
Example 11 with X509CRLEntry

use of java.security.cert.X509CRLEntry in project jdk8u_jdk by JetBrains.

the class Pair method doGenCRL.

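/**
 * Generates a CRL, signs it with the private key stored under {@code alias} and
 * writes it to {@code out}: PEM-style ("-----BEGIN X509 CRL-----") when {@code rfc}
 * is set, raw DER otherwise.
 *
 * <p>Each element of {@code ids} names a revoked certificate by its serial number,
 * optionally followed by {@code :<reason>} where {@code <reason>} is an integer CRL
 * reason code. Every entry is dated with the CRL's thisUpdate value; nextUpdate is
 * thisUpdate plus {@code validity} days.
 *
 * @param out stream receiving the encoded CRL.
 * @throws Exception if no {@code -id} values were given, the alias has no
 *         certificate, or key recovery, encoding or signing fails.
 */
private void doGenCRL(PrintStream out) throws Exception {
    if (ids == null) {
        throw new Exception("Must provide -id when -gencrl");
    }
    Certificate signerCert = keyStore.getCertificate(alias);
    if (signerCert == null) {
        // KeyStore.getCertificate returns null for an unknown alias; fail with a
        // clear message rather than an NPE on getEncoded() below.
        throw new Exception("No certificate found for alias <" + alias + ">");
    }
    // The CRL issuer is the subject DN of the signer's certificate.
    X509CertImpl signerCertImpl = new X509CertImpl(signerCert.getEncoded());
    X509CertInfo signerCertInfo = (X509CertInfo) signerCertImpl.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
    X500Name owner = (X500Name) signerCertInfo.get(X509CertInfo.SUBJECT + "." + X509CertInfo.DN_NAME);
    Date firstDate = getStartDate(startDate);
    Date lastDate = (Date) firstDate.clone();
    // validity is a day count (the factors are ms per day); the long literal keeps
    // the product from overflowing should validity be an int.
    lastDate.setTime(lastDate.getTime() + validity * 1000L * 24 * 60 * 60);
    PrivateKey privateKey = (PrivateKey) recoverKey(alias, storePass, keyPass).fst;
    if (sigAlgName == null) {
        sigAlgName = getCompatibleSigAlgName(privateKey.getAlgorithm());
    }
    X509CRLEntry[] badCerts = new X509CRLEntry[ids.size()];
    for (int i = 0; i < ids.size(); i++) {
        String id = ids.get(i);
        int sep = id.indexOf(':');
        if (sep >= 0) {
            // "<serial>:<reason>": carry the reason code as a CRL entry extension.
            CRLExtensions ext = new CRLExtensions();
            ext.set("Reason", new CRLReasonCodeExtension(Integer.parseInt(id.substring(sep + 1))));
            badCerts[i] = new X509CRLEntryImpl(new BigInteger(id.substring(0, sep)), firstDate, ext);
        } else {
            badCerts[i] = new X509CRLEntryImpl(new BigInteger(id), firstDate);
        }
    }
    X509CRLImpl crl = new X509CRLImpl(owner, firstDate, lastDate, badCerts);
    crl.sign(privateKey, sigAlgName);
    if (rfc) {
        out.println("-----BEGIN X509 CRL-----");
        out.println(Base64.getMimeEncoder(64, CRLF).encodeToString(crl.getEncodedInternal()));
        out.println("-----END X509 CRL-----");
    } else {
        out.write(crl.getEncodedInternal());
    }
}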

Example 12 with X509CRLEntry

use of java.security.cert.X509CRLEntry in project cas by apereo.

the class AbstractCRLRevocationChecker method check.

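/**
 * Checks {@code cert} against the CRLs returned by {@link #getCRLs}.
 *
 * <p>Expired CRLs are handed to {@code expiredCRLPolicy}; when no CRL is available at
 * all, {@code unavailableCRLPolicy} decides the outcome. Among the non-expired CRLs,
 * the certificate is rejected as soon as any one of them lists it as revoked. (Requiring
 * every valid CRL to list it, as this method previously did, let a revoked certificate
 * through whenever a single CRL omitted it.)
 *
 * @param cert the certificate to check; must not be null.
 * @throws IllegalArgumentException if {@code cert} is null.
 * @throws RevokedCertificateException if a valid CRL lists the certificate as revoked.
 * @throws GeneralSecurityException as raised by the configured revocation policies.
 */
@Override
public void check(final X509Certificate cert) throws GeneralSecurityException {
    if (cert == null) {
        throw new IllegalArgumentException("Certificate cannot be null.");
    }
    LOGGER.debug("Evaluating certificate revocation status for [{}]", CertUtils.toString(cert));
    final Collection<X509CRL> crls = getCRLs(cert);
    if (crls == null || crls.isEmpty()) {
        LOGGER.warn("CRL data is not available for [{}]", CertUtils.toString(cert));
        this.unavailableCRLPolicy.apply(null);
        return;
    }
    // Partition into local lists instead of mutating the collection returned by
    // getCRLs(), which may be shared or cached by the subclass.
    final List<X509CRL> expiredCrls = new ArrayList<>();
    final List<X509CRL> validCrls = new ArrayList<>();
    for (final X509CRL crl : crls) {
        if (CertUtils.isExpired(crl)) {
            LOGGER.warn("CRL data expired on [{}]", crl.getNextUpdate());
            expiredCrls.add(crl);
        } else {
            validCrls.add(crl);
        }
    }
    if (validCrls.isEmpty()) {
        LOGGER.warn("All CRLs retrieved have expired. Applying CRL expiration policy...");
        // NOTE(review): if the policy tolerates the expiry, the certificate is not
        // compared against the expired CRLs' contents at all - confirm this is intended.
        for (final X509CRL crl : expiredCrls) {
            this.expiredCRLPolicy.apply(crl);
        }
        return;
    }
    LOGGER.debug("Valid CRLs [{}] found that are not expired yet", validCrls);
    final List<X509CRLEntry> revokedEntries = validCrls.stream()
            .map(crl -> crl.getRevokedCertificate(cert))
            .filter(Objects::nonNull)
            .collect(Collectors.toList());
    if (!revokedEntries.isEmpty()) {
        // Fail closed: a single listing in any current CRL is sufficient to reject.
        final X509CRLEntry entry = revokedEntries.get(0);
        LOGGER.warn("Certificate is listed as revoked in [{}] of [{}] valid CRLs. Rejecting with entry [{}]",
                revokedEntries.size(), validCrls.size(), entry);
        throw new RevokedCertificateException(entry);
    }
}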

Example 13 with X509CRLEntry

use of java.security.cert.X509CRLEntry in project robovm by robovm.

the class X509CRLObject method getRevokedCertificate.

/**
 * Looks up the CRL entry whose user-certificate serial equals {@code serialNumber}.
 *
 * <p>For an indirect CRL, the issuer passed to the returned entry is the value of the
 * most recent certificateIssuer extension found on an entry that precedes the match
 * (null if none has been seen yet); the matching entry's own extension is left to
 * {@code X509CRLEntryObject}.
 *
 * @param serialNumber serial number to look for.
 * @return the matching entry, or {@code null} when the serial is not listed.
 */
public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
    X500Name issuerSoFar = null;
    for (Enumeration entries = c.getRevokedCertificateEnumeration(); entries.hasMoreElements(); ) {
        TBSCertList.CRLEntry candidate = (TBSCertList.CRLEntry) entries.nextElement();
        if (serialNumber.equals(candidate.getUserCertificate().getValue())) {
            return new X509CRLEntryObject(candidate, isIndirect, issuerSoFar);
        }
        if (!isIndirect || !candidate.hasExtensions()) {
            continue;
        }
        Extension issuerExt = candidate.getExtensions().getExtension(Extension.certificateIssuer);
        if (issuerExt != null) {
            GeneralNames names = GeneralNames.getInstance(issuerExt.getParsedValue());
            issuerSoFar = X500Name.getInstance(names.getNames()[0].getName());
        }
    }
    return null;
}

Example 14 with X509CRLEntry

use of java.security.cert.X509CRLEntry in project jdk8u_jdk by JetBrains.

the class X509CRLImpl method toString.

/**
 * Returns a printable string of this CRL.
 *
 * <p>Lists the version, signature algorithm, issuer, update times, every revoked
 * entry, every CRL extension (unknown ones additionally as a hex dump of their
 * DER-wrapped value) and the signature, or "NOT signed yet" if there is none.
 *
 * @return value of this CRL in a printable form.
 */
public String toString() {
    StringBuilder text = new StringBuilder();
    text.append("X.509 CRL v").append(version + 1).append("\n");
    if (sigAlgId != null) {
        text.append("Signature Algorithm: ").append(sigAlgId.toString())
                .append(", OID=").append(sigAlgId.getOID().toString()).append("\n");
    }
    if (issuer != null) {
        text.append("Issuer: ").append(issuer.toString()).append("\n");
    }
    if (thisUpdate != null) {
        text.append("\nThis Update: ").append(thisUpdate.toString()).append("\n");
    }
    if (nextUpdate != null) {
        text.append("Next Update: ").append(nextUpdate.toString()).append("\n");
    }
    if (!revokedList.isEmpty()) {
        text.append("\nRevoked Certificates: ").append(revokedList.size());
        int position = 0;
        for (X509CRLEntry entry : revokedList) {
            position++;
            text.append("\n[").append(position).append("] ").append(entry.toString());
        }
    } else {
        text.append("\nNO certificates have been revoked\n");
    }
    if (extensions != null) {
        Collection<Extension> allExts = extensions.getAllExtensions();
        text.append("\nCRL Extensions: ").append(allExts.size());
        int position = 0;
        for (Extension ext : allExts) {
            position++;
            text.append("\n[").append(position).append("]: ");
            try {
                // Extensions without a registered sub-class get their raw value
                // dumped as well, since their own toString() cannot decode it.
                boolean unknownType = OIDMap.getClass(ext.getExtensionId()) == null;
                text.append(ext.toString());
                if (unknownType) {
                    byte[] extValue = ext.getExtensionValue();
                    if (extValue != null) {
                        DerOutputStream out = new DerOutputStream();
                        out.putOctetString(extValue);
                        byte[] wrapped = out.toByteArray();
                        // Build the dump before appending so a failure leaves no partial text.
                        String dump = new HexDumpEncoder().encodeBuffer(wrapped);
                        text.append("Extension unknown: ").append("DER encoded OCTET string =\n")
                                .append(dump).append("\n");
                    }
                }
            } catch (Exception e) {
                // Best-effort listing: a broken extension must not abort the whole dump.
                text.append(", Error parsing this extension");
            }
        }
    }
    if (signature != null) {
        String dump = new HexDumpEncoder().encodeBuffer(signature);
        text.append("\nSignature:\n").append(dump).append("\n");
    } else {
        text.append("NOT signed yet\n");
    }
    return text.toString();
}

Example 15 with X509CRLEntry

use of java.security.cert.X509CRLEntry in project jdk8u_jdk by JetBrains.

the class X509CRLImpl method encodeInfo.

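/**
 * Encodes the "to-be-signed" CRL (the TBSCertList SEQUENCE) to the OutputStream.
 *
 * <p>As a side effect the encoded bytes are also kept in {@code tbsCertList}, which
 * is what gets signed. The version INTEGER is omitted for v1 ({@code version == 0}),
 * and each date is written as UTCTime before {@code YR_2050} and as GeneralizedTime
 * from then on, as RFC 5280 requires.
 *
 * @param out the OutputStream to write to.
 * @exception CRLException on encoding errors, or when a v1 CRL has a null issuer DN;
 *            the underlying {@link IOException}, if any, is attached as the cause.
 */
public void encodeInfo(OutputStream out) throws CRLException {
    try {
        DerOutputStream tmp = new DerOutputStream();
        DerOutputStream rCerts = new DerOutputStream();
        DerOutputStream seq = new DerOutputStream();
        // v2 CRL: encode the version field (OPTIONAL, absent for v1).
        if (version != 0) {
            tmp.putInteger(version);
        }
        infoSigAlgId.encode(tmp);
        // X500Name.toString() presumably yields null for an empty name; kept as the
        // existing v1 "non-empty issuer" check.
        if ((version == 0) && (issuer.toString() == null)) {
            throw new CRLException("Null Issuer DN not allowed in v1 CRL");
        }
        issuer.encode(tmp);
        if (thisUpdate.getTime() < YR_2050) {
            tmp.putUTCTime(thisUpdate);
        } else {
            tmp.putGeneralizedTime(thisUpdate);
        }
        if (nextUpdate != null) {
            if (nextUpdate.getTime() < YR_2050) {
                tmp.putUTCTime(nextUpdate);
            } else {
                tmp.putGeneralizedTime(nextUpdate);
            }
        }
        // revokedCertificates is OPTIONAL: skip the SEQUENCE entirely when empty.
        if (!revokedList.isEmpty()) {
            for (X509CRLEntry entry : revokedList) {
                ((X509CRLEntryImpl) entry).encode(rCerts);
            }
            tmp.write(DerValue.tag_Sequence, rCerts);
        }
        if (extensions != null) {
            extensions.encode(tmp, isExplicit);
        }
        seq.write(DerValue.tag_Sequence, tmp);
        tbsCertList = seq.toByteArray();
        out.write(tbsCertList);
    } catch (IOException e) {
        // Preserve the cause instead of flattening it to a message string.
        throw new CRLException("Encoding error: " + e.getMessage(), e);
    }
}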
