Example 1 with ReasonFlags
use of org.bouncycastle.asn1.x509.ReasonFlags in project keystore-explorer by kaikramer.
the class X509Ext method getReasonFlagsStrings.
private String[] getReasonFlagsStrings(ReasonFlags reasonFlags) throws IOException {
// @formatter:off
/*
* ReasonFlags ::= BIT STRING { unused(0), keyCompromise(1),
* cACompromise(2), affiliationChanged(3), superseded(4),
* cessationOfOperation(5), certificateHold(6), privilegeWithdrawn(7),
* aACompromise(8)}
*/
// @formatter:on
List<String> reasonFlagsList = new ArrayList<String>();
DERBitString reasonFlagsBitString = (DERBitString) reasonFlags.toASN1Primitive();
int reasonFlagsInt = reasonFlagsBitString.intValue();
// Go through bit string adding reason flags found to be true
if (hasReasonFlag(reasonFlagsInt, ReasonFlags.unused)) {
reasonFlagsList.add(res.getString("UnusedReasonFlag"));
}
if (hasReasonFlag(reasonFlagsInt, ReasonFlags.keyCompromise)) {
reasonFlagsList.add(res.getString("KeyCompromiseReasonFlag"));
}
if (hasReasonFlag(reasonFlagsInt, ReasonFlags.cACompromise)) {
reasonFlagsList.add(res.getString("CaCompromiseReasonFlag"));
}
if (hasReasonFlag(reasonFlagsInt, ReasonFlags.affiliationChanged)) {
reasonFlagsList.add(res.getString("AffiliationChangedReasonFlag"));
}
if (hasReasonFlag(reasonFlagsInt, ReasonFlags.superseded)) {
reasonFlagsList.add(res.getString("SupersededReasonFlag"));
}
if (hasReasonFlag(reasonFlagsInt, ReasonFlags.cessationOfOperation)) {
reasonFlagsList.add(res.getString("CessationOfOperationReasonFlag"));
}
if (hasReasonFlag(reasonFlagsInt, ReasonFlags.certificateHold)) {
reasonFlagsList.add(res.getString("CertificateHoldReasonFlag"));
}
if (hasReasonFlag(reasonFlagsInt, ReasonFlags.privilegeWithdrawn)) {
reasonFlagsList.add(res.getString("PrivilegeWithdrawnReasonFlag"));
}
if (hasReasonFlag(reasonFlagsInt, ReasonFlags.aACompromise)) {
reasonFlagsList.add(res.getString("AaCompromiseReasonFlag"));
}
return reasonFlagsList.toArray(new String[reasonFlagsList.size()]);
}
Also used :
ArrayList(java.util.ArrayList)
DERBitString(org.bouncycastle.asn1.DERBitString)
DERBitString(org.bouncycastle.asn1.DERBitString)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERGeneralString(org.bouncycastle.asn1.DERGeneralString)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
Example 2 with ReasonFlags
use of org.bouncycastle.asn1.x509.ReasonFlags in project certmgr by hdecarne.
the class DistributionPoint method decode.
/**
* Decode {@code DistributionPoint} object from an ASN.1 data object.
*
* @param primitive The ASN.1 data object to decode.
* @return The decoded distribution point object.
* @throws IOException if an I/O error occurs during decoding.
*/
public static DistributionPoint decode(ASN1Primitive primitive) throws IOException {
ASN1Primitive[] sequence = decodeSequence(primitive, 1, Integer.MAX_VALUE);
DistributionPointName name = null;
ReasonFlags reasons = null;
GeneralNames crlIssuer = null;
for (ASN1Primitive sequenceEntry : sequence) {
ASN1TaggedObject taggedObject = decodePrimitive(sequenceEntry, ASN1TaggedObject.class);
int taggedObjectTag = taggedObject.getTagNo();
switch(taggedObjectTag) {
case 0:
name = DistributionPointName.decode(taggedObject.getObject());
break;
case 1:
reasons = ReasonFlags.decode(taggedObject.getObject());
break;
case 2:
crlIssuer = GeneralNames.decode(taggedObject.getObject());
break;
default:
throw new IOException("Unsupported tag: " + taggedObjectTag);
}
}
return new DistributionPoint(name, crlIssuer, reasons);
}
Also used :
ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject)
IOException(java.io.IOException)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
Example 3 with ReasonFlags
use of org.bouncycastle.asn1.x509.ReasonFlags in project jdk8u_jdk by JetBrains.
the class NamedBitList method main.
