use of org.bouncycastle.cert.X509CRLHolder in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testUpgradesSignature.
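@Test
public void testUpgradesSignature() throws Exception {
    // Build a CRL signed with SHA1WithRSA, then rewrite it through the stream
    // writer with SHA256WithRSA and one added entry. The rewritten CRL must list
    // serial 100 (presumably put there by createCRLBuilder; not visible here) and
    // the added serial 9000, must verify with the issuer key, and must carry the
    // upgraded signature algorithm.
    X509v2CRLBuilder crlBuilder = createCRLBuilder();
    String signingAlg = "SHA1WithRSA";
    ContentSigner sha1Signer = new JcaContentSignerBuilder(signingAlg)
        .setProvider(BC_PROVIDER)
        .build(keyPair.getPrivate());
    X509CRLHolder holder = crlBuilder.build(sha1Signer);
    File crlToChange = writeCRL(holder);

    X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange,
        (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
    stream.setSigningAlgorithm("SHA256WithRSA");
    stream.add(new BigInteger("9000"), new Date(), 0);
    stream.preScan(crlToChange).lock();

    // try-with-resources: the output stream was previously closed only on the
    // happy path, so a failing write() leaked the file handle.
    try (OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile))) {
        stream.write(o);
    }

    X509CRL changedCrl = readCRL();

    // The test is named for the signature upgrade, so pin it: the rewritten CRL
    // must validate under the original key pair and carry the
    // sha256WithRSAEncryption OID rather than the SHA-1 one it started with.
    changedCrl.verify(keyPair.getPublic());
    assertEquals("1.2.840.113549.1.1.11", changedCrl.getSigAlgOID());

    Set<BigInteger> discoveredSerials = new HashSet<>();
    for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
        discoveredSerials.add(entry.getSerialNumber());
    }
    Set<BigInteger> expected = new HashSet<>();
    expected.add(new BigInteger("100"));
    expected.add(new BigInteger("9000"));
    assertEquals(expected, discoveredSerials);
}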
use of org.bouncycastle.cert.X509CRLHolder in project candlepin by candlepin.
the class X509CRLEntryStreamTest method testIterateOverEmptyCrl.
@Test
public void testIterateOverEmptyCrl() throws Exception {
    // A CRL that carries the authorityKeyIdentifier and cRLNumber extensions but
    // revokes nothing: the entry stream must open it and yield no entries.
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    AuthorityKeyIdentifier akid = extUtils.createAuthorityKeyIdentifier(keyPair.getPublic());
    builder.addExtension(Extension.authorityKeyIdentifier, false, akid);
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    X509CRLHolder holder = builder.build(signer);

    // The builder is given no nextUpdate, so the encoded CRL has none.
    File emptyCrl = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(emptyCrl, holder.getEncoded());

    X509CRLEntryStream stream = new X509CRLEntryStream(emptyCrl);
    try {
        Set<BigInteger> seen = new HashSet<>();
        while (stream.hasNext()) {
            seen.add(getSerial(stream.next()));
        }
        assertEquals(0, seen.size());
    }
    finally {
        // Not known to be AutoCloseable from here, hence explicit close.
        stream.close();
    }
}
use of org.bouncycastle.cert.X509CRLHolder in project candlepin by candlepin.
the class X509CRLEntryStreamTest method testIterateOverEmptyCrlWithNoExtensions.
@Test
public void testIterateOverEmptyCrlWithNoExtensions() throws Exception {
    // With no extensions at all the encoded CRL is (judging by the expected
    // message) a v1 CRL, which the entry stream refuses with an
    // IllegalStateException whose message starts with "v1".
    X509CRLHolder holder = new X509v2CRLBuilder(issuer, new Date()).build(signer);
    File v1Crl = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(v1Crl, holder.getEncoded());

    X509CRLEntryStream stream = new X509CRLEntryStream(v1Crl);

    // Registered after construction on purpose: an exception thrown by the
    // constructor itself should fail the test, not satisfy the expectation.
    thrown.expect(IllegalStateException.class);
    thrown.expectMessage(matchesPattern("v1.*"));
    try {
        while (stream.hasNext()) {
            stream.next();
        }
    }
    finally {
        stream.close();
    }
}
use of org.bouncycastle.cert.X509CRLHolder in project fabric-sdk-java by hyperledger.
the class HFCAClientIT method parseCRL.
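/**
 * Decodes a base64-wrapped, PEM-formatted CRL and returns its revoked entries.
 *
 * @param crl base64 text whose decoded payload is a PEM CRL (presumably the
 *            form returned by the CA's revoke call; confirm against the caller)
 * @return the CRL's revoked-certificate entries, possibly empty
 * @throws IllegalArgumentException if the payload holds no PEM object or a
 *                                  PEM object that is not an X.509 CRL
 * @throws Exception                on base64/PEM decoding failures
 */
TBSCertList.CRLEntry[] parseCRL(String crl) throws Exception {
    Base64.Decoder b64dec = Base64.getDecoder();
    final byte[] decode = b64dec.decode(crl.getBytes(UTF_8));
    // Explicit charset: the previous new String(byte[]) used the platform
    // default, which is not UTF-8 on every JVM.
    // try-with-resources: PEMParser is a Reader and was never closed before.
    try (PEMParser pem = new PEMParser(new StringReader(new String(decode, UTF_8)))) {
        // readObject() returns null at end of input, and an unchecked cast
        // would turn either that or a non-CRL PEM block into an opaque
        // NullPointerException/ClassCastException.
        Object parsed = pem.readObject();
        if (!(parsed instanceof X509CRLHolder)) {
            throw new IllegalArgumentException("Expected a PEM-encoded X.509 CRL but found "
                + (parsed == null ? "no PEM object" : parsed.getClass().getName()));
        }
        return ((X509CRLHolder) parsed).toASN1Structure().getRevokedCertificates();
    }
}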
use of org.bouncycastle.cert.X509CRLHolder in project jruby-openssl by jruby.
the class SecurityHelper method verify.
/**
 * Checks that {@code crl} was signed by the holder of {@code publicKey}.
 *
 * <p>A BC {@link X509CRLObject} is verified through the JCA {@link Signature}
 * API after confirming that the outer signature algorithm matches the one
 * recorded inside the TBSCertList. Any other {@link X509CRL} implementation is
 * re-encoded and verified by a BC {@link X509CRLHolder} using a DSA or RSA
 * verifier built from the raw key parameters.
 *
 * <p>NOTE(review): {@code silent} is only consulted on the X509CRLObject path.
 * On the holder path a non-verifying signature yields {@code false} whether or
 * not {@code silent} is set, and any operator, encoding or key-type problem is
 * rethrown as {@link SignatureException} even when {@code silent} is true.
 *
 * @param crl       the CRL whose signature is checked
 * @param publicKey the issuer key; on the holder path it must be a
 *                  {@link DSAPublicKey} or an {@link RSAPublicKey}
 * @param silent    when true, report a failed check as {@code false} instead of
 *                  throwing (X509CRLObject path only, see above)
 * @return {@code true} if the signature verifies
 * @throws CRLException       the algorithm identifiers disagree (X509CRLObject
 *                            path, non-silent), or the CRL cannot be encoded
 * @throws SignatureException the signature does not verify (X509CRLObject
 *                            path, non-silent), or a wrapped holder-path error
 */
static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolean silent)
    throws NoSuchAlgorithmException, CRLException, InvalidKeyException, SignatureException {
    if (!(crl instanceof X509CRLObject)) {
        return verifyWithHolder(crl, publicKey);
    }

    final CertificateList certList = (CertificateList) getCertificateList(crl);
    final AlgorithmIdentifier innerAlg = certList.getTBSCertList().getSignature();
    final AlgorithmIdentifier outerAlg = certList.getSignatureAlgorithm();
    // RFC 5280 5.1.1.2: the signed algorithm identifier must equal the outer one,
    // otherwise the unsigned outer field could be swapped for a weaker algorithm.
    if (!outerAlg.equals(innerAlg)) {
        if (silent) {
            return false;
        }
        throw new CRLException("Signature algorithm on CertificateList does not match TBSCertList.");
    }

    final Signature verifier = getSignature(crl.getSigAlgName(), securityProvider);
    verifier.initVerify(publicKey);
    verifier.update(crl.getTBSCertList());
    if (verifier.verify(crl.getSignature())) {
        return true;
    }
    if (silent) {
        return false;
    }
    throw new SignatureException("CRL does not verify with supplied public key.");
}

/**
 * Holder-path verification for non-BC {@link X509CRL} implementations.
 * Every BC-side failure (operator, certificate, encoding) and a key that is not
 * DSA/RSA (surfacing as {@link ClassCastException}) is wrapped in a
 * {@link SignatureException}; {@code silent} is not consulted here.
 */
private static boolean verifyWithHolder(final X509CRL crl, final PublicKey publicKey)
    throws CRLException, SignatureException {
    try {
        final DigestAlgorithmIdentifierFinder digestFinder = new DefaultDigestAlgorithmIdentifierFinder();
        final boolean isDsa = "DSA".equalsIgnoreCase(publicKey.getAlgorithm());
        final ContentVerifierProvider provider = isDsa
            ? new BcDSAContentVerifierProviderBuilder(digestFinder).build(toDsaParameters(publicKey))
            : new BcRSAContentVerifierProviderBuilder(digestFinder).build(toRsaParameters(publicKey));
        return new X509CRLHolder(crl.getEncoded()).isSignatureValid(provider);
    }
    catch (OperatorException e) {
        throw new SignatureException(e);
    }
    catch (CertException e) {
        throw new SignatureException(e);
    }
    catch (ClassCastException e) {
        // Input may be DER but not of the expected structure, or the key is
        // neither DSA nor RSA.
        throw new SignatureException(e);
    }
    catch (IOException e) {
        throw new SignatureException(e);
    }
}

/** Converts a JCA DSA public key into BC lightweight-API parameters. */
private static AsymmetricKeyParameter toDsaParameters(final PublicKey publicKey) {
    final DSAPublicKey dsaKey = (DSAPublicKey) publicKey;
    final DSAParams params = dsaKey.getParams();
    final DSAParameters domain = new DSAParameters(params.getP(), params.getQ(), params.getG());
    return new DSAPublicKeyParameters(dsaKey.getY(), domain);
}

/** Converts a JCA RSA public key into BC lightweight-API parameters. */
private static AsymmetricKeyParameter toRsaParameters(final PublicKey publicKey) {
    final RSAPublicKey rsaKey = (RSAPublicKey) publicKey;
    return new RSAKeyParameters(false, rsaKey.getModulus(), rsaKey.getPublicExponent());
}