).getEncoded();
    } else if (o instanceof PrivateKeyInfo) {
        PrivateKeyInfo info = (PrivateKeyInfo) o;
        ASN1ObjectIdentifier algOID = info.getPrivateKeyAlgorithm().getAlgorithm();
        if (algOID.equals(PKCSObjectIdentifiers.rsaEncryption)) {
            type = "RSA PRIVATE KEY";
            encoding = info.parsePrivateKey().toASN1Primitive().getEncoded();
        } else if (algOID.equals(dsaOids[0]) || algOID.equals(dsaOids[1])) {
            type = "DSA PRIVATE KEY";
            DSAParameter p = DSAParameter.getInstance(info.getPrivateKeyAlgorithm().getParameters());
            ASN1EncodableVector v = new ASN1EncodableVector();
            v.add(new ASN1Integer(0));
            v.add(new ASN1Integer(p.getP()));
            v.add(new ASN1Integer(p.getQ()));
            v.add(new ASN1Integer(p.getG()));
            BigInteger x = ASN1Integer.getInstance(info.parsePrivateKey()).getValue();
            BigInteger y = p.getG().modPow(x, p.getP());
            v.add(new ASN1Integer(y));
            v.add(new ASN1Integer(x));
            encoding = new DERSequence(v).getEncoded();
        } else if (algOID.equals(X9ObjectIdentifiers.id_ecPublicKey)) {
            type = "EC PRIVATE KEY";
            encoding = info.parsePrivateKey().toASN1Primitive().getEncoded();
        } else {
            type = "PRIVATE KEY";
            encoding = info.getEncoded();
        }
    } else if (o instanceof SubjectPublicKeyInfo) {
        type = "PUBLIC KEY";
        encoding = ((SubjectPublicKeyInfo) o).getEncoded();
    } else if (o instanceof X509AttributeCertificateHolder) {
        type = "ATTRIBUTE CERTIFICATE";
        encoding = ((X509AttributeCertificateHolder) o).getEncoded();
    } else if (o instanceof com.github.zhenwei.pkix.pkcs.PKCS10CertificationRequest) {
        type = "CERTIFICATE REQUEST";
        encoding = ((PKCS10CertificationRequest) o).getEncoded();
    } else if (o instanceof PKCS8EncryptedPrivateKeyInfo) {
        type = "ENCRYPTED PRIVATE KEY";
        encoding = ((PKCS8EncryptedPrivateKeyInfo) o).getEncoded();
    } else if (o instanceof ContentInfo) {
        type = "PKCS7";
        encoding = ((ContentInfo) o).getEncoded();
    } else {
        throw new PemGenerationException("unknown object passed - can't encode.");
    }
    if (encryptor != null) {
        String dekAlgName = Strings.toUpperCase(encryptor.getAlgorithm());
        // Note: For backward compatibility
        if (dekAlgName.equals("DESEDE")) {
            dekAlgName = "DES-EDE3-CBC";
        }
        byte[] iv = encryptor.getIV();
        byte[] encData = encryptor.encrypt(encoding);
        List headers = new ArrayList(2);
        headers.add(new PemHeader("Proc-Type", "4,ENCRYPTED"));
        headers.add(new PemHeader("DEK-Info", dekAlgName + "," + getHexEncoded(iv)));
        return new PemObject(type, headers, encData);
    }
    return new PemObject(type, encoding);
}

Example 3 with X509CRLHolder

use of com.github.zhenwei.pkix.cert.X509CRLHolder in project LinLong-Java by zhenwei1108.

the class ESTService method getCACerts.

