Example 21 with DistributionPoint
use of de.carne.certmgr.certs.x509.DistributionPoint in project nhin-d by DirectProject.
the class CRLRevocationManager method loadCRLs.
/**
* Extract and fetch all CRLs stored within a given certificate. Cache is
* updated per policy or if the cached CRL has passed planned update date.
* This method is thread safe.
*
* @param certificate
* The certificate from which to extract and fetch CRLs.
* @return The first CRL loaded from the certificate CRL distribution points
* @throws CRLException
*/
protected X509CRL loadCRLs(X509Certificate certificate) {
if (certificate == null)
return null;
X509CRL retVal = null;
try {
// get the distribution points extension
CRLDistPoint distPoints = CRLDistPoint.getInstance(getExtensionValue(certificate, X509Extensions.CRLDistributionPoints.getId()));
// Add CRL distribution point(s)
if (distPoints != null) {
// iterate through the distribution points and get the first CRL that can be obtained
for (DistributionPoint distPoint : distPoints.getDistributionPoints()) {
String distPointURL = distPoint.getDistributionPoint().getName().toString();
if (distPointURL.startsWith("General")) {
// get the actual URL associated with the name
distPointURL = getNameString(distPointURL);
}
// get the CRL from the distribution point CRL
retVal = getCrlFromUri(distPointURL);
if (retVal != null)
// do we need to retrieve the list from each CRL, or is each dist point identical?
return retVal;
}
}
} catch (Exception e) {
if (LOGGER.isWarnEnabled())
LOGGER.warn("Unable to handle CDP CRL(s): " + e.getMessage());
}
return null;
}
Also used :
X509CRL(java.security.cert.X509CRL)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
AnnotatedException(org.bouncycastle.jce.provider.AnnotatedException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
NHINDException(org.nhindirect.stagent.NHINDException)
CRLException(java.security.cert.CRLException)
NoSuchProviderException(java.security.NoSuchProviderException)
Example 22 with DistributionPoint
use of de.carne.certmgr.certs.x509.DistributionPoint in project poi by apache.
the class PkiTestUtils method generateCertificate.
static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, Date notBefore, Date notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, boolean caFlag, int pathLength, String crlUri, String ocspUri, KeyUsage keyUsage) throws IOException, OperatorCreationException, CertificateException {
String signatureAlgorithm = "SHA1withRSA";
X500Name issuerName;
if (issuerCertificate != null) {
issuerName = new X509CertificateHolder(issuerCertificate.getEncoded()).getIssuer();
} else {
issuerName = new X500Name(subjectDn);
}
RSAPublicKey rsaPubKey = (RSAPublicKey) subjectPublicKey;
RSAKeyParameters rsaSpec = new RSAKeyParameters(false, rsaPubKey.getModulus(), rsaPubKey.getPublicExponent());
SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(rsaSpec);
DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build().get(CertificateID.HASH_SHA1);
X509v3CertificateBuilder certificateGenerator = new X509v3CertificateBuilder(issuerName, new BigInteger(128, new SecureRandom()), notBefore, notAfter, new X500Name(subjectDn), subjectPublicKeyInfo);
X509ExtensionUtils exUtils = new X509ExtensionUtils(digestCalc);
SubjectKeyIdentifier subKeyId = exUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo);
AuthorityKeyIdentifier autKeyId = (issuerCertificate != null) ? exUtils.createAuthorityKeyIdentifier(new X509CertificateHolder(issuerCertificate.getEncoded())) : exUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo);
certificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subKeyId);
certificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, autKeyId);
if (caFlag) {
BasicConstraints bc;
if (-1 == pathLength) {
bc = new BasicConstraints(true);
} else {
bc = new BasicConstraints(pathLength);
}
certificateGenerator.addExtension(Extension.basicConstraints, false, bc);
}
if (null != crlUri) {
int uri = GeneralName.uniformResourceIdentifier;
DERIA5String crlUriDer = new DERIA5String(crlUri);
GeneralName gn = new GeneralName(uri, crlUriDer);
DERSequence gnDer = new DERSequence(gn);
GeneralNames gns = GeneralNames.getInstance(gnDer);
DistributionPointName dpn = new DistributionPointName(0, gns);
DistributionPoint distp = new DistributionPoint(dpn, null, null);
DERSequence distpDer = new DERSequence(distp);
certificateGenerator.addExtension(Extension.cRLDistributionPoints, false, distpDer);
}
if (null != ocspUri) {
int uri = GeneralName.uniformResourceIdentifier;
GeneralName ocspName = new GeneralName(uri, ocspUri);
AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess(X509ObjectIdentifiers.ocspAccessMethod, ocspName);
certificateGenerator.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess);
}