public static void main(String[] args) throws Exception {
boolean[] bb = (new boolean[] { true, false, true, false, false, false });
GeneralNames gns = new GeneralNames();
gns.add(new GeneralName(new DNSName("dns")));
DerOutputStream out;
// length should be 5 since only {T,F,T} should be encoded
KeyUsageExtension x1 = new KeyUsageExtension(bb);
check(new DerValue(x1.getExtensionValue()).getUnalignedBitString().length(), 3);
NetscapeCertTypeExtension x2 = new NetscapeCertTypeExtension(bb);
check(new DerValue(x2.getExtensionValue()).getUnalignedBitString().length(), 3);
ReasonFlags r = new ReasonFlags(bb);
out = new DerOutputStream();
r.encode(out);
check(new DerValue(out.toByteArray()).getUnalignedBitString().length(), 3);
// Read sun.security.x509.DistributionPoint for ASN.1 definition
DistributionPoint dp = new DistributionPoint(gns, bb, gns);
out = new DerOutputStream();
dp.encode(out);
DerValue v = new DerValue(out.toByteArray());
// skip distributionPoint
v.data.getDerValue();
// read reasons
DerValue v2 = v.data.getDerValue();
// reset to BitString since it's context-specfic[1] encoded
v2.resetTag(DerValue.tag_BitString);
// length should be 5 since only {T,F,T} should be encoded
check(v2.getUnalignedBitString().length(), 3);
BitArray ba;
ba = new BitArray(new boolean[] { false, false, false });
check(ba.length(), 3);
ba = ba.truncate();
check(ba.length(), 1);
ba = new BitArray(new boolean[] { true, true, true, true, true, true, true, true, false, false });
check(ba.length(), 10);
check(ba.toByteArray().length, 2);
ba = ba.truncate();
check(ba.length(), 8);
check(ba.toByteArray().length, 1);
ba = new BitArray(new boolean[] { true, true, true, true, true, true, true, true, true, false });
check(ba.length(), 10);
check(ba.toByteArray().length, 2);
ba = ba.truncate();
check(ba.length(), 9);
check(ba.toByteArray().length, 2);
}
Also used :
GeneralNames(sun.security.x509.GeneralNames)
DerOutputStream(sun.security.util.DerOutputStream)
ReasonFlags(sun.security.x509.ReasonFlags)
DerValue(sun.security.util.DerValue)
GeneralName(sun.security.x509.GeneralName)
DistributionPoint(sun.security.x509.DistributionPoint)
BitArray(sun.security.util.BitArray)
DNSName(sun.security.x509.DNSName)
NetscapeCertTypeExtension(sun.security.x509.NetscapeCertTypeExtension)
KeyUsageExtension(sun.security.x509.KeyUsageExtension)
Example 4 with ReasonFlags
use of org.bouncycastle.asn1.x509.ReasonFlags in project xipki by xipki.
the class X509Ca method generateCrl0.
private X509CRL generateCrl0(boolean deltaCrl, Date thisUpdate, Date nextUpdate, AuditEvent event, String msgId) throws OperationException {
X509CrlSignerEntryWrapper crlSigner = getCrlSigner();
if (crlSigner == null) {
throw new OperationException(ErrorCode.NOT_PERMITTED, "CRL generation is not allowed");
}
LOG.info(" START generateCrl: ca={}, deltaCRL={}, nextUpdate={}", caIdent, deltaCrl, nextUpdate);
event.addEventData(CaAuditConstants.NAME_crlType, deltaCrl ? "DELTA_CRL" : "FULL_CRL");
if (nextUpdate == null) {
event.addEventData(CaAuditConstants.NAME_nextUpdate, "null");
} else {
event.addEventData(CaAuditConstants.NAME_nextUpdate, DateUtil.toUtcTimeyyyyMMddhhmmss(nextUpdate));
if (nextUpdate.getTime() - thisUpdate.getTime() < 10 * 60 * MS_PER_SECOND) {
// less than 10 minutes
throw new OperationException(ErrorCode.CRL_FAILURE, "nextUpdate and thisUpdate are too close");
}
}
CrlControl crlControl = crlSigner.getCrlControl();
boolean successful = false;
try {
ConcurrentContentSigner tmpCrlSigner = crlSigner.getSigner();
CrlControl control = crlSigner.getCrlControl();
boolean directCrl;
X500Name crlIssuer;
if (tmpCrlSigner == null) {
directCrl = true;
crlIssuer = caInfo.getPublicCaInfo().getX500Subject();
} else {
directCrl = false;
crlIssuer = X500Name.getInstance(tmpCrlSigner.getCertificate().getSubjectX500Principal().getEncoded());
}
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, thisUpdate);
if (nextUpdate != null) {
crlBuilder.setNextUpdate(nextUpdate);
}
final int numEntries = 100;
Date notExpireAt;
if (control.isIncludeExpiredCerts()) {
