Example 31 with CRLNumber
use of org.bouncycastle.asn1.x509.CRLNumber in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testAddEntryToBigCRL.
@Test
public void testAddEntryToBigCRL() throws Exception {
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
/* With a CRL number of 127, incrementing it should cause the number of bytes in the length
* portion of the TLV to increase by one.*/
crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
BigInteger serial = new BigInteger("741696FE9E30AD27", 16);
Set<BigInteger> expected = new HashSet<>();
for (int i = 0; i < 10000; i++) {
serial = serial.add(BigInteger.TEN);
crlBuilder.addCRLEntry(serial, new Date(), CRLReason.privilegeWithdrawn);
expected.add(serial);
}
X509CRLHolder holder = crlBuilder.build(signer);
File crlToChange = writeCRL(holder);
File outfile = new File(folder.getRoot(), "new.crl");
X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
// Add enough items to cause the number of length bytes to change
Set<BigInteger> newSerials = new HashSet<>(Arrays.asList(new BigInteger("2358215310"), new BigInteger("7231352433"), new BigInteger("8233181205"), new BigInteger("1455615868"), new BigInteger("4323487764"), new BigInteger("6673256679")));
for (BigInteger i : newSerials) {
stream.add(i, new Date(), CRLReason.privilegeWithdrawn);
expected.add(i);
}
stream.preScan(crlToChange).lock();
OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
stream.write(o);
o.close();
X509CRL changedCrl = readCRL();
Set<BigInteger> discoveredSerials = new HashSet<>();
for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
discoveredSerials.add(entry.getSerialNumber());
}
assertEquals(expected, discoveredSerials);
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
X509CRL(java.security.cert.X509CRL)
CRLNumber(org.bouncycastle.asn1.x509.CRLNumber)
BufferedOutputStream(java.io.BufferedOutputStream)
OutputStream(java.io.OutputStream)
FileOutputStream(java.io.FileOutputStream)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
Date(java.util.Date)
X509CRLEntry(java.security.cert.X509CRLEntry)
FileOutputStream(java.io.FileOutputStream)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
BigInteger(java.math.BigInteger)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
File(java.io.File)
BufferedOutputStream(java.io.BufferedOutputStream)
HashSet(java.util.HashSet)
Test(org.junit.Test)
Example 32 with CRLNumber
use of org.bouncycastle.asn1.x509.CRLNumber in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testAddEntryToEmptyCRL.
@Test
public void testAddEntryToEmptyCRL() throws Exception {
Date oneHourAgo = new Date(new Date().getTime() - 60L * 60L * 1000L);
Date oneHourHence = new Date(new Date().getTime() + 60L * 60L * 1000L);
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, oneHourAgo);
AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
/* With a CRL number of 127, incrementing it should cause the number of bytes in the length
* portion of the TLV to increase by one.*/
crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
crlBuilder.setNextUpdate(oneHourHence);
X509CRLHolder holder = crlBuilder.build(signer);
File crlToChange = writeCRL(holder);
File outfile = new File(folder.getRoot(), "new.crl");
X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
// Add enough items to cause the number of length bytes to change
Set<BigInteger> newSerials = new HashSet<>(Arrays.asList(new BigInteger("2358215310"), new BigInteger("7231352433"), new BigInteger("8233181205"), new BigInteger("1455615868"), new BigInteger("4323487764"), new BigInteger("6673256679")));
for (BigInteger i : newSerials) {
stream.add(i, new Date(), CRLReason.privilegeWithdrawn);
}
stream.preScan(crlToChange).lock();
OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
stream.write(o);
o.close();
X509CRL changedCrl = readCRL();
Set<BigInteger> discoveredSerials = new HashSet<>();
for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
discoveredSerials.add(entry.getSerialNumber());
}
X509CRL originalCrl = new JcaX509CRLConverter().setProvider(BC_PROVIDER).getCRL(holder);
assertNotNull(changedCrl.getNextUpdate());
long changedCrlUpdateDelta = changedCrl.getNextUpdate().getTime() - changedCrl.getThisUpdate().getTime();
assertEquals(changedCrlUpdateDelta, oneHourHence.getTime() - oneHourAgo.getTime());
assertThat(changedCrl.getThisUpdate(), OrderingComparison.greaterThan(originalCrl.getThisUpdate()));
assertEquals(newSerials, discoveredSerials);
assertEquals(originalCrl.getIssuerX500Principal(), changedCrl.getIssuerX500Principal());
ASN1ObjectIdentifier crlNumberOID = Extension.cRLNumber;
byte[] oldCrlNumberBytes = originalCrl.getExtensionValue(crlNumberOID.getId());
byte[] newCrlNumberBytes = changedCrl.getExtensionValue(crlNumberOID.getId());
DEROctetString oldOctet = (DEROctetString) DERTaggedObject.fromByteArray(oldCrlNumberBytes);
DEROctetString newOctet = (DEROctetString) DERTaggedObject.fromByteArray(newCrlNumberBytes);
ASN1Integer oldNumber = (ASN1Integer) DERTaggedObject.fromByteArray(oldOctet.getOctets());
ASN1Integer newNumber = (ASN1Integer) DERTaggedObject.fromByteArray(newOctet.getOctets());
assertEquals(oldNumber.getValue().add(BigInteger.ONE), newNumber.getValue());
ASN1ObjectIdentifier authorityKeyOID = Extension.authorityKeyIdentifier;
byte[] oldAuthorityKeyId = originalCrl.getExtensionValue(authorityKeyOID.getId());
byte[] newAuthorityKeyId = changedCrl.getExtensionValue(authorityKeyOID.getId());
assertArrayEquals(oldAuthorityKeyId, newAuthorityKeyId);
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
X509CRL(java.security.cert.X509CRL)
CRLNumber(org.bouncycastle.asn1.x509.CRLNumber)
BufferedOutputStream(java.io.BufferedOutputStream)
OutputStream(java.io.OutputStream)
FileOutputStream(java.io.FileOutputStream)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
Date(java.util.Date)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
X509CRLEntry(java.security.cert.X509CRLEntry)
JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter)
FileOutputStream(java.io.FileOutputStream)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
BigInteger(java.math.BigInteger)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
File(java.io.File)
BufferedOutputStream(java.io.BufferedOutputStream)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
HashSet(java.util.HashSet)
Test(org.junit.Test)
Example 33 with CRLNumber
use of org.bouncycastle.asn1.x509.CRLNumber in project candlepin by candlepin.