if (null != keyUsage) {
certificateGenerator.addExtension(Extension.keyUsage, true, keyUsage);
}
JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm);
signerBuilder.setProvider("BC");
X509CertificateHolder certHolder = certificateGenerator.build(signerBuilder.build(issuerPrivateKey));
// .getEncoded()));
return new JcaX509CertificateConverter().getCertificate(certHolder);
}
Also used :
AuthorityInformationAccess(org.bouncycastle.asn1.x509.AuthorityInformationAccess)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
DigestCalculator(org.bouncycastle.operator.DigestCalculator)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
X500Name(org.bouncycastle.asn1.x500.X500Name)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
RSAKeyParameters(org.bouncycastle.crypto.params.RSAKeyParameters)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERSequence(org.bouncycastle.asn1.DERSequence)
RSAPublicKey(java.security.interfaces.RSAPublicKey)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName)
SecureRandom(java.security.SecureRandom)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
X509ExtensionUtils(org.bouncycastle.cert.X509ExtensionUtils)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Example 23 with DistributionPoint
use of de.carne.certmgr.certs.x509.DistributionPoint in project xipki by xipki.
the class CaUtil method createCrlDistributionPoints.
public static CRLDistPoint createCrlDistributionPoints(List<String> crlUris, X500Name caSubject, X500Name crlSignerSubject) {
ParamUtil.requireNonEmpty("crlUris", crlUris);
int size = crlUris.size();
DistributionPoint[] points = new DistributionPoint[1];
GeneralName[] names = new GeneralName[size];
for (int i = 0; i < size; i++) {
names[i] = new GeneralName(GeneralName.uniformResourceIdentifier, crlUris.get(i));
}
// Distribution Point
GeneralNames gns = new GeneralNames(names);
DistributionPointName pointName = new DistributionPointName(gns);
GeneralNames crlIssuer = null;
if (crlSignerSubject != null && !crlSignerSubject.equals(caSubject)) {
GeneralName crlIssuerName = new GeneralName(crlSignerSubject);
crlIssuer = new GeneralNames(crlIssuerName);
}
points[0] = new DistributionPoint(pointName, null, crlIssuer);
return new CRLDistPoint(points);
}
Also used :
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
Example 24 with DistributionPoint
use of de.carne.certmgr.certs.x509.DistributionPoint in project xipki by xipki.
the class ExtensionsChecker method checkExtensionCrlDistributionPoints.
// method checkExtensionIssuerAltNames
private void checkExtensionCrlDistributionPoints(StringBuilder failureMsg, byte[] extensionValue, X509IssuerInfo issuerInfo) {
CRLDistPoint isCrlDistPoints = CRLDistPoint.getInstance(extensionValue);
DistributionPoint[] isDistributionPoints = isCrlDistPoints.getDistributionPoints();
if (isDistributionPoints == null) {
addViolation(failureMsg, "size of CRLDistributionPoints", 0, 1);
return;
} else {
int len = isDistributionPoints.length;
if (len != 1) {
addViolation(failureMsg, "size of CRLDistributionPoints", len, 1);
return;
}
}
Set<String> isCrlUrls = new HashSet<>();
for (DistributionPoint entry : isDistributionPoints) {
int asn1Type = entry.getDistributionPoint().getType();
if (asn1Type != DistributionPointName.FULL_NAME) {
addViolation(failureMsg, "tag of DistributionPointName of CRLDistibutionPoints", asn1Type, DistributionPointName.FULL_NAME);
continue;
}
GeneralNames isDistributionPointNames = GeneralNames.getInstance(entry.getDistributionPoint().getName());
GeneralName[] names = isDistributionPointNames.getNames();
for (int i = 0; i < names.length; i++) {
GeneralName name = names[i];
if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
addViolation(failureMsg, "tag of CRL URL", name.getTagNo(), GeneralName.uniformResourceIdentifier);
} else {
String uri = ((ASN1String) name.getName()).getString();
isCrlUrls.add(uri);
}
}
Set<String> expCrlUrls = issuerInfo.getCrlUrls();
Set<String> diffs = strInBnotInA(expCrlUrls, isCrlUrls);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("CRL URLs ").append(diffs).append(" are present but not expected; ");
}
diffs = strInBnotInA(isCrlUrls, expCrlUrls);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("CRL URLs ").append(diffs).append(" are absent but are required; ");
}
}
}
Also used :
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1String(org.bouncycastle.asn1.ASN1String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERT61String(org.bouncycastle.asn1.DERT61String)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ASN1String(org.bouncycastle.asn1.ASN1String)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
HashSet(java.util.HashSet)
Example 25 with DistributionPoint
use of de.carne.certmgr.certs.x509.DistributionPoint in project xipki by xipki.