notExpireAt = new Date(0);
} else {
// 10 minutes buffer
notExpireAt = new Date(thisUpdate.getTime() - 600L * MS_PER_SECOND);
}
long startId = 1;
// we have to cache the serial entries to sort them
List<CertRevInfoWithSerial> allRevInfos = new LinkedList<>();
List<CertRevInfoWithSerial> revInfos;
do {
if (deltaCrl) {
revInfos = certstore.getCertsForDeltaCrl(caIdent, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts());
} else {
revInfos = certstore.getRevokedCerts(caIdent, notExpireAt, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts());
}
allRevInfos.addAll(revInfos);
long maxId = 1;
for (CertRevInfoWithSerial revInfo : revInfos) {
if (revInfo.getId() > maxId) {
maxId = revInfo.getId();
}
}
// end for
startId = maxId + 1;
} while (// end do
revInfos.size() >= numEntries);
if (revInfos != null) {
// free the memory
revInfos.clear();
}
// sort the list by SerialNumber ASC
Collections.sort(allRevInfos);
boolean isFirstCrlEntry = true;
for (CertRevInfoWithSerial revInfo : allRevInfos) {
CrlReason reason = revInfo.getReason();
if (crlControl.isExcludeReason() && reason != CrlReason.REMOVE_FROM_CRL) {
reason = CrlReason.UNSPECIFIED;
}
Date revocationTime = revInfo.getRevocationTime();
Date invalidityTime = revInfo.getInvalidityTime();
switch(crlControl.getInvalidityDateMode()) {
case FORBIDDEN:
invalidityTime = null;
break;
case OPTIONAL:
break;
case REQUIRED:
if (invalidityTime == null) {
invalidityTime = revocationTime;
}
break;
default:
throw new RuntimeException("unknown TripleState: " + crlControl.getInvalidityDateMode());
}
BigInteger serial = revInfo.getSerial();
LOG.debug("added cert ca={} serial={} to CRL", caIdent, serial);
if (directCrl || !isFirstCrlEntry) {
if (invalidityTime != null) {
crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode(), invalidityTime);
} else {
crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode());
}
continue;
}
List<Extension> extensions = new ArrayList<>(3);
if (reason != CrlReason.UNSPECIFIED) {
Extension ext = createReasonExtension(reason.getCode());
extensions.add(ext);
}
if (invalidityTime != null) {
Extension ext = createInvalidityDateExtension(invalidityTime);
extensions.add(ext);
}
Extension ext = createCertificateIssuerExtension(caInfo.getPublicCaInfo().getX500Subject());
extensions.add(ext);
crlBuilder.addCRLEntry(serial, revocationTime, new Extensions(extensions.toArray(new Extension[0])));
isFirstCrlEntry = false;
}
// free the memory
allRevInfos.clear();
BigInteger crlNumber = caInfo.nextCrlNumber();
event.addEventData(CaAuditConstants.NAME_crlNumber, crlNumber);
boolean onlyUserCerts = crlControl.isOnlyContainsUserCerts();
boolean onlyCaCerts = crlControl.isOnlyContainsCaCerts();
if (onlyUserCerts && onlyCaCerts) {
throw new RuntimeException("should not reach here, onlyUserCerts and onlyCACerts are both true");
}
try {
// AuthorityKeyIdentifier
byte[] akiValues = directCrl ? caInfo.getPublicCaInfo().getSubjectKeyIdentifer() : crlSigner.getSubjectKeyIdentifier();
AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(akiValues);
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, aki);
// add extension CRL Number
crlBuilder.addExtension(Extension.cRLNumber, false, new ASN1Integer(crlNumber));
// IssuingDistributionPoint
if (onlyUserCerts || onlyCaCerts || !directCrl) {
IssuingDistributionPoint idp = new IssuingDistributionPoint(// distributionPoint,
(DistributionPointName) null, // onlyContainsUserCerts,
onlyUserCerts, // onlyContainsCACerts,
onlyCaCerts, // onlySomeReasons,
(ReasonFlags) null, // indirectCRL,
!directCrl, // onlyContainsAttributeCerts
false);
crlBuilder.addExtension(Extension.issuingDistributionPoint, true, idp);
}
// freshestCRL
List<String> deltaCrlUris = getCaInfo().getPublicCaInfo().getDeltaCrlUris();
if (control.getDeltaCrlIntervals() > 0 && CollectionUtil.isNonEmpty(deltaCrlUris)) {
CRLDistPoint cdp = CaUtil.createCrlDistributionPoints(deltaCrlUris, caInfo.getPublicCaInfo().getX500Subject(), crlIssuer);
crlBuilder.addExtension(Extension.freshestCRL, false, cdp);
}