the class X509CRLStreamWriterTest method createCRLBuilder.
private X509v2CRLBuilder createCRLBuilder() throws Exception {
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
/* With a CRL number of 127, incrementing it should cause the number of bytes in the length
* portion of the TLV to increase by one.*/
crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
crlBuilder.addCRLEntry(new BigInteger("100"), new Date(), CRLReason.unspecified);
return crlBuilder;
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
CRLNumber(org.bouncycastle.asn1.x509.CRLNumber)
BigInteger(java.math.BigInteger)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
Date(java.util.Date)
Example 34 with CRLNumber
use of org.bouncycastle.asn1.x509.CRLNumber in project candlepin by candlepin.
the class X509CRLEntryStreamTest method testCRLwithoutUpdateTime.
@Test
public void testCRLwithoutUpdateTime() throws Exception {
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
crlBuilder.addCRLEntry(new BigInteger("100"), new Date(), CRLReason.unspecified);
X509CRLHolder holder = crlBuilder.build(signer);
File noUpdateTimeCrl = new File(folder.getRoot(), "test.crl");
FileUtils.writeByteArrayToFile(noUpdateTimeCrl, holder.getEncoded());
X509CRLEntryStream stream = new X509CRLEntryStream(noUpdateTimeCrl);
try {
Set<BigInteger> streamedSerials = new HashSet<>();
while (stream.hasNext()) {
streamedSerials.add(getSerial(stream.next()));
}
assertEquals(1, streamedSerials.size());
assertTrue(streamedSerials.contains(new BigInteger("100")));
} finally {
stream.close();
}
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
CRLNumber(org.bouncycastle.asn1.x509.CRLNumber)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
BigInteger(java.math.BigInteger)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
File(java.io.File)
Date(java.util.Date)
HashSet(java.util.HashSet)
Test(org.junit.Test)
Example 35 with CRLNumber
use of org.bouncycastle.asn1.x509.CRLNumber in project wso2-synapse by wso2.
the class CRLVerifierTest method createCRL.
/**
* Creates a fake CRL for the fake CA. The fake certificate with the given revokedSerialNumber will be marked
* as Revoked in the returned CRL.
* @param caCert the fake CA certificate.
* @param caPrivateKey private key of the fake CA.
* @param revokedSerialNumber the serial number of the fake peer certificate made to be marked as revoked.
* @return the created fake CRL
* @throws Exception
*/
public static X509CRL createCRL(X509Certificate caCert, PrivateKey caPrivateKey, BigInteger revokedSerialNumber) throws Exception {
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
Date now = new Date();
X500Name issuer = X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(caCert).getEncoded());
X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
builder.addCRLEntry(revokedSerialNumber, new Date(), 0);
builder.setNextUpdate(new Date(now.getTime() + TestConstants.NEXT_UPDATE_PERIOD));
builder.addExtension(Extension.cRLDistributionPoints, false, extUtils.createAuthorityKeyIdentifier(caCert));
builder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.valueOf(1)));
JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
contentSignerBuilder.setProvider(CryptoConstants.BOUNCY_CASTLE_PROVIDER);
X509CRLHolder cRLHolder = builder.build(contentSignerBuilder.build(caPrivateKey));
JcaX509CRLConverter converter = new JcaX509CRLConverter();
converter.setProvider(CryptoConstants.BOUNCY_CASTLE_PROVIDER);
return converter.getCRL(cRLHolder);
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter)
CRLNumber(org.bouncycastle.asn1.x509.CRLNumber)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
X500Name(org.bouncycastle.asn1.x500.X500Name)
Date(java.util.Date)
Aggregations
BigInteger (java.math.BigInteger)23
CRLNumber (org.bouncycastle.asn1.x509.CRLNumber)17
Date (java.util.Date)14
X509v2CRLBuilder (org.bouncycastle.cert.X509v2CRLBuilder)13
X509CRLHolder (org.bouncycastle.cert.X509CRLHolder)12
CRLException (java.security.cert.CRLException)10
ASN1Integer (org.bouncycastle.asn1.ASN1Integer)10
DEROctetString (org.bouncycastle.asn1.DEROctetString)10
JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)10
X509CRL (java.security.cert.X509CRL)9
IOException (java.io.IOException)8
HashSet (java.util.HashSet)8
X500Name (org.bouncycastle.asn1.x500.X500Name)8
AuthorityKeyIdentifier (org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)7
JcaX509CRLConverter (org.bouncycastle.cert.jcajce.JcaX509CRLConverter)7
File (java.io.File)6
PreparedStatement (java.sql.PreparedStatement)6
SQLException (java.sql.SQLException)6
ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)6
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)6
