Example 11 with CRLEntry
use of org.bouncycastle.asn1.x509.TBSCertList.CRLEntry in project candlepin by candlepin.
the class CrlFileUtil method updateCRLFile.
/**
* Updates the specified CRL file by adding or removing entries. If both lists are either null
* or empty, the CRL file will not be modified by this method. If the file does not exist or
* appears to be empty, it will be initialized before processing the lists.
*
* @param file
* The CRL file to update
*
* @param revoke
* A collection of serials to revoke (add)
*
* @param unrevoke
* A collection of serials to unrevoke (remove)
*
* @throws IOException
* if an IO error occurs while updating the CRL file
*/
public void updateCRLFile(File file, final Collection<BigInteger> revoke, final Collection<BigInteger> unrevoke) throws IOException {
if (!file.exists() || file.length() == 0) {
this.initializeCRLFile(file, revoke);
return;
}
File strippedFile = stripCRLFile(file);
InputStream input = null;
InputStream reaper = null;
BufferedOutputStream output = null;
OutputStream filter = null;
OutputStream encoder = null;
try {
// Impl note:
// Due to the way the X509CRLStreamWriter works (and the DER format in general), we have
// to make two passes through the file.
input = new Base64InputStream(new FileInputStream(strippedFile));
reaper = new Base64InputStream(new FileInputStream(strippedFile));
// Note: This will break if we ever stop using RSA keys
PrivateKey key = this.certificateReader.getCaKey();
X509CRLStreamWriter writer = new X509CRLStreamWriter(input, (RSAPrivateKey) key, this.certificateReader.getCACert());
// Add new entries
if (revoke != null) {
Date now = new Date();
for (BigInteger serial : revoke) {
writer.add(serial, now, CRLReason.privilegeWithdrawn);
}
}
// or we could miss cases where we have entries to remove, but nothing to add.
if (unrevoke != null && !unrevoke.isEmpty()) {
writer.preScan(reaper, new CRLEntryValidator() {
public boolean shouldDelete(CRLEntry entry) {
BigInteger certSerial = entry.getUserCertificate().getValue();
return unrevoke.contains(certSerial);
}
});
} else {
writer.preScan(reaper);
}
writer.setSigningAlgorithm(PKIUtility.SIGNATURE_ALGO);
// Verify we actually have work to do now
if (writer.hasChangesQueued()) {
output = new BufferedOutputStream(new FileOutputStream(file));
filter = new FilterOutputStream(output) {
private boolean needsLineBreak = true;
public void write(int b) throws IOException {
this.needsLineBreak = (b != (byte) '\n');
super.write(b);
}
public void write(byte[] buffer) throws IOException {
this.needsLineBreak = (buffer[buffer.length - 1] != (byte) '\n');
super.write(buffer);
}
public void write(byte[] buffer, int off, int len) throws IOException {
this.needsLineBreak = (buffer[off + len - 1] != (byte) '\n');
super.write(buffer, off, len);
}
public void close() throws IOException {
if (this.needsLineBreak) {
super.write((int) '\n');
this.needsLineBreak = false;
}
// Impl note:
// We're intentionally not propagating the call here.
}
};
encoder = new Base64OutputStream(filter, true, 76, new byte[] { (byte) '\n' });
output.write("-----BEGIN X509 CRL-----\n".getBytes());
writer.lock();
writer.write(encoder);
encoder.close();
filter.close();
output.write("-----END X509 CRL-----\n".getBytes());
output.close();
}
} catch (GeneralSecurityException e) {
// This should never actually happen
log.error("Unexpected security error occurred while retrieving CA key", e);
} catch (CryptoException e) {
// Something went horribly wrong with the stream writer
log.error("Unexpected error occurred while writing new CRL file", e);
} finally {
for (Closeable stream : Arrays.asList(encoder, output, reaper, input)) {
if (stream != null) {
try {
stream.close();
} catch (IOException e) {
log.error("Unexpected exception occurred while closing stream: {}", stream, e);
}
}
}
if (!strippedFile.delete()) {
log.error("Unable to delete temporary CRL file: {}", strippedFile);
}
}
}
Also used :
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
PrivateKey(java.security.PrivateKey)
FileInputStream(java.io.FileInputStream)
Base64InputStream(org.apache.commons.codec.binary.Base64InputStream)
InputStream(java.io.InputStream)
BufferedOutputStream(java.io.BufferedOutputStream)
Base64OutputStream(org.apache.commons.codec.binary.Base64OutputStream)
OutputStream(java.io.OutputStream)
FileOutputStream(java.io.FileOutputStream)
FilterOutputStream(java.io.FilterOutputStream)
GeneralSecurityException(java.security.GeneralSecurityException)
Closeable(java.io.Closeable)
CRLEntry(org.bouncycastle.asn1.x509.TBSCertList.CRLEntry)
IOException(java.io.IOException)
Base64OutputStream(org.apache.commons.codec.binary.Base64OutputStream)
FileInputStream(java.io.FileInputStream)
Date(java.util.Date)
FileOutputStream(java.io.FileOutputStream)
BigInteger(java.math.BigInteger)
Base64InputStream(org.apache.commons.codec.binary.Base64InputStream)
FilterOutputStream(java.io.FilterOutputStream)
CryptoException(org.bouncycastle.crypto.CryptoException)
File(java.io.File)
BufferedOutputStream(java.io.BufferedOutputStream)
Aggregations
X509CRLEntry (java.security.cert.X509CRLEntry)8
IOException (java.io.IOException)5
Enumeration (java.util.Enumeration)5
TBSCertList (org.bouncycastle.asn1.x509.TBSCertList)5
HashSet (java.util.HashSet)4
File (java.io.File)3
BigInteger (java.math.BigInteger)3
X509CRL (java.security.cert.X509CRL)3
X509Certificate (java.security.cert.X509Certificate)3
Date (java.util.Date)3
Set (java.util.Set)3
X500Principal (javax.security.auth.x500.X500Principal)3
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)3
DERIA5String (org.bouncycastle.asn1.DERIA5String)3
BufferedOutputStream (java.io.BufferedOutputStream)2
FileOutputStream (java.io.FileOutputStream)2
OutputStream (java.io.OutputStream)2
MalformedURLException (java.net.MalformedURLException)2
NoSuchProviderException (java.security.NoSuchProviderException)2
Principal (java.security.Principal)2
