Example 6 with CRLNumber
use of org.bouncycastle.asn1.x509.CRLNumber in project xipki by xipki.
the class X509CaCmpResponderImpl method cmpGeneralMsg.
// method cmpRevokeOrUnrevokeOrRemoveCertificates
private PKIBody cmpGeneralMsg(PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor, ASN1OctetString tid, String msgId, AuditEvent event) throws InsuffientPermissionException {
GenMsgContent genMsgBody = GenMsgContent.getInstance(reqBody.getContent());
InfoTypeAndValue[] itvs = genMsgBody.toInfoTypeAndValueArray();
InfoTypeAndValue itv = null;
if (itvs != null && itvs.length > 0) {
for (InfoTypeAndValue entry : itvs) {
String itvType = entry.getInfoType().getId();
if (KNOWN_GENMSG_IDS.contains(itvType)) {
itv = entry;
break;
}
}
}
if (itv == null) {
String statusMessage = "PKIBody type " + PKIBody.TYPE_GEN_MSG + " is only supported with the sub-types " + KNOWN_GENMSG_IDS.toString();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
InfoTypeAndValue itvResp = null;
ASN1ObjectIdentifier infoType = itv.getInfoType();
int failureInfo;
try {
X509Ca ca = getCa();
if (CMPObjectIdentifiers.it_currentCRL.equals(infoType)) {
event.addEventType(CaAuditConstants.TYPE_CMP_genm_currentCrl);
checkPermission(requestor, PermissionConstants.GET_CRL);
CertificateList crl = ca.getBcCurrentCrl();
if (itv.getInfoValue() == null) {
// as defined in RFC 4210
crl = ca.getBcCurrentCrl();
} else {
// xipki extension
ASN1Integer crlNumber = ASN1Integer.getInstance(itv.getInfoValue());
crl = ca.getBcCrl(crlNumber.getPositiveValue());
}
if (crl == null) {
String statusMessage = "no CRL is available";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
itvResp = new InfoTypeAndValue(infoType, crl);
} else if (ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.equals(infoType)) {
ASN1Encodable asn1 = itv.getInfoValue();
ASN1Integer asn1Code = null;
ASN1Encodable reqValue = null;
try {
ASN1Sequence seq = ASN1Sequence.getInstance(asn1);
asn1Code = ASN1Integer.getInstance(seq.getObjectAt(0));
if (seq.size() > 1) {
reqValue = seq.getObjectAt(1);
}
} catch (IllegalArgumentException ex) {
String statusMessage = "invalid value of the InfoTypeAndValue for " + ObjectIdentifiers.id_xipki_cmp_cmpGenmsg.getId();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
ASN1Encodable respValue;
int action = asn1Code.getPositiveValue().intValue();
switch(action) {
case XiSecurityConstants.CMP_ACTION_GEN_CRL:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_genCrl);
checkPermission(requestor, PermissionConstants.GEN_CRL);
X509CRL tmpCrl = ca.generateCrlOnDemand(msgId);
if (tmpCrl == null) {
String statusMessage = "CRL generation is not activated";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
} else {
respValue = CertificateList.getInstance(tmpCrl.getEncoded());
}
break;
case XiSecurityConstants.CMP_ACTION_GET_CRL_WITH_SN:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_crlForNumber);
checkPermission(requestor, PermissionConstants.GET_CRL);
ASN1Integer crlNumber = ASN1Integer.getInstance(reqValue);
respValue = ca.getBcCrl(crlNumber.getPositiveValue());
if (respValue == null) {
String statusMessage = "no CRL is available";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
break;
case XiSecurityConstants.CMP_ACTION_GET_CAINFO:
event.addEventType(CaAuditConstants.TYPE_CMP_genm_cainfo);
Set<Integer> acceptVersions = new HashSet<>();
if (reqValue != null) {
ASN1Sequence seq = DERSequence.getInstance(reqValue);
int size = seq.size();
for (int i = 0; i < size; i++) {
ASN1Integer ai = ASN1Integer.getInstance(seq.getObjectAt(i));
acceptVersions.add(ai.getPositiveValue().intValue());
}
}
if (CollectionUtil.isEmpty(acceptVersions)) {
acceptVersions.add(1);
}
String systemInfo = getSystemInfo(requestor, acceptVersions);
respValue = new DERUTF8String(systemInfo);
break;
default:
String statusMessage = "unsupported XiPKI action code '" + action + "'";
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.badRequest, statusMessage);
}
// end switch (action)
ASN1EncodableVector vec = new ASN1EncodableVector();
vec.add(asn1Code);
if (respValue != null) {
vec.add(respValue);
