
Example 31 with X509CRL

use of java.security.cert.X509CRL in project robovm by robovm.

the class X509CRLTest method verify.

/**
 * Checks that an RSA-signed CRL verifies with its issuing CA's public key and that
 * verification with a key of a different algorithm (DSA) is rejected with
 * {@link InvalidKeyException} instead of succeeding.
 *
 * @param f the certificate factory under test
 * @throws Exception if a fixture cannot be loaded or the positive verification fails
 */
private void verify(CertificateFactory f) throws Exception {
    final X509CRL rsaCrl = getCRL(f, CRL_RSA);
    final X509Certificate issuer = getCertificate(f, CERT_CRL_CA);
    // Positive case: the CRL signature must verify under the CA key.
    rsaCrl.verify(issuer.getPublicKey());

    // Negative case: a key whose algorithm does not match the CRL's signature
    // algorithm must be refused with InvalidKeyException.
    final X509Certificate wrongKeyTypeCert = getCertificate(f, CERT_DSA);
    boolean rejected = false;
    try {
        rsaCrl.verify(wrongKeyTypeCert.getPublicKey());
    } catch (InvalidKeyException expected) {
        rejected = true;
    }
    if (!rejected) {
        fail("should not verify using incorrect key type");
    }
}

Example 32 with X509CRL

use of java.security.cert.X509CRL in project robovm by robovm.

the class X509CRLTest method getSigAlgParams.

/**
 * Checks the encoded signature-algorithm parameters reported by
 * {@link X509CRL#getSigAlgParams()}.
 *
 * <p>For the plain RSA-signed CRL the RI is expected to return {@code null},
 * whereas the non-RI provider is expected to return the DER encoding of
 * ASN.1 NULL ({@code 05 00}). For the CRL signed with explicit parameters
 * every provider must return the DER-encoded parameter structure.
 *
 * @param f the certificate factory under test
 * @throws Exception if a fixture cannot be loaded
 */
private void getSigAlgParams(CertificateFactory f) throws Exception {
    final X509CRL plainCrl = getCRL(f, CRL_RSA);
    final String provider = f.getProvider().getName();
    final byte[] plainParams = plainCrl.getSigAlgParams();
    if (StandardNames.IS_RI) {
        assertNull(provider, plainParams);
    } else {
        assertNotNull(provider, plainParams);
        // DER encoding of ASN.1 NULL: tag 0x05, length 0.
        final byte[] asn1Null = { 0x05, 0x00 };
        assertEquals(provider, Arrays.toString(asn1Null), Arrays.toString(plainParams));
    }

    final X509CRL crlWithSigOpt = getCRL(f, CRL_RSA_DSA_SIGOPT);
    // DER for SEQUENCE { [2] { INTEGER 1 } }.
    final byte[] sigOptParams = {
        (byte) 0x30, (byte) 0x05,             // SEQUENCE, constructed, length 5
        (byte) 0xA2, (byte) 0x03,             // [2] context-specific, constructed, length 3
        (byte) 0x02, (byte) 0x01, (byte) 0x01 // INTEGER, length 1, value 1
    };
    final byte[] actualParams = crlWithSigOpt.getSigAlgParams();
    assertNotNull(provider, actualParams);
    assertEquals(Arrays.toString(sigOptParams), Arrays.toString(actualParams));
}

Example 33 with X509CRL

use of java.security.cert.X509CRL in project robovm by robovm.

the class X509CRLTest method test_equals.

/**
 * Checks {@code equals} for CRLs and CRL entries: two parses of the same CRL
 * are equal, a different CRL is not, and the entries looked up for the same
 * certificate in both parses are equal.
 *
 * @param f the certificate factory under test
 * @throws Exception if a fixture cannot be loaded
 */
private void test_equals(CertificateFactory f) throws Exception {
    final X509CRL first = getCRL(f, CRL_RSA);
    final X509CRL second = getCRL(f, CRL_RSA);
    final X509Certificate revokedCert = getCertificate(f, CERT_RSA);
    final X509CRL other = getCRL(f, CRL_RSA_DSA);

    assertEquals(first, second);
    assertFalse(first.equals(other));

    // The certificate is listed in the CRL, so both lookups must yield an entry.
    final X509CRLEntry entryFromFirst = first.getRevokedCertificate(revokedCert);
    assertNotNull(entryFromFirst);
    final X509CRLEntry entryFromSecond = second.getRevokedCertificate(revokedCert);
    assertNotNull(entryFromSecond);
    assertEquals(entryFromFirst, entryFromSecond);
}

Example 34 with X509CRL

use of java.security.cert.X509CRL in project robovm by robovm.

the class RFC3280CertPathUtilities method checkCRL.

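/**
 * Checks a distribution point for revocation information for the
 * certificate <code>cert</code>.
 * <p>
 * The lettered comments in the body follow the step labels of the CRL
 * processing algorithm in RFC 3280 section 6.3.3. Each complete CRL obtained
 * for the distribution point is processed in turn until the certificate is
 * found to be revoked or all revocation reasons are covered. A CRL that fails
 * any check is skipped and the failure remembered; only when no CRL passes is
 * a failure reported. A CRL or delta CRL carrying a critical extension other
 * than the issuing distribution point or delta CRL indicator is rejected
 * (fail closed).
 *
 * @param dp                 The distribution point to consider.
 * @param paramsPKIX         PKIX parameters.
 * @param cert               Certificate to check if it is revoked.
 * @param validDate          The date when the certificate revocation status should be
 *                           checked.
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 * @param defaultCRLSignKey  The public key of the issuer certificate
 *                           <code>defaultCRLSignCert</code>.
 * @param certStatus         The current certificate revocation status; updated in place.
 * @param reasonMask         The reasons mask which is already checked; updated in place
 *                           with the reasons covered by each accepted CRL.
 * @param certPathCerts      The certificates of the certification path.
 * @throws AnnotatedException if the certificate is revoked or the status cannot be checked
 *                            or some error occurs, including when no usable CRL was found.
 */
private static void checkCRL(DistributionPoint dp, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, CertStatus certStatus, ReasonsMask reasonMask, List certPathCerts) throws AnnotatedException {
    Date currentDate = new Date(System.currentTimeMillis());
    // Revocation status cannot be asserted for a point in time that has not happened yet.
    if (validDate.getTime() > currentDate.getTime()) {
        throw new AnnotatedException("Validation time is in future.");
    }
    // (a)
    /*
     * We always get timely valid CRLs, so there is no step (a) (1).
     * "locally cached" CRLs are assumed to be in getStore(), additional
     * CRLs must be enabled in the ExtendedPKIXParameters and are in
     * getAdditionalStore()
     */
    Set crls = CertPathValidatorUtilities.getCompleteCRLs(dp, cert, currentDate, paramsPKIX);
    boolean validCrlFound = false;
    AnnotatedException lastException = null;
    Iterator crl_iter = crls.iterator();
    // Stop as soon as the certificate is known to be revoked or every reason is covered.
    while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) {
        try {
            X509CRL crl = (X509CRL) crl_iter.next();
            // (d)
            ReasonsMask interimReasonsMask = RFC3280CertPathUtilities.processCRLD(crl, dp);
            /*
             * The reasons mask is updated at the end, so only valid CRLs
             * can update it. If this CRL does not contain new reasons it
             * must be ignored.
             */
            if (!interimReasonsMask.hasNewReasons(reasonMask)) {
                continue;
            }
            // (f)
            Set keys = RFC3280CertPathUtilities.processCRLF(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts);
            // (g)
            PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys);
            X509CRL deltaCRL = null;
            if (paramsPKIX.isUseDeltasEnabled()) {
                // get delta CRLs
                Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl);
                // we only want one valid delta CRL
                // (h)
                deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, key);
            }
            if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) {
                /*
                 * if a certificate has expired, but was revoked, it is not
                 * more in the CRL, so it would be regarded as valid if the
                 * first check is not done
                 */
                if (cert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) {
                    throw new AnnotatedException("No valid CRL for current time found.");
                }
            }
            // (b) (1)
            RFC3280CertPathUtilities.processCRLB1(dp, cert, crl);
            // (b) (2)
            RFC3280CertPathUtilities.processCRLB2(dp, cert, crl);
            // (c)
            RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX);
            // (i)
            RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX);
            // (j)
            RFC3280CertPathUtilities.processCRLJ(validDate, crl, cert, certStatus);
            // (k)
            if (certStatus.getCertStatus() == CRLReason.removeFromCRL) {
                certStatus.setCertStatus(CertStatus.UNREVOKED);
            }
            // update reasons mask
            reasonMask.addReasons(interimReasonsMask);
            // Only the two critical extensions handled above are understood; any other
            // critical extension makes this CRL unusable rather than being ignored.
            Set criticalExtensions = crl.getCriticalExtensionOIDs();
            if (criticalExtensions != null) {
                criticalExtensions = new HashSet(criticalExtensions);
                criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId());
                criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId());
                if (!criticalExtensions.isEmpty()) {
                    throw new AnnotatedException("CRL contains unsupported critical extensions.");
                }
            }
            // Same rule for the delta CRL, when one was selected.
            if (deltaCRL != null) {
                criticalExtensions = deltaCRL.getCriticalExtensionOIDs();
                if (criticalExtensions != null) {
                    criticalExtensions = new HashSet(criticalExtensions);
                    criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId());
                    criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId());
                    if (!criticalExtensions.isEmpty()) {
                        throw new AnnotatedException("Delta CRL contains unsupported critical extension.");
                    }
                }
            }
            validCrlFound = true;
        } catch (AnnotatedException e) {
            // Remember the failure; another CRL in the set may still be usable.
            lastException = e;
        }
    }
    if (!validCrlFound) {
        if (lastException == null) {
            // Reached when the set was empty, the loop never ran, or every CRL was
            // skipped for adding no new reasons. Re-throwing a null reference here
            // would surface as a NullPointerException instead of a checked failure.
            throw new AnnotatedException("No valid CRL found for distribution point.");
        }
        throw lastException;
    }
}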

Example 35 with X509CRL

use of java.security.cert.X509CRL in project jdk8u_jdk by JetBrains.

the class PKCS7 method encodeSignedData.

/**
 * Encodes the signed data to a DerOutputStream.
 *
 * <p>Writes the SignedData structure in order: version, digest algorithm set,
 * content info, the optional [0] IMPLICIT certificate set, the optional
 * [1] IMPLICIT CRL set and the signer info set; the result is wrapped as a
 * SEQUENCE inside a ContentInfo carrying the signed-data OID and written to
 * {@code out}. Certificates and CRLs that are not already the
 * {@code X509CertImpl}/{@code X509CRLImpl} classes are re-parsed from their
 * encoding so they can be written as DerEncoder elements. CRLs are gathered in
 * a {@code HashSet}, so duplicate CRLs are emitted only once.
 *
 * @param out the DerOutputStream to write the encoded data to.
 * @exception IOException on encoding errors, including a certificate or CRL
 *            whose encoding cannot be re-parsed.
 */
public void encodeSignedData(DerOutputStream out) throws IOException {
    DerOutputStream body = new DerOutputStream();

    body.putInteger(version);
    body.putOrderedSetOf(DerValue.tag_Set, digestAlgorithmIds);
    contentInfo.encode(body);

    // certificates (optional), written as [0] IMPLICIT SET OF
    if (certificates != null && certificates.length != 0) {
        X509CertImpl[] certImpls = new X509CertImpl[certificates.length];
        for (int idx = 0; idx < certificates.length; idx++) {
            if (certificates[idx] instanceof X509CertImpl) {
                certImpls[idx] = (X509CertImpl) certificates[idx];
            } else {
                // Foreign implementation: round-trip through its DER encoding.
                try {
                    certImpls[idx] = new X509CertImpl(certificates[idx].getEncoded());
                } catch (CertificateException ce) {
                    throw new IOException(ce);
                }
            }
        }
        body.putOrderedSetOf((byte) 0xA0, certImpls);
    }

    // CRLs (optional), written as [1] IMPLICIT SET OF; the HashSet drops duplicates.
    if (crls != null && crls.length != 0) {
        Set<X509CRLImpl> crlImpls = new HashSet<X509CRLImpl>(crls.length);
        for (X509CRL crl : crls) {
            if (crl instanceof X509CRLImpl) {
                crlImpls.add((X509CRLImpl) crl);
            } else {
                // Foreign implementation: round-trip through its DER encoding.
                try {
                    crlImpls.add(new X509CRLImpl(crl.getEncoded()));
                } catch (CRLException ce) {
                    throw new IOException(ce);
                }
            }
        }
        body.putOrderedSetOf((byte) 0xA1, crlImpls.toArray(new X509CRLImpl[0]));
    }

    // signerInfos
    body.putOrderedSetOf(DerValue.tag_Set, signerInfos);

    // Wrap as SEQUENCE, then as a ContentInfo of type signedData, and emit.
    DerValue signedDataSeq = new DerValue(DerValue.tag_Sequence, body.toByteArray());
    new ContentInfo(ContentInfo.SIGNED_DATA_OID, signedDataSeq).encode(out);
}