the class ExtensionsChecker method checkExtensionDeltaCrlDistributionPoints.
// method checkExtensionCrlDistributionPoints
private void checkExtensionDeltaCrlDistributionPoints(StringBuilder failureMsg, byte[] extensionValue, X509IssuerInfo issuerInfo) {
CRLDistPoint isCrlDistPoints = CRLDistPoint.getInstance(extensionValue);
DistributionPoint[] isDistributionPoints = isCrlDistPoints.getDistributionPoints();
if (isDistributionPoints == null) {
addViolation(failureMsg, "size of CRLDistributionPoints (deltaCRL)", 0, 1);
return;
} else {
int len = isDistributionPoints.length;
if (len != 1) {
addViolation(failureMsg, "size of CRLDistributionPoints (deltaCRL)", len, 1);
return;
}
}
Set<String> isCrlUrls = new HashSet<>();
for (DistributionPoint entry : isDistributionPoints) {
int asn1Type = entry.getDistributionPoint().getType();
if (asn1Type != DistributionPointName.FULL_NAME) {
addViolation(failureMsg, "tag of DistributionPointName of CRLDistibutionPoints (deltaCRL)", asn1Type, DistributionPointName.FULL_NAME);
continue;
}
GeneralNames isDistributionPointNames = GeneralNames.getInstance(entry.getDistributionPoint().getName());
GeneralName[] names = isDistributionPointNames.getNames();
for (int i = 0; i < names.length; i++) {
GeneralName name = names[i];
if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
addViolation(failureMsg, "tag of deltaCRL URL", name.getTagNo(), GeneralName.uniformResourceIdentifier);
} else {
String uri = ((ASN1String) name.getName()).getString();
isCrlUrls.add(uri);
}
}
Set<String> expCrlUrls = issuerInfo.getCrlUrls();
Set<String> diffs = strInBnotInA(expCrlUrls, isCrlUrls);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("deltaCRL URLs ").append(diffs).append(" are present but not expected; ");
}
diffs = strInBnotInA(isCrlUrls, expCrlUrls);
if (CollectionUtil.isNonEmpty(diffs)) {
failureMsg.append("deltaCRL URLs ").append(diffs).append(" are absent but are required; ");
}
}
}
Also used :
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1String(org.bouncycastle.asn1.ASN1String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERT61String(org.bouncycastle.asn1.DERT61String)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
ASN1String(org.bouncycastle.asn1.ASN1String)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
HashSet(java.util.HashSet)
Aggregations
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)24
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)21
GeneralName (org.bouncycastle.asn1.x509.GeneralName)20
IOException (java.io.IOException)14
DistributionPointName (org.bouncycastle.asn1.x509.DistributionPointName)12
DERIA5String (org.bouncycastle.asn1.DERIA5String)9
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)9
IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)8
GeneralSecurityException (java.security.GeneralSecurityException)7
ArrayList (java.util.ArrayList)7
CertPathValidatorException (java.security.cert.CertPathValidatorException)6
List (java.util.List)6
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)5
ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)5
DEROctetString (org.bouncycastle.asn1.DEROctetString)5
ExtCertPathValidatorException (org.bouncycastle.jce.exception.ExtCertPathValidatorException)5
DistributionPoint (de.carne.certmgr.certs.x509.DistributionPoint)4
CertPathBuilderException (java.security.cert.CertPathBuilderException)4
CertificateExpiredException (java.security.cert.CertificateExpiredException)4
CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)4
