
Example 86 with X509CRL

Use of java.security.cert.X509CRL in project XobotOS by xamarin.

Class X509CertFactoryImpl, method getCRL:

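/**
 * Returns the CRL object corresponding to the DER encoding provided by the
 * stream, consulting {@code CRL_CACHE} before decoding.
 *
 * <p>The first {@code CRL_CACHE_SEED_LENGTH} bytes are peeked via
 * mark/reset and hashed. If the hash is unknown, the CRL is decoded
 * straight from the stream and its encoding cached. If the hash is known,
 * the complete encoding is read (its length taken from the DER prefix) and
 * compared against the cached entry, because a matching hash alone does
 * not prove the encodings are identical.
 *
 * <p>Security note: the encoding length comes from untrusted input. It is
 * validated before the backing array is allocated, so a length shorter
 * than the seed (or a negative one, should {@code BerInputStream.getLength}
 * ever produce it) is reported as a bad encoding instead of surfacing as
 * an allocation error.
 *
 * @param inStream stream positioned at the start of a DER-encoded CRL; it
 *                 must support mark/reset, otherwise the reset below fails
 *                 with an IOException
 * @return the cached CRL, or a freshly decoded one
 * @throws CRLException if the stream holds too little data for the seed or
 *                      the encoding is malformed
 * @throws IOException  if reading or resetting the stream fails (decoding
 *                      errors in the cache-miss path are reported this way)
 */
private static CRL getCRL(InputStream inStream) throws CRLException, IOException {
    synchronized (CRL_CACHE) {
        // Peek at the prefix of the encoding without consuming it.
        inStream.mark(CRL_CACHE_SEED_LENGTH);
        byte[] seed = readBytes(inStream, CRL_CACHE_SEED_LENGTH);
        inStream.reset();
        if (seed == null) {
            // readBytes signals a short stream with null.
            throw new CRLException("InputStream doesn't contain enough data");
        }
        long hash = CRL_CACHE.getHash(seed);
        if (!CRL_CACHE.contains(hash)) {
            // Cache miss: decode from the stream and remember the result.
            X509CRL fresh = new X509CRLImpl(inStream);
            CRL_CACHE.put(hash, fresh.getEncoded(), fresh);
            return fresh;
        }
        // Candidate hit: validate the untrusted length before allocating.
        int length = BerInputStream.getLength(seed);
        if (length < CRL_CACHE_SEED_LENGTH) {
            throw new CRLException("Bad CRL encoding");
        }
        byte[] encoding = new byte[length];
        Streams.readFully(inStream, encoding);
        CRL cached = (CRL) CRL_CACHE.get(hash, encoding);
        if (cached != null) {
            return cached;
        }
        // Same hash, different bytes: decode this encoding and cache it too.
        CRL decoded = new X509CRLImpl(encoding);
        CRL_CACHE.put(hash, encoding, decoded);
        return decoded;
    }
}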

Example 87 with X509CRL

Use of java.security.cert.X509CRL in project XobotOS by xamarin.

Class RFC3280CertPathUtilities, method checkCRL:

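/**
 * Checks a distribution point for revocation information for the
 * certificate <code>cert</code>, following the lettered steps of
 * RFC 3280 section 6.3.3.
 *
 * <p>Every candidate CRL for the distribution point is processed in turn.
 * A CRL that fails any step is skipped and the next one is tried, so the
 * revocation decision is made by the first CRL that passes all checks.
 * When no CRL passes, the last failure is rethrown; when no candidate
 * produced a failure at all (none were found, or every one was skipped
 * for adding no new reason codes) an AnnotatedException is thrown rather
 * than the bare NullPointerException the original {@code throw
 * lastException} would have raised.
 *
 * @param dp                 The distribution point to consider.
 * @param paramsPKIX         PKIX parameters.
 * @param cert               Certificate to check if it is revoked.
 * @param validDate          The date when the certificate revocation status should be
 *                           checked.
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 * @param defaultCRLSignKey  The public key of the issuer certificate
 *                           <code>defaultCRLSignCert</code>.
 * @param certStatus         The current certificate revocation status; updated in place.
 * @param reasonMask         The reasons mask which is already checked; updated in place.
 * @param certPathCerts      The certificates of the certification path.
 * @throws AnnotatedException if the certificate is revoked or the status cannot be checked
 *                            or some error occurs.
 */
private static void checkCRL(DistributionPoint dp, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, CertStatus certStatus, ReasonsMask reasonMask, List certPathCerts) throws AnnotatedException {
    Date currentDate = new Date(System.currentTimeMillis());
    // No CRL issued now can speak for a future instant.
    if (validDate.getTime() > currentDate.getTime()) {
        throw new AnnotatedException("Validation time is in future.");
    }
    // (a)
    /*
     * We always get timely valid CRLs, so there is no step (a) (1).
     * "locally cached" CRLs are assumed to be in getStore(), additional
     * CRLs must be enabled in the ExtendedPKIXParameters and are in
     * getAdditionalStore()
     */
    Set crls = CertPathValidatorUtilities.getCompleteCRLs(dp, cert, currentDate, paramsPKIX);
    boolean validCrlFound = false;
    AnnotatedException lastException = null;
    Iterator crl_iter = crls.iterator();
    // Stop as soon as the certificate is known to be revoked or every
    // reason code has already been covered.
    while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) {
        try {
            X509CRL crl = (X509CRL) crl_iter.next();
            // (d)
            ReasonsMask interimReasonsMask = RFC3280CertPathUtilities.processCRLD(crl, dp);
            /*
             * The reasons mask is updated at the end, so only valid CRLs
             * can update it. If this CRL does not contain new reasons it
             * must be ignored.
             */
            if (!interimReasonsMask.hasNewReasons(reasonMask)) {
                continue;
            }
            // (f) candidate keys that may have signed this CRL
            Set keys = RFC3280CertPathUtilities.processCRLF(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts);
            // (g) the key that verifies the CRL signature
            PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys);
            X509CRL deltaCRL = null;
            if (paramsPKIX.isUseDeltasEnabled()) {
                // get delta CRLs
                Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl);
                // we only want one valid delta CRL
                // (h)
                deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, key);
            }
            if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) {
                /*
                 * if a certificate has expired, but was revoked, it is not
                 * more in the CRL, so it would be regarded as valid if the
                 * first check is not done
                 */
                if (cert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) {
                    throw new AnnotatedException("No valid CRL for current time found.");
                }
            }
            // (b) (1)
            RFC3280CertPathUtilities.processCRLB1(dp, cert, crl);
            // (b) (2)
            RFC3280CertPathUtilities.processCRLB2(dp, cert, crl);
            // (c)
            RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX);
            // (i)
            RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX);
            // (j)
            RFC3280CertPathUtilities.processCRLJ(validDate, crl, cert, certStatus);
            // (k)
            if (certStatus.getCertStatus() == CRLReason.removeFromCRL) {
                certStatus.setCertStatus(CertStatus.UNREVOKED);
            }
            // update reasons mask
            reasonMask.addReasons(interimReasonsMask);
            // NOTE(review): certStatus and reasonMask are already updated when
            // the critical-extension check below fails; the order is kept as
            // in the original, but a CRL rejected here has still contributed.
            rejectUnsupportedCriticalExtensions(crl, "CRL contains unsupported critical extensions.");
            if (deltaCRL != null) {
                rejectUnsupportedCriticalExtensions(deltaCRL, "Delta CRL contains unsupported critical extension.");
            }
            validCrlFound = true;
        } catch (AnnotatedException e) {
            lastException = e;
        }
    }
    if (!validCrlFound) {
        if (lastException != null) {
            throw lastException;
        }
        // No candidate even reached a checkable failure (empty set, or all
        // skipped for lacking new reasons): report it as a status failure.
        throw new AnnotatedException("No valid CRL found.");
    }
}

/**
 * Fails unless every critical extension of {@code crl} is one this checker
 * understands (issuing distribution point, delta CRL indicator); RFC 3280
 * requires a CRL with an unrecognised critical extension to be rejected.
 *
 * @param crl     the CRL (complete or delta) to inspect
 * @param message exception text to use when an unsupported extension is found
 * @throws AnnotatedException if any other critical extension is present
 */
private static void rejectUnsupportedCriticalExtensions(X509CRL crl, String message) throws AnnotatedException {
    Set criticalExtensions = crl.getCriticalExtensionOIDs();
    if (criticalExtensions == null) {
        return;
    }
    // Copy before mutating: the returned set may be unmodifiable.
    criticalExtensions = new HashSet(criticalExtensions);
    criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId());
    criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId());
    if (!criticalExtensions.isEmpty()) {
        throw new AnnotatedException(message);
    }
}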

Example 88 with X509CRL

Use of java.security.cert.X509CRL in project XobotOS by xamarin.

Class X509CRLStoreSelector, method match:

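/**
 * Tests whether {@code obj} is an X.509 CRL that satisfies this selector's
 * delta/complete constraint, maximum base CRL number and issuing
 * distribution point requirement, then defers to the superclass match.
 *
 * <p>A CRL whose delta CRL indicator extension cannot be decoded is
 * treated as non-matching rather than letting the parse error escape.
 *
 * @param obj candidate object, typically an {@link X509CRL}
 * @return true if the object is an X509CRL accepted by every enabled
 *         criterion of this selector and its superclass
 */
public boolean match(Object obj) {
    if (!(obj instanceof X509CRL)) {
        return false;
    }
    X509CRL crl = (X509CRL) obj;
    // Base CRL number carried by a delta CRL; null for a complete CRL.
    DERInteger dci = null;
    try {
        byte[] bytes = crl.getExtensionValue(X509Extensions.DeltaCRLIndicator.getId());
        if (bytes != null) {
            dci = DERInteger.getInstance(X509ExtensionUtil.fromExtensionValue(bytes));
        }
    } catch (Exception e) {
        return false;
    }
    if (isDeltaCRLIndicatorEnabled() && dci == null) {
        return false;
    }
    if (isCompleteCRLEnabled() && dci != null) {
        return false;
    }
    // Reject a delta CRL whose base number exceeds the configured maximum.
    // Test the sign of compareTo rather than equality with 1: Comparable
    // only guarantees the sign of the result.
    if (dci != null && maxBaseCRLNumber != null && dci.getPositiveValue().compareTo(maxBaseCRLNumber) > 0) {
        return false;
    }
    if (issuingDistributionPointEnabled) {
        byte[] idp = crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId());
        if (issuingDistributionPoint == null) {
            // Selector demands no IDP extension at all.
            if (idp != null) {
                return false;
            }
        } else if (!Arrays.areEqual(idp, issuingDistributionPoint)) {
            // Byte-exact comparison of the encoded extension value.
            return false;
        }
    }
    return super.match(crl);
}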

Example 89 with X509CRL

Use of java.security.cert.X509CRL in project OpenAM by OpenRock.

Class AMCRLStore, method getUpdateCRLFromCrlDP:

/**
 * Fetches a fresh CRL from the CRL distribution points listed in
 * {@code dpExt}, trying each point in order and returning the first one
 * whose data parses as an X.509 CRL.
 *
 * <p>Security note: the distribution point names come from the certificate
 * under examination, so the location contacted is attacker-influenced and
 * the CRL returned here is only parsed, not signature-verified. The caller
 * must validate it against the issuer before relying on it.
 *
 * @param dpExt the certificate's CRL distribution points extension; may be null
 * @return the first CRL fetched and parsed successfully, or null when the
 *         extension is null/undecodable/empty, no point returned data, or
 *         nothing parsed
 */
private synchronized X509CRL getUpdateCRLFromCrlDP(CRLDistributionPointsExtension dpExt) {
    if (dpExt == null) {
        return null;
    }
    List points = null;
    try {
        points = (List) dpExt.get(CRLDistributionPointsExtension.POINTS);
    } catch (IOException ioex) {
        // Best effort: an undecodable extension simply yields no points.
        if (debug.warningEnabled()) {
            debug.warning("AMCRLStore.getUpdateCRLFromCrlDP: ", ioex);
        }
    }
    if (points == null || points.isEmpty()) {
        return null;
    }
    for (Object element : points) {
        GeneralNames names = ((DistributionPoint) element).getFullName();
        if (debug.messageEnabled()) {
            debug.message("AMCRLStore.getUpdateCRLFromCrlDP: DP = " + names);
        }
        byte[] encoded = getCRLsFromGeneralNames(names);
        if (encoded == null || encoded.length == 0) {
            continue;
        }
        try {
            return (X509CRL) cf.generateCRL(new ByteArrayInputStream(encoded));
        } catch (Exception ex) {
            // Unparseable data from this point: log it and try the next one.
            if (debug.warningEnabled()) {
                debug.warning("AMCRLStore.getUpdateCRLFromCrlDP: Error in generating X509CRL", ex);
            }
        }
    }
    return null;
}

Example 90 with X509CRL

Use of java.security.cert.X509CRL in project OpenAM by OpenRock.

Class AMCRLStore, method getUpdateCRLFromCrlIDP:

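/**
 * Fetches a fresh CRL from the location named by the issuing distribution
 * point extension {@code idpExt}.
 *
 * <p>Security note: the name comes from a CRL or certificate being
 * examined, so the location contacted is attacker-influenced and the CRL
 * returned here is only parsed, not signature-verified. The caller must
 * validate it against the issuer before relying on it.
 *
 * @param idpExt the issuing distribution point extension; may be null
 * @return the parsed CRL, or null when the extension is null or has no
 *         full name, no data was fetched, or the data did not parse
 */
private synchronized X509CRL getUpdateCRLFromCrlIDP(IssuingDistributionPointExtension idpExt) {
    // Mirror the null handling of getUpdateCRLFromCrlDP instead of NPE-ing.
    if (idpExt == null) {
        return null;
    }
    GeneralNames gName = idpExt.getFullName();
    if (gName == null) {
        return null;
    }
    if (debug.messageEnabled()) {
        debug.message("AMCRLStore.getUpdateCRLFromCrlIDP: gName = " + gName);
    }
    byte[] encoded = getCRLsFromGeneralNames(gName);
    if (encoded == null || encoded.length == 0) {
        // Nothing fetched; don't hand an empty stream to the factory.
        if (debug.messageEnabled()) {
            debug.message("AMCRLStore.getUpdateCRLFromCrlIDP: no CRL data returned for " + gName);
        }
        return null;
    }
    try {
        return (X509CRL) cf.generateCRL(new ByteArrayInputStream(encoded));
    } catch (Exception e) {
        // Pass the exception itself so the stack trace is retained, as the
        // sibling DP method does, rather than logging only e.toString().
        debug.error("Error in generating X509CRL", e);
        return null;
    }
}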
