Example 16 with X509CRLHolder
use of org.bouncycastle.cert.X509CRLHolder in project xipki by xipki.
the class X509Ca method generateCrl0.
private X509CRL generateCrl0(boolean deltaCrl, Date thisUpdate, Date nextUpdate, AuditEvent event, String msgId) throws OperationException {
X509CrlSignerEntryWrapper crlSigner = getCrlSigner();
if (crlSigner == null) {
throw new OperationException(ErrorCode.NOT_PERMITTED, "CRL generation is not allowed");
}
LOG.info(" START generateCrl: ca={}, deltaCRL={}, nextUpdate={}", caIdent, deltaCrl, nextUpdate);
event.addEventData(CaAuditConstants.NAME_crlType, deltaCrl ? "DELTA_CRL" : "FULL_CRL");
if (nextUpdate == null) {
event.addEventData(CaAuditConstants.NAME_nextUpdate, "null");
} else {
event.addEventData(CaAuditConstants.NAME_nextUpdate, DateUtil.toUtcTimeyyyyMMddhhmmss(nextUpdate));
if (nextUpdate.getTime() - thisUpdate.getTime() < 10 * 60 * MS_PER_SECOND) {
// less than 10 minutes
throw new OperationException(ErrorCode.CRL_FAILURE, "nextUpdate and thisUpdate are too close");
}
}
CrlControl crlControl = crlSigner.getCrlControl();
boolean successful = false;
try {
ConcurrentContentSigner tmpCrlSigner = crlSigner.getSigner();
CrlControl control = crlSigner.getCrlControl();
boolean directCrl;
X500Name crlIssuer;
if (tmpCrlSigner == null) {
directCrl = true;
crlIssuer = caInfo.getPublicCaInfo().getX500Subject();
} else {
directCrl = false;
crlIssuer = X500Name.getInstance(tmpCrlSigner.getCertificate().getSubjectX500Principal().getEncoded());
}
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, thisUpdate);
if (nextUpdate != null) {
crlBuilder.setNextUpdate(nextUpdate);
}
final int numEntries = 100;
Date notExpireAt;
if (control.isIncludeExpiredCerts()) {
notExpireAt = new Date(0);
} else {
// 10 minutes buffer
notExpireAt = new Date(thisUpdate.getTime() - 600L * MS_PER_SECOND);
}
long startId = 1;
// we have to cache the serial entries to sort them
List<CertRevInfoWithSerial> allRevInfos = new LinkedList<>();
List<CertRevInfoWithSerial> revInfos;
do {
if (deltaCrl) {
revInfos = certstore.getCertsForDeltaCrl(caIdent, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts());
} else {
revInfos = certstore.getRevokedCerts(caIdent, notExpireAt, startId, numEntries, control.isOnlyContainsCaCerts(), control.isOnlyContainsUserCerts());
}
allRevInfos.addAll(revInfos);
long maxId = 1;
for (CertRevInfoWithSerial revInfo : revInfos) {
if (revInfo.getId() > maxId) {
maxId = revInfo.getId();
}
}
// end for
startId = maxId + 1;
} while (// end do
revInfos.size() >= numEntries);
if (revInfos != null) {
// free the memory
revInfos.clear();
}
// sort the list by SerialNumber ASC
Collections.sort(allRevInfos);
boolean isFirstCrlEntry = true;
for (CertRevInfoWithSerial revInfo : allRevInfos) {
CrlReason reason = revInfo.getReason();
if (crlControl.isExcludeReason() && reason != CrlReason.REMOVE_FROM_CRL) {
reason = CrlReason.UNSPECIFIED;
}
Date revocationTime = revInfo.getRevocationTime();
Date invalidityTime = revInfo.getInvalidityTime();
switch(crlControl.getInvalidityDateMode()) {
case FORBIDDEN:
invalidityTime = null;
break;
case OPTIONAL:
break;
case REQUIRED:
if (invalidityTime == null) {
invalidityTime = revocationTime;
}
break;
default:
throw new RuntimeException("unknown TripleState: " + crlControl.getInvalidityDateMode());
}
BigInteger serial = revInfo.getSerial();
LOG.debug("added cert ca={} serial={} to CRL", caIdent, serial);
if (directCrl || !isFirstCrlEntry) {
if (invalidityTime != null) {
crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode(), invalidityTime);
} else {
crlBuilder.addCRLEntry(serial, revocationTime, reason.getCode());
}
continue;
}
List<Extension> extensions = new ArrayList<>(3);
if (reason != CrlReason.UNSPECIFIED) {
Extension ext = createReasonExtension(reason.getCode());
extensions.add(ext);
}
if (invalidityTime != null) {
Extension ext = createInvalidityDateExtension(invalidityTime);
extensions.add(ext);
}
Extension ext = createCertificateIssuerExtension(caInfo.getPublicCaInfo().getX500Subject());
extensions.add(ext);
crlBuilder.addCRLEntry(serial, revocationTime, new Extensions(extensions.toArray(new Extension[0])));