}
itvResp = new InfoTypeAndValue(infoType, new DERSequence(vec));
} else if (ObjectIdentifiers.id_xipki_cmp_cacerts.equals(infoType)) {
event.addEventType(CaAuditConstants.TYPE_CMP_genm_cacerts);
CMPCertificate caCert = ca.getCaInfo().getCertInCmpFormat();
itvResp = new InfoTypeAndValue(infoType, new DERSequence(caCert));
}
GenRepContent genRepContent = new GenRepContent(itvResp);
return new PKIBody(PKIBody.TYPE_GEN_REP, genRepContent);
} catch (OperationException ex) {
failureInfo = getPKiFailureInfo(ex);
ErrorCode code = ex.getErrorCode();
String errorMessage;
switch(code) {
case DATABASE_FAILURE:
case SYSTEM_FAILURE:
errorMessage = code.name();
break;
default:
errorMessage = code.name() + ": " + ex.getErrorMessage();
break;
}
return buildErrorMsgPkiBody(PKIStatus.rejection, failureInfo, errorMessage);
} catch (CRLException ex) {
String statusMessage = "CRLException: " + ex.getMessage();
return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.systemFailure, statusMessage);
}
}
Also used :
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
PKIBody(org.bouncycastle.asn1.cmp.PKIBody)
X509CRL(java.security.cert.X509CRL)
Set(java.util.Set)
HashSet(java.util.HashSet)
GenMsgContent(org.bouncycastle.asn1.cmp.GenMsgContent)
GenRepContent(org.bouncycastle.asn1.cmp.GenRepContent)
X509Ca(org.xipki.ca.server.impl.X509Ca)
CertificateList(org.bouncycastle.asn1.x509.CertificateList)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
CMPCertificate(org.bouncycastle.asn1.cmp.CMPCertificate)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
DERSequence(org.bouncycastle.asn1.DERSequence)
InfoTypeAndValue(org.bouncycastle.asn1.cmp.InfoTypeAndValue)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
ErrorCode(org.xipki.ca.api.OperationException.ErrorCode)
CRLException(java.security.cert.CRLException)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
OperationException(org.xipki.ca.api.OperationException)
Example 7 with CRLNumber
use of org.bouncycastle.asn1.x509.CRLNumber in project xipki by xipki.
the class X509Ca method getBcCrl.
public CertificateList getBcCrl(BigInteger crlNumber) throws OperationException {
LOG.info(" START getCrl: ca={}, crlNumber={}", caIdent, crlNumber);
boolean successful = false;
try {
byte[] encodedCrl = certstore.getEncodedCrl(caIdent, crlNumber);
if (encodedCrl == null) {
return null;
}
try {
CertificateList crl = CertificateList.getInstance(encodedCrl);
successful = true;
if (LOG.isInfoEnabled()) {
LOG.info("SUCCESSFUL getCrl: ca={}, thisUpdate={}", caIdent, crl.getThisUpdate().getTime());
}
return crl;
} catch (RuntimeException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
}
} finally {
if (!successful) {
LOG.info(" FAILED getCrl: ca={}", caIdent);
}
}
}
Also used :
CertificateList(org.bouncycastle.asn1.x509.CertificateList)
OperationException(org.xipki.ca.api.OperationException)
Example 8 with CRLNumber
use of org.bouncycastle.asn1.x509.CRLNumber in project candlepin by candlepin.
the class X509CRLEntryStreamTest method testIterateOverEmptyCrl.
@Test
public void testIterateOverEmptyCrl() throws Exception {
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
X509CRLHolder holder = crlBuilder.build(signer);
File noUpdateTimeCrl = new File(folder.getRoot(), "test.crl");
FileUtils.writeByteArrayToFile(noUpdateTimeCrl, holder.getEncoded());
X509CRLEntryStream stream = new X509CRLEntryStream(noUpdateTimeCrl);
try {
Set<BigInteger> streamedSerials = new HashSet<>();
while (stream.hasNext()) {
streamedSerials.add(getSerial(stream.next()));
}
assertEquals(0, streamedSerials.size());
} finally {
stream.close();
}
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
CRLNumber(org.bouncycastle.asn1.x509.CRLNumber)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
BigInteger(java.math.BigInteger)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
File(java.io.File)
Date(java.util.Date)
HashSet(java.util.HashSet)
Test(org.junit.Test)
Example 9 with CRLNumber
use of org.bouncycastle.asn1.x509.CRLNumber in project candlepin by candlepin.
the class BouncyCastlePKIUtility method createX509CRL.