} catch (CertIOException ex) {
LogUtil.error(LOG, ex, "crlBuilder.addExtension");
throw new OperationException(ErrorCode.INVALID_EXTENSION, ex);
}
addXipkiCertset(crlBuilder, deltaCrl, control, notExpireAt, onlyCaCerts, onlyUserCerts);
ConcurrentContentSigner concurrentSigner = (tmpCrlSigner == null) ? caInfo.getSigner(null) : tmpCrlSigner;
ConcurrentBagEntrySigner signer0;
try {
signer0 = concurrentSigner.borrowSigner();
} catch (NoIdleSignerException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, "NoIdleSignerException: " + ex.getMessage());
}
X509CRLHolder crlHolder;
try {
crlHolder = crlBuilder.build(signer0.value());
} finally {
concurrentSigner.requiteSigner(signer0);
}
try {
X509CRL crl = X509Util.toX509Crl(crlHolder.toASN1Structure());
caInfo.getCaEntry().setNextCrlNumber(crlNumber.longValue() + 1);
caManager.commitNextCrlNo(caIdent, caInfo.getCaEntry().getNextCrlNumber());
publishCrl(crl);
successful = true;
LOG.info("SUCCESSFUL generateCrl: ca={}, crlNumber={}, thisUpdate={}", caIdent, crlNumber, crl.getThisUpdate());
if (!deltaCrl) {
// clean up the CRL
cleanupCrlsWithoutException(msgId);
}
return crl;
} catch (CRLException | CertificateException ex) {
throw new OperationException(ErrorCode.CRL_FAILURE, ex);
}
} finally {
if (!successful) {
LOG.info(" FAILED generateCrl: ca={}", caIdent);
}
}
}
Also used :
CrlControl(org.xipki.ca.server.mgmt.api.x509.CrlControl)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
X509CRL(java.security.cert.X509CRL)
ArrayList(java.util.ArrayList)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
CertificateException(java.security.cert.CertificateException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
Extensions(org.bouncycastle.asn1.x509.Extensions)
NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
CrlReason(org.xipki.security.CrlReason)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
CRLException(java.security.cert.CRLException)
OperationException(org.xipki.ca.api.OperationException)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
CertIOException(org.bouncycastle.cert.CertIOException)
ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
Date(java.util.Date)
LinkedList(java.util.LinkedList)
Extension(org.bouncycastle.asn1.x509.Extension)
ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
BigInteger(java.math.BigInteger)
Example 5 with ReasonFlags
use of org.bouncycastle.asn1.x509.ReasonFlags in project certmgr by hdecarne.
the class ASN1DataTest method testReasonFlags.
/**
* Test encoding & decoding of {@link ReasonFlags} object.
*/
@Test
public void testReasonFlags() {
try {
ReasonFlags in = new ReasonFlags(ReasonFlag.instances());
byte[] inEncoded = in.getEncoded();
ReasonFlags out = ReasonFlags.decode(decodeBytes(inEncoded));
byte[] outEncoded = out.getEncoded();
Assert.assertArrayEquals(inEncoded, outEncoded);
} catch (IOException e) {
e.printStackTrace();
Assert.fail(e.getLocalizedMessage());
}
}
Also used :
ReasonFlags(de.carne.certmgr.certs.x509.ReasonFlags)
IOException(java.io.IOException)
Test(org.junit.Test)
Aggregations
DERPrintableString (org.bouncycastle.asn1.DERPrintableString)4
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)3
DERBMPString (org.bouncycastle.asn1.DERBMPString)3
DERBitString (org.bouncycastle.asn1.DERBitString)3
DERGeneralString (org.bouncycastle.asn1.DERGeneralString)3
DERIA5String (org.bouncycastle.asn1.DERIA5String)3
DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)3
IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)3
IOException (java.io.IOException)2
ArrayList (java.util.ArrayList)2
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)2
DistributionPointName (org.bouncycastle.asn1.x509.DistributionPointName)2
ReasonFlags (org.bouncycastle.asn1.x509.ReasonFlags)2
ReasonFlags (de.carne.certmgr.certs.x509.ReasonFlags)1
BigInteger (java.math.BigInteger)1
CRLException (java.security.cert.CRLException)1
CertificateException (java.security.cert.CertificateException)1
X509CRL (java.security.cert.X509CRL)1
Date (java.util.Date)1
LinkedList (java.util.LinkedList)1