isFirstCrlEntry = false;
}
// free the memory
allRevInfos.clear();
BigInteger crlNumber = caInfo.nextCrlNumber();
event.addEventData(CaAuditConstants.NAME_crlNumber, crlNumber);
boolean onlyUserCerts = crlControl.isOnlyContainsUserCerts();
boolean onlyCaCerts = crlControl.isOnlyContainsCaCerts();
if (onlyUserCerts && onlyCaCerts) {
throw new RuntimeException("should not reach here, onlyUserCerts and onlyCACerts are both true");
}
try {
// AuthorityKeyIdentifier
byte[] akiValues = directCrl ? caInfo.getPublicCaInfo().getSubjectKeyIdentifer() : crlSigner.getSubjectKeyIdentifier();
AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(akiValues);
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, aki);
// add extension CRL Number
crlBuilder.addExtension(Extension.cRLNumber, false, new ASN1Integer(crlNumber));
// IssuingDistributionPoint
if (onlyUserCerts || onlyCaCerts || !directCrl) {
IssuingDistributionPoint idp = new IssuingDistributionPoint(// distributionPoint,
(DistributionPointName) null, // onlyContainsUserCerts,
onlyUserCerts, // onlyContainsCACerts,
onlyCaCerts, // onlySomeReasons,
(ReasonFlags) null, // indirectCRL,
!directCrl, // onlyContainsAttributeCerts
false);
crlBuilder.addExtension(Extension.issuingDistributionPoint, true, idp);
}
// freshestCRL
List<String> deltaCrlUris = getCaInfo().getPublicCaInfo().getDeltaCrlUris();
if (control.getDeltaCrlIntervals() > 0 && CollectionUtil.isNonEmpty(deltaCrlUris)) {
CRLDistPoint cdp = CaUtil.createCrlDistributionPoints(deltaCrlUris, caInfo.getPublicCaInfo().getX500Subject(), crlIssuer);
crlBuilder.addExtension(Extension.freshestCRL, false, cdp);
}
} catch (CertIOException ex) {
LogUtil.error(LOG, ex, "crlBuilder.addExtension");
throw new OperationException(ErrorCode.INVALID_EXTENSION, ex);
}
addXipkiCertset(crlBuilder, deltaCrl, control, notExpireAt, onlyCaCerts, onlyUserCerts);
ConcurrentContentSigner concurrentSigner = (tmpCrlSigner == null) ? caInfo.getSigner(null) : tmpCrlSigner;
ConcurrentBagEntrySigner signer0;
try {
signer0 = concurrentSigner.borrowSigner();
} catch (NoIdleSignerException ex) {
throw new OperationException(ErrorCode.SYSTEM_FAILURE, "NoIdleSignerException: " + ex.getMessage());
}
X509CRLHolder crlHolder;
try {
crlHolder = crlBuilder.build(signer0.value());
} finally {
concurrentSigner.requiteSigner(signer0);
}
try {
X509CRL crl = X509Util.toX509Crl(crlHolder.toASN1Structure());
caInfo.getCaEntry().setNextCrlNumber(crlNumber.longValue() + 1);
caManager.commitNextCrlNo(caIdent, caInfo.getCaEntry().getNextCrlNumber());
publishCrl(crl);
successful = true;
LOG.info("SUCCESSFUL generateCrl: ca={}, crlNumber={}, thisUpdate={}", caIdent, crlNumber, crl.getThisUpdate());
if (!deltaCrl) {
// clean up the CRL
cleanupCrlsWithoutException(msgId);
}
return crl;
} catch (CRLException | CertificateException ex) {
throw new OperationException(ErrorCode.CRL_FAILURE, ex);
}
} finally {
if (!successful) {
LOG.info(" FAILED generateCrl: ca={}", caIdent);
}
}
}
Also used :
CrlControl(org.xipki.ca.server.mgmt.api.x509.CrlControl)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
X509CRL(java.security.cert.X509CRL)
ArrayList(java.util.ArrayList)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
CertificateException(java.security.cert.CertificateException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
Extensions(org.bouncycastle.asn1.x509.Extensions)
NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
CrlReason(org.xipki.security.CrlReason)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
CRLException(java.security.cert.CRLException)
OperationException(org.xipki.ca.api.OperationException)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
CertIOException(org.bouncycastle.cert.CertIOException)
ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
Date(java.util.Date)
LinkedList(java.util.LinkedList)
Extension(org.bouncycastle.asn1.x509.Extension)
ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
BigInteger(java.math.BigInteger)
Example 17 with X509CRLHolder
use of org.bouncycastle.cert.X509CRLHolder in project xipki by xipki.
the class ScepResponder method createSignedData.