@Override
public X509CRL createX509CRL(List<X509CRLEntryWrapper> entries, BigInteger crlNumber) {
try {
X509Certificate caCert = reader.getCACert();
X509v2CRLBuilder generator = new X509v2CRLBuilder(X500Name.getInstance(caCert.getIssuerX500Principal().getEncoded()), new Date());
generator.setNextUpdate(Util.addDaysToDt(config.getInt(ConfigProperties.CRL_NEXT_UPDATE_DELTA)));
// add all the CRL entries.
for (X509CRLEntryWrapper entry : entries) {
generator.addCRLEntry(entry.getSerialNumber(), entry.getRevocationDate(), CRLReason.privilegeWithdrawn);
}
log.info("Completed adding CRL numbers to the certificate.");
JcaX509ExtensionUtils extentionUtil = new JcaX509ExtensionUtils();
AuthorityKeyIdentifier aki = extentionUtil.createAuthorityKeyIdentifier(caCert);
generator.addExtension(Extension.authorityKeyIdentifier, false, aki.getEncoded());
generator.addExtension(Extension.cRLNumber, false, new CRLNumber(crlNumber));
JcaContentSignerBuilder builder = new JcaContentSignerBuilder(SIGNATURE_ALGO).setProvider(BC_PROVIDER);
ContentSigner signer;
try {
signer = builder.build(reader.getCaKey());
} catch (OperatorCreationException e) {
throw new IOException(e);
}
return new JcaX509CRLConverter().getCRL(generator.build(signer));
} catch (Exception e) {
throw new RuntimeException(e);
}
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
X509CRLEntryWrapper(org.candlepin.pki.X509CRLEntryWrapper)
CRLNumber(org.bouncycastle.asn1.x509.CRLNumber)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
GeneralSecurityException(java.security.GeneralSecurityException)
IOException(java.io.IOException)
JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
Example 10 with CRLNumber
use of org.bouncycastle.asn1.x509.CRLNumber in project xipki by xipki.
the class CertStoreQueryExecutor method getEncodedCrl.
// method getSuspendedCertIds
byte[] getEncodedCrl(NameId ca, BigInteger crlNumber) throws DataAccessException {
ParamUtil.requireNonNull("ca", ca);
String sql = (crlNumber == null) ? sqls.sqlCrl : sqls.sqlCrlWithNo;
ResultSet rs = null;
PreparedStatement ps = borrowPreparedStatement(sql);
String b64Crl = null;
try {
int idx = 1;
ps.setInt(idx++, ca.getId());
if (crlNumber != null) {
ps.setLong(idx++, crlNumber.longValue());
}
rs = ps.executeQuery();
long currentThisUpdate = 0;
// iterate all entries to make sure that the latest CRL will be returned
while (rs.next()) {
long thisUpdate = rs.getLong("THISUPDATE");
if (thisUpdate >= currentThisUpdate) {
b64Crl = rs.getString("CRL");
currentThisUpdate = thisUpdate;
}
}
} catch (SQLException ex) {
throw datasource.translate(sql, ex);
} finally {
releaseDbResources(ps, rs);
}
return (b64Crl == null) ? null : Base64.decodeFast(b64Crl);
}
Also used :
SQLException(java.sql.SQLException)
ResultSet(java.sql.ResultSet)
PreparedStatement(java.sql.PreparedStatement)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
Aggregations
BigInteger (java.math.BigInteger)19
CRLNumber (org.bouncycastle.asn1.x509.CRLNumber)14
Date (java.util.Date)11
DEROctetString (org.bouncycastle.asn1.DEROctetString)10
X509CRL (java.security.cert.X509CRL)9
ASN1Integer (org.bouncycastle.asn1.ASN1Integer)9
X509v2CRLBuilder (org.bouncycastle.cert.X509v2CRLBuilder)9
CRLException (java.security.cert.CRLException)8
HashSet (java.util.HashSet)8
JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)8
AuthorityKeyIdentifier (org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)7
X509CRLHolder (org.bouncycastle.cert.X509CRLHolder)7
File (java.io.File)6
IOException (java.io.IOException)6
PreparedStatement (java.sql.PreparedStatement)6
SQLException (java.sql.SQLException)6
ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)6
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)6
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)6
OperationException (org.xipki.ca.api.OperationException)5