/**
 * Query the EST server for ca certificates.
 * <p>
 * RFC7030 leans heavily on the verification phases of TLS for both client and server
 * verification.
 * <p>
 * It does however define a bootstrapping mode where if the client does not have the necessary ca
 * certificates to validate the server it can defer to an external source, such as a human, to
 * formally accept the ca certs.
 * <p>
 * If callers are using bootstrapping they must examine the CACertsResponse and validate it
 * externally.
 *
 * @return A store of X509Certificates.
 */
public CACertsResponse getCACerts() throws ESTException {
    ESTResponse resp = null;
    Exception finalThrowable = null;
    CACertsResponse caCertsResponse = null;
    URL url = null;
    boolean failedBeforeClose = false;
    try {
        url = new URL(server + CACERTS);
        ESTClient client = clientProvider.makeClient();
        ESTRequest req = new ESTRequestBuilder("GET", url).withClient(client).build();
        resp = client.doRequest(req);
        Store<X509CertificateHolder> caCerts = null;
        Store<X509CRLHolder> crlHolderStore = null;
        if (resp.getStatusCode() == 200) {
            String contentType = resp.getHeaders().getFirstValue("Content-Type");
            if (contentType == null || !contentType.startsWith("application/pkcs7-mime")) {
                String j = contentType != null ? " got " + contentType : " but was not present.";
                throw new ESTException(("Response : " + url.toString() + "Expecting application/pkcs7-mime ") + j, null, resp.getStatusCode(), resp.getInputStream());
            }
            try {
                if (resp.getContentLength() != null && resp.getContentLength() > 0) {
                    ASN1InputStream ain = new ASN1InputStream(resp.getInputStream());
                    SimplePKIResponse spkr = new SimplePKIResponse(ContentInfo.getInstance((ASN1Sequence) ain.readObject()));
                    caCerts = spkr.getCertificates();
                    crlHolderStore = spkr.getCRLs();
                }
            } catch (Throwable ex) {
                throw new ESTException("Decoding CACerts: " + url.toString() + " " + ex.getMessage(), ex, resp.getStatusCode(), resp.getInputStream());
            }
        } else if (// 204 are No Content
        resp.getStatusCode() != 204) {
            throw new ESTException("Get CACerts: " + url.toString(), null, resp.getStatusCode(), resp.getInputStream());
        }
        caCertsResponse = new CACertsResponse(caCerts, crlHolderStore, req, resp.getSource(), clientProvider.isTrusted());
    } catch (Throwable t) {
        failedBeforeClose = true;
        if (t instanceof ESTException) {
            throw (ESTException) t;
        } else {
            throw new ESTException(t.getMessage(), t);
        }
    } finally {
        if (resp != null) {
            try {
                resp.close();
            } catch (Exception t) {
                finalThrowable = t;
            }
        }
    }
    if (finalThrowable != null) {
        if (finalThrowable instanceof ESTException) {
            throw (ESTException) finalThrowable;
        }
        throw new ESTException("Get CACerts: " + url.toString(), finalThrowable, resp.getStatusCode(), null);
    }
    return caCertsResponse;
}

Example 4 with X509CRLHolder

use of com.github.zhenwei.pkix.cert.X509CRLHolder in project LinLong-Java by zhenwei1108.

the class CMSUtils method getCRLsFromStore.

static List getCRLsFromStore(Store crlStore) throws CMSException {
    List crls = new ArrayList();
    try {
        for (Iterator it = crlStore.getMatches(null).iterator(); it.hasNext(); ) {
            Object rev = it.next();
            if (rev instanceof X509CRLHolder) {
                X509CRLHolder c = (X509CRLHolder) rev;
                crls.add(c.toASN1Structure());
            } else if (rev instanceof OtherRevocationInfoFormat) {
                OtherRevocationInfoFormat infoFormat = OtherRevocationInfoFormat.getInstance(rev);
                validateInfoFormat(infoFormat);
                crls.add(new DERTaggedObject(false, 1, infoFormat));
            } else if (rev instanceof ASN1TaggedObject) {
                crls.add(rev);
            }
        }
        return crls;
    } catch (ClassCastException e) {
        throw new CMSException("error processing certs", e);
    }
}