Use of java.security.cert.X509CRL in project jdk8u_jdk by JetBrains.
The class Pair, method readCRLsFromCert.
/**
 * Collects the CRLs referenced by a certificate's CRLDistributionPoints
 * extension. Only distribution points carrying a full name that contains a
 * general name of type URI are consulted; the first such URI of each
 * distribution point is fetched and the point's remaining names are skipped,
 * since they are expected to designate the same CRL. Note that the URIs are
 * taken from the certificate itself, so the fetch follows a location chosen
 * by whoever produced the certificate, not by this code.
 *
 * @param cert certificate whose distribution points are read
 * @return the {@link X509CRL} objects that were loaded; empty (never
 *         {@code null}) when the extension is absent or nothing was fetched
 * @throws Exception whatever the certificate conversion or the CRL load throws
 */
public static List<CRL> readCRLsFromCert(X509Certificate cert) throws Exception {
    List<CRL> result = new ArrayList<>();
    CRLDistributionPointsExtension dpExt =
            X509CertImpl.toImpl(cert).getCRLDistributionPointsExtension();
    if (dpExt == null) {
        return result;
    }
    List<DistributionPoint> points = dpExt.get(CRLDistributionPointsExtension.POINTS);
    for (DistributionPoint point : points) {
        GeneralNames fullName = point.getFullName();
        if (fullName == null) {
            // No full name (e.g. a name relative to the CRL issuer): nothing to fetch.
            continue;
        }
        for (GeneralName candidate : fullName.names()) {
            if (candidate.getType() != GeneralNameInterface.NAME_URI) {
                continue;
            }
            String uri = ((URIName) candidate.getName()).getName();
            for (CRL loaded : loadCRLs(uri)) {
                if (loaded instanceof X509CRL) {
                    result.add((X509CRL) loaded);
                }
            }
            // Different name should point to same CRL
            break;
        }
    }
    return result;
}
Use of java.security.cert.X509CRL in project oxTrust by GluuFederation.
The class SSLService, method loadCRL.
/**
 * Loads a single CRL from a stream using the project's certificate factory.
 * The stream is closed quietly once the method returns, whether or not
 * parsing succeeded, so the caller must not reuse it.
 *
 * @param is stream holding the encoded CRL
 * @return the parsed CRL, cast to {@link X509CRL}
 * @throws Exception if the factory cannot be obtained or the CRL cannot be parsed
 */
public static X509CRL loadCRL(InputStream is) throws Exception {
    try {
        CertificateFactory factory = getCertificateFactoryInstance();
        // Presumably an X.509 factory, whose CRLs are X509CRL instances; the
        // cast fails loudly if that assumption does not hold.
        return (X509CRL) factory.generateCRL(is);
    } finally {
        IOUtils.closeQuietly(is);
    }
}
Use of java.security.cert.X509CRL in project cas by apereo.
The class AbstractCRLRevocationChecker, method check.
/**
 * Evaluates the revocation status of {@code cert} against the CRLs supplied
 * by {@code getCRLs}. Three outcomes are possible: no CRL is available and
 * the unavailable-CRL policy is applied with a {@code null} argument; every
 * CRL has expired and the expired-CRL policy is applied to each of them; or
 * the expired CRLs are dropped and the certificate is rejected only when
 * every remaining CRL lists it as revoked.
 * NOTE(review): a certificate that appears in some but not all of the valid
 * CRLs is accepted by this logic - confirm that is the intended policy.
 * NOTE(review): expired CRLs are removed in place from the collection that
 * getCRLs returned, so that collection has to be mutable.
 *
 * @param cert certificate to evaluate; must not be {@code null}
 * @throws IllegalArgumentException if {@code cert} is {@code null}
 * @throws RevokedCertificateException when all valid CRLs revoke the certificate
 * @throws GeneralSecurityException as raised by the configured policies
 */
@Override
public void check(final X509Certificate cert) throws GeneralSecurityException {
    if (cert == null) {
        throw new IllegalArgumentException("Certificate cannot be null.");
    }
    LOGGER.debug("Evaluating certificate revocation status for [{}]", CertUtils.toString(cert));
    final Collection<X509CRL> crls = getCRLs(cert);
    if (crls == null || crls.isEmpty()) {
        LOGGER.warn("CRL data is not available for [{}]", CertUtils.toString(cert));
        this.unavailableCRLPolicy.apply(null);
        return;
    }
    final List<X509CRL> expired = new ArrayList<>();
    for (final X509CRL crl : crls) {
        if (CertUtils.isExpired(crl)) {
            LOGGER.warn("CRL data expired on [{}]", crl.getNextUpdate());
            expired.add(crl);
        }
    }
    if (expired.size() == crls.size()) {
        LOGGER.warn("All CRLs retrieved have expired. Applying CRL expiration policy...");
        for (final X509CRL crl : expired) {
            this.expiredCRLPolicy.apply(crl);
        }
        return;
    }
    crls.removeAll(expired);
    LOGGER.debug("Valid CRLs [{}] found that are not expired yet", crls);
    final List<X509CRLEntry> revokedEntries = new ArrayList<>();
    for (final X509CRL crl : crls) {
        final X509CRLEntry entry = crl.getRevokedCertificate(cert);
        if (entry != null) {
            revokedEntries.add(entry);
        }
    }
    if (revokedEntries.size() == crls.size()) {
        final X509CRLEntry first = revokedEntries.get(0);
        LOGGER.warn("All CRL entries have been revoked. Rejecting the first entry [{}]", first);
        throw new RevokedCertificateException(first);
    }
}
Use of java.security.cert.X509CRL in project cxf by apache.
The class TrustedAuthorityValidator, method isCertificateChainValid.
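/**
 * Checks whether the first certificate of {@code certificates} chains to one
 * of the trusted authorities held in the certificate repository.
 * The remaining entries of the list, together with the repository's CA
 * certificates, are offered to the PKIX builder as intermediates. When
 * revocation checking is enabled and the repository provides CRLs, the built
 * path is also validated against them; without CRLs the path is validated
 * with revocation checking switched off, which is logged as a warning.
 *
 * @param certificates chain to check; the first element is the target certificate
 * @return {@code true} if a trusted path could be built and validated,
 *         {@code false} for a missing or empty chain and for any PKIX
 *         failure (each failure is logged)
 */
boolean isCertificateChainValid(List<X509Certificate> certificates) {
    if (certificates == null || certificates.isEmpty()) {
        LOG.log(Level.WARNING, "No certificate supplied for certificate chain validation.");
        return false;
    }
    X509Certificate targetCert = certificates.get(0);
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(targetCert);
    try {
        List<X509Certificate> intermediateCerts = certRepo.getCaCerts();
        List<X509Certificate> trustedAuthorityCerts = certRepo.getTrustedCaCerts();
        Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
        CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
        CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
        pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
        // Build the path without revocation checking; CRLs are attached below for validation only.
        pkixParams.setRevocationEnabled(false);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        CertPath certPath = builder.build(pkixParams).getCertPath();
        // Now validate the CertPath (including CRL checking)
        if (enableRevocation) {
            List<X509CRL> crls = certRepo.getCRLs();
            if (crls.isEmpty()) {
                // Revocation was requested but cannot be checked: the path is accepted on
                // trust alone. Logged so the gap is visible in operation.
                LOG.log(Level.WARNING, "Revocation checking is enabled but no CRLs are available; "
                        + "validating the certification path without revocation checking.");
            } else {
                pkixParams.setRevocationEnabled(true);
                CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
                pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
            }
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        validator.validate(certPath, pkixParams);
    } catch (InvalidAlgorithmParameterException e) {
        LOG.log(Level.WARNING, "Invalid algorithm parameter by certificate chain validation. "
                + "It is likely that issuer certificates are not found in XKMS trusted storage. "
                + e.getMessage(), e);
        return false;
    } catch (NoSuchAlgorithmException e) {
        LOG.log(Level.WARNING, "Unknown algorithm by trust chain validation: " + e.getMessage(), e);
        return false;
    } catch (CertPathBuilderException e) {
        LOG.log(Level.WARNING, "Cannot build certification path: " + e.getMessage(), e);
        return false;
    } catch (CertPathValidatorException e) {
        LOG.log(Level.WARNING, "Cannot validate certification path: " + e.getMessage(), e);
        return false;
    }
    return true;
}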
Use of java.security.cert.X509CRL in project cxf by apache.
The class TrustedAuthorityValidatorCRLTest, method readCRL.
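/**
 * Reads a CRL from a test resource located under {@code PATH_TO_RESOURCES}.
 * The resource stream is closed once parsing is done, and a missing resource
 * is reported explicitly instead of being handed to the factory as {@code null}.
 *
 * @param path resource name, appended to {@code PATH_TO_RESOURCES}
 * @return the parsed CRL
 * @throws CertificateException if the X.509 certificate factory is unavailable
 * @throws CRLException if the resource is missing or cannot be parsed as a CRL
 * @throws UncheckedIOException if closing the resource stream fails
 */
private static X509CRL readCRL(String path) throws CertificateException, CRLException {
    String resource = PATH_TO_RESOURCES + path;
    // try-with-resources tolerates a null stream (close is skipped), so the
    // missing-resource check can live inside the block.
    try (InputStream inputStream = TrustedAuthorityValidatorCRLTest.class.getResourceAsStream(resource)) {
        if (inputStream == null) {
            throw new CRLException("CRL resource not found on classpath: " + resource);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509CRL) cf.generateCRL(inputStream);
    } catch (IOException e) {
        // Only close() can raise this; keep the declared checked exceptions unchanged.
        throw new UncheckedIOException("Failed to close CRL resource " + resource, e);
    }
}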