
Example 1 with PKIXCRLStoreSelector

use of com.github.zhenwei.provider.jcajce.PKIXCRLStoreSelector in project LinLong-Java by zhenwei1108.

Class RevocationUtilities, method getCompleteCRLs.

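/**
 * Fetches complete CRLs according to RFC 3280.
 *
 * @param dp           The distribution point whose CRL issuer names are added to the selector.
 * @param cert         The <code>X509Certificate</code> for which the CRL should be searched.
 * @param validityDate The date for which the complete CRLs must be valid.
 * @param certStores   The <code>CertStore</code>s searched for CRLs.
 * @param crlStores    The <code>PKIXCRLStore</code>s searched for CRLs.
 * @return A <code>Set</code> of <code>X509CRL</code>s with complete CRLs.
 * @throws AnnotatedException   if <code>cert</code> is not an <code>X509Certificate</code>, or an
 *                              exception occurs while collecting issuer names or picking the CRLs.
 * @throws CRLNotFoundException propagated from <code>checkCRLsNotEmpty</code>, presumably when no
 *                              CRLs are found.
 */
protected static Set getCompleteCRLs(DistributionPoint dp, Object cert, Date validityDate, List certStores, List crlStores) throws AnnotatedException, CRLNotFoundException {
    // The issuer lookup needs an X509Certificate. Check before casting so a caller that passes
    // something else gets the declared exception type rather than an unchecked ClassCastException.
    if (!(cert instanceof X509Certificate)) {
        throw new AnnotatedException("Certificate must be an X509Certificate to locate its CRL issuer.");
    }
    X509Certificate x509Cert = (X509Certificate) cert;
    X509CRLSelector baseCrlSelect = new X509CRLSelector();
    try {
        Set issuers = new HashSet();
        issuers.add(getIssuer(x509Cert));
        RevocationUtilities.getCRLIssuersFromDistributionPoint(dp, issuers, baseCrlSelect);
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Could not get issuer information from distribution point.", e);
    }
    // Restrict matches to CRLs that could cover this certificate.
    baseCrlSelect.setCertificateChecking(x509Cert);
    PKIXCRLStoreSelector crlSelect = new PKIXCRLStoreSelector.Builder(baseCrlSelect).setCompleteCRLEnabled(true).build();
    Set crls = PKIXCRLUtil.findCRLs(crlSelect, validityDate, certStores, crlStores);
    // An empty result is an error for complete CRLs; the check raises the declared exceptions.
    checkCRLsNotEmpty(crls, cert);
    return crls;
}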

Example 2 with PKIXCRLStoreSelector

use of com.github.zhenwei.provider.jcajce.PKIXCRLStoreSelector in project LinLong-Java by zhenwei1108.

Class RevocationUtilities, method getDeltaCRLs.

/**
 * Fetches delta CRLs according to RFC 3280 section 5.2.4.
 *
 * @param validityDate  The date for which the delta CRLs must be valid.
 * @param completeCRL   The complete CRL the delta CRL is for.
 * @param certStores    The <code>CertStore</code>s searched for delta CRLs.
 * @param pkixCrlStores The <code>PKIXCRLStore</code>s searched for delta CRLs.
 * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
 * @throws AnnotatedException if an exception occurs while picking the delta CRLs.
 */
protected static Set getDeltaCRLs(Date validityDate, X509CRL completeCRL, List<CertStore> certStores, List<PKIXCRLStore> pkixCrlStores) throws AnnotatedException {
    X509CRLSelector deltaSelector = new X509CRLSelector();
    // 5.2.4 (a): a delta must be issued by the same issuer as the complete CRL.
    try {
        deltaSelector.addIssuerName(completeCRL.getIssuerX500Principal().getEncoded());
    } catch (IOException e) {
        throw new AnnotatedException("cannot extract issuer from CRL.", e);
    }
    // CRL number of the complete CRL; stays null when the extension is absent.
    BigInteger baseNumber;
    try {
        ASN1Primitive numberObj = RevocationUtilities.getExtensionValue(completeCRL, Extension.cRLNumber);
        baseNumber = (numberObj == null) ? null : ASN1Integer.getInstance(numberObj).getPositiveValue();
    } catch (Exception e) {
        throw new AnnotatedException("cannot extract CRL number extension from CRL", e);
    }
    // 5.2.4 (b): raw issuing-distribution-point extension value of the complete CRL.
    byte[] idpValue;
    try {
        idpValue = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
    } catch (Exception e) {
        throw new AnnotatedException("issuing distribution point extension value could not be read", e);
    }
    // 5.2.4 (d): a delta's CRL number must be greater than the complete CRL's number.
    if (baseNumber != null) {
        deltaSelector.setMinCRLNumber(baseNumber.add(BigInteger.ONE));
    } else {
        deltaSelector.setMinCRLNumber(null);
    }
    PKIXCRLStoreSelector deltaSelect = new PKIXCRLStoreSelector.Builder(deltaSelector)
        .setIssuingDistributionPoint(idpValue)
        .setIssuingDistributionPointEnabled(true)
        // 5.2.4 (c): the delta's base CRL number may not exceed the complete CRL's number.
        .setMaxBaseCRLNumber(baseNumber)
        .build();
    Set candidates = PKIXCRLUtil.findCRLs(deltaSelect, validityDate, certStores, pkixCrlStores);
    // Keep only those candidates that actually are delta CRLs.
    Set deltas = new HashSet();
    for (Object candidate : candidates) {
        X509CRL crl = (X509CRL) candidate;
        if (isDeltaCRL(crl)) {
            deltas.add(crl);
        }
    }
    return deltas;
}

Example 3 with PKIXCRLStoreSelector

use of com.github.zhenwei.provider.jcajce.PKIXCRLStoreSelector in project LinLong-Java by zhenwei1108.

Class CertPathValidatorUtilities, method getCompleteCRLs.

/**
 * Fetches complete CRLs according to RFC 3280.
 *
 * @param params       The revocation checker parameters, handed on to <code>checkCRLsNotEmpty</code>.
 * @param dp           The distribution point whose CRL issuer names are added to the selector.
 * @param cert         The certificate for which the CRL should be searched.
 * @param paramsPKIX   The extended PKIX parameters supplying the certificate and CRL stores.
 * @param validityDate The date for which the complete CRLs must be valid.
 * @return A <code>Set</code> of <code>X509CRL</code>s with complete CRLs.
 * @throws AnnotatedException if an exception occurs while collecting issuer names or picking the CRLs.
 * @throws RecoverableCertPathValidatorException propagated from <code>checkCRLsNotEmpty</code>,
 *                                               presumably when no CRLs are found.
 */
protected static Set getCompleteCRLs(PKIXCertRevocationCheckerParameters params, DistributionPoint dp, Object cert, PKIXExtendedParameters paramsPKIX, Date validityDate) throws AnnotatedException, RecoverableCertPathValidatorException {
    Set issuerNames = new HashSet();
    X509CRLSelector selector = new X509CRLSelector();
    try {
        issuerNames.add(PrincipalUtils.getEncodedIssuerPrincipal(cert));
        CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint(dp, issuerNames, selector);
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Could not get issuer information from distribution point.", e);
    }
    // Only an X509Certificate can be used to narrow the match to CRLs covering it.
    if (cert instanceof X509Certificate) {
        selector.setCertificateChecking((X509Certificate) cert);
    }
    PKIXCRLStoreSelector.Builder builder = new PKIXCRLStoreSelector.Builder(selector);
    builder.setCompleteCRLEnabled(true);
    PKIXCRLStoreSelector storeSelector = builder.build();
    Set found = PKIXCRLUtil.findCRLs(storeSelector, validityDate, paramsPKIX.getCertStores(), paramsPKIX.getCRLStores());
    // An empty result is an error for complete CRLs; the check raises the declared exceptions.
    checkCRLsNotEmpty(params, found, cert);
    return found;
}

Example 4 with PKIXCRLStoreSelector

use of com.github.zhenwei.provider.jcajce.PKIXCRLStoreSelector in project LinLong-Java by zhenwei1108.

Class CertPathValidatorUtilities, method getDeltaCRLs.

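/**
 * Fetches delta CRLs according to RFC 3280 section 5.2.4.
 * <p>
 * When the configured stores yield nothing and the
 * <code>com.github.zhenwei.provider.x509.enableCRLDP</code> override is set, the URIs found in the
 * complete CRL's issuing distribution point are tried through <code>CrlCache</code> as a fallback.
 *
 * @param validityDate  The date for which the delta CRLs must be valid.
 * @param completeCRL   The complete CRL the delta CRL is for.
 * @param certStores    The <code>CertStore</code>s searched for delta CRLs.
 * @param pkixCrlStores The <code>PKIXCRLStore</code>s searched for delta CRLs.
 * @param helper        Used to create the <code>CertificateFactory</code> for the CRLDP fallback.
 * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
 * @throws AnnotatedException if an exception occurs while picking the delta CRLs.
 */
protected static Set getDeltaCRLs(Date validityDate, X509CRL completeCRL, List<CertStore> certStores, List<PKIXCRLStore> pkixCrlStores, JcaJceHelper helper) throws AnnotatedException {
    X509CRLSelector baseDeltaSelect = new X509CRLSelector();
    // 5.2.4 (a): a delta must be issued by the same issuer as the complete CRL.
    try {
        baseDeltaSelect.addIssuerName(PrincipalUtils.getIssuerPrincipal(completeCRL).getEncoded());
    } catch (IOException e) {
        throw new AnnotatedException("Cannot extract issuer from CRL.", e);
    }
    // CRL number of the complete CRL; stays null when the extension is absent.
    BigInteger completeCRLNumber = null;
    try {
        ASN1Primitive derObject = CertPathValidatorUtilities.getExtensionValue(completeCRL, CRL_NUMBER);
        if (derObject != null) {
            completeCRLNumber = ASN1Integer.getInstance(derObject).getPositiveValue();
        }
    } catch (Exception e) {
        throw new AnnotatedException("CRL number extension could not be extracted from CRL.", e);
    }
    // 5.2.4 (b): raw extension value; null when the complete CRL carries no IDP extension.
    byte[] idp;
    try {
        idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
    } catch (Exception e) {
        throw new AnnotatedException("Issuing distribution point extension value could not be read.", e);
    }
    // 5.2.4 (d): a delta's CRL number must be greater than the complete CRL's number.
    baseDeltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber.add(BigInteger.ONE));
    PKIXCRLStoreSelector.Builder selBuilder = new PKIXCRLStoreSelector.Builder(baseDeltaSelect);
    selBuilder.setIssuingDistributionPoint(idp);
    selBuilder.setIssuingDistributionPointEnabled(true);
    // 5.2.4 (c): the delta's base CRL number may not exceed the complete CRL's number.
    selBuilder.setMaxBaseCRLNumber(completeCRLNumber);
    PKIXCRLStoreSelector deltaSelect = selBuilder.build();
    Set temp = PKIXCRLUtil.findCRLs(deltaSelect, validityDate, certStores, pkixCrlStores);
    // The named stores are empty and the caller's configuration explicitly allows CRLDP fetching.
    if (temp.isEmpty() && Properties.isOverrideSet("com.github.zhenwei.provider.x509.enableCRLDP")) {
        temp = findDeltaCRLsViaCRLDP(deltaSelect, validityDate, idp, helper);
    }
    // Keep only those candidates that actually are delta CRLs.
    Set result = new HashSet();
    for (Iterator it = temp.iterator(); it.hasNext(); ) {
        X509CRL crl = (X509CRL) it.next();
        if (isDeltaCRL(crl)) {
            result.add(crl);
        }
    }
    return result;
}

/**
 * CRLDP fallback for <code>getDeltaCRLs</code>: for each distribution point in <code>idp</code>, the
 * first URI general name is fetched through <code>CrlCache</code> and the resulting store is searched
 * with <code>deltaSelect</code>. A later distribution point's result replaces an earlier one.
 *
 * @param deltaSelect  The selector built for the delta CRLs.
 * @param validityDate The date for which the delta CRLs must be valid.
 * @param idp          Raw issuing-distribution-point extension value, or null if absent.
 * @param helper       Used to create the <code>CertificateFactory</code> for the fetched CRLs.
 * @return The CRLs matched in the last fetched store, or an empty set when nothing could be fetched.
 * @throws AnnotatedException if the certificate factory cannot be created.
 */
private static Set findDeltaCRLsViaCRLDP(PKIXCRLStoreSelector deltaSelect, Date validityDate, byte[] idp, JcaJceHelper helper) throws AnnotatedException {
    CertificateFactory certFact;
    try {
        certFact = helper.createCertificateFactory("X.509");
    } catch (Exception e) {
        throw new AnnotatedException("cannot create certificate factory: " + e.getMessage(), e);
    }
    Set found = new HashSet();
    // NOTE(review): idp is the value read with getExtensionValue(ISSUING_DISTRIBUTION_POINT), yet it is
    // parsed here as a CRLDistPoint -- confirm this is the intended structure.
    CRLDistPoint id = CRLDistPoint.getInstance(idp);
    if (id == null) {
        // No IDP extension on the complete CRL, so there is no URI to fetch from.
        return found;
    }
    DistributionPoint[] dps = id.getDistributionPoints();
    for (int i = 0; i < dps.length; i++) {
        DistributionPointName dpn = dps[i].getDistributionPoint();
        // Only fullName distribution points can carry URIs.
        if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) {
            continue;
        }
        GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
        for (int j = 0; j < genNames.length; j++) {
            // genNames is indexed by j; i indexes dps (indexing with i here read the wrong name).
            GeneralName name = genNames[j];
            if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
                continue;
            }
            try {
                // Fetches from a URI taken from the CRL itself; only reached under the enableCRLDP override.
                PKIXCRLStore store = CrlCache.getCrl(certFact, validityDate, new URI(((ASN1String) name.getName()).getString()));
                if (store != null) {
                    found = PKIXCRLUtil.findCRLs(deltaSelect, validityDate, Collections.emptyList(), Collections.singletonList(store));
                }
                // First URI attempted without error settles this distribution point.
                break;
            } catch (Exception e) {
                // Best effort: a URI that cannot be parsed or fetched is skipped and the next one tried.
            }
        }
    }
    return found;
}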

Example 5 with PKIXCRLStoreSelector

use of com.github.zhenwei.provider.jcajce.PKIXCRLStoreSelector in project LinLong-Java by zhenwei1108.

Class RFC3280CertPathUtilities, method processCRLA1ii.

/**
 * Collects the complete CRLs issued by <code>crl</code>'s issuer that can cover <code>cert</code>,
 * plus the delta CRLs for <code>crl</code> when delta processing is enabled on
 * <code>paramsPKIX</code> (presumably the (a)(1)(ii) step of RFC 3280 section 6.3.3 -- confirm).
 *
 * @param paramsPKIX   The extended PKIX parameters supplying the stores and the use-deltas flag.
 * @param currentDate  Not used by this method; kept for signature compatibility.
 * @param validityDate The date for which the CRLs must be valid.
 * @param cert         The certificate being checked.
 * @param crl          The CRL whose issuer and delta CRLs are looked up.
 * @return A two-element array: index 0 the complete CRLs, index 1 the delta CRLs (empty when
 *         deltas are disabled).
 * @throws AnnotatedException if the CRL issuer cannot be added to the selector or delta CRLs cannot be obtained.
 */
protected static Set[] processCRLA1ii(PKIXExtendedParameters paramsPKIX, Date currentDate, Date validityDate, X509Certificate cert, X509CRL crl) throws AnnotatedException {
    X509CRLSelector issuerSelect = new X509CRLSelector();
    issuerSelect.setCertificateChecking(cert);
    try {
        issuerSelect.addIssuerName(crl.getIssuerX500Principal().getEncoded());
    } catch (IOException e) {
        throw new AnnotatedException("Cannot extract issuer from CRL." + e, e);
    }
    PKIXCRLStoreSelector.Builder builder = new PKIXCRLStoreSelector.Builder(issuerSelect);
    builder.setCompleteCRLEnabled(true);
    Set completeCRLs = PKIXCRLUtil.findCRLs(builder.build(), validityDate, paramsPKIX.getCertStores(), paramsPKIX.getCRLStores());
    Set deltaCRLs = new HashSet();
    if (!paramsPKIX.isUseDeltasEnabled()) {
        return new Set[] { completeCRLs, deltaCRLs };
    }
    try {
        deltaCRLs.addAll(RevocationUtilities.getDeltaCRLs(validityDate, crl, paramsPKIX.getCertStores(), paramsPKIX.getCRLStores()));
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Exception obtaining delta CRLs.", e);
    }
    return new Set[] { completeCRLs, deltaCRLs };
}