// method servicePkiOperation0
private ContentInfo createSignedData(CertificateList crl) throws CaException {
CMSSignedDataGenerator cmsSignedDataGen = new CMSSignedDataGenerator();
cmsSignedDataGen.addCRL(new X509CRLHolder(crl));
CMSSignedData cmsSigneddata;
try {
cmsSigneddata = cmsSignedDataGen.generate(new CMSAbsentContent());
} catch (CMSException ex) {
throw new CaException(ex.getMessage(), ex);
}
return cmsSigneddata.toASN1Structure();
}
Also used :
CMSSignedDataGenerator(org.bouncycastle.cms.CMSSignedDataGenerator)
CMSAbsentContent(org.bouncycastle.cms.CMSAbsentContent)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
CMSSignedData(org.bouncycastle.cms.CMSSignedData)
CMSException(org.bouncycastle.cms.CMSException)
Example 18 with X509CRLHolder
use of org.bouncycastle.cert.X509CRLHolder in project candlepin by candlepin.
the class X509CRLStreamWriter method writeToEmptyCrl.
protected void writeToEmptyCrl(OutputStream out) throws IOException {
ASN1InputStream asn1in = null;
try {
asn1in = new ASN1InputStream(crlIn);
ASN1Sequence certListSeq = (ASN1Sequence) asn1in.readObject();
CertificateList certList = CertificateList.getInstance(certListSeq);
X509CRLHolder oldCrl = new X509CRLHolder(certList);
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(oldCrl.getIssuer(), new Date());
crlBuilder.addCRL(oldCrl);
Date now = new Date();
Date oldNextUpdate = certList.getNextUpdate().getDate();
Date oldThisUpdate = certList.getThisUpdate().getDate();
Date nextUpdate = new Date(now.getTime() + (oldNextUpdate.getTime() - oldThisUpdate.getTime()));
crlBuilder.setNextUpdate(nextUpdate);
for (Object o : oldCrl.getExtensionOIDs()) {
ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) o;
Extension ext = oldCrl.getExtension(oid);
if (oid.equals(Extension.cRLNumber)) {
ASN1OctetString octet = ext.getExtnValue();
ASN1Integer currentNumber = (ASN1Integer) new ASN1InputStream(octet.getOctets()).readObject();
ASN1Integer nextNumber = new ASN1Integer(currentNumber.getValue().add(BigInteger.ONE));
crlBuilder.addExtension(oid, ext.isCritical(), nextNumber);
} else if (oid.equals(Extension.authorityKeyIdentifier)) {
crlBuilder.addExtension(oid, ext.isCritical(), ext.getParsedValue());
}
}
for (DERSequence entry : newEntries) {
// XXX: This is all a bit messy considering the user already passed in the serial, date
// and reason.
BigInteger serial = ((ASN1Integer) entry.getObjectAt(0)).getValue();
Date revokeDate = ((Time) entry.getObjectAt(1)).getDate();
int reason = CRLReason.unspecified;
if (entry.size() == 3) {
Extensions extensions = (Extensions) entry.getObjectAt(2);
Extension reasonExt = extensions.getExtension(Extension.reasonCode);
if (reasonExt != null) {
reason = ((ASN1Enumerated) reasonExt.getParsedValue()).getValue().intValue();
}
}
crlBuilder.addCRLEntry(serial, revokeDate, reason);
}
if (signingAlg == null) {
signingAlg = oldCrl.toASN1Structure().getSignatureAlgorithm();
}
ContentSigner s;
try {
s = createContentSigner(signingAlg, key);
X509CRLHolder newCrl = crlBuilder.build(s);
out.write(newCrl.getEncoded());
} catch (OperatorCreationException e) {
throw new IOException("Could not sign CRL", e);
}
} finally {
IOUtils.closeQuietly(asn1in);
}
}
Also used :
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
CertificateList(org.bouncycastle.asn1.x509.CertificateList)
ContentSigner(org.bouncycastle.operator.ContentSigner)
DERGeneralizedTime(org.bouncycastle.asn1.DERGeneralizedTime)
ASN1GeneralizedTime(org.bouncycastle.asn1.ASN1GeneralizedTime)
DERUTCTime(org.bouncycastle.asn1.DERUTCTime)
Time(org.bouncycastle.asn1.x509.Time)
ASN1UTCTime(org.bouncycastle.asn1.ASN1UTCTime)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
IOException(java.io.IOException)
Extensions(org.bouncycastle.asn1.x509.Extensions)
Date(java.util.Date)
Extension(org.bouncycastle.asn1.x509.Extension)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
DERSequence(org.bouncycastle.asn1.DERSequence)
ASN1Enumerated(org.bouncycastle.asn1.ASN1Enumerated)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
BigInteger(java.math.BigInteger)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
ASN1Object(org.bouncycastle.asn1.ASN1Object)
ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject)
DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 19 with X509CRLHolder
use of org.bouncycastle.cert.X509CRLHolder in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testModifyUpdatedTime.
@Test
public void testModifyUpdatedTime() throws Exception {
X509CRLHolder holder = createCRL();
File crlToChange = writeCRL(holder);
Thread.sleep(1000);
X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
stream.preScan(crlToChange).lock();
OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
stream.write(o);
o.close();
X509CRL changedCrl = readCRL();
X509CRL originalCrl = new JcaX509CRLConverter().setProvider(BC_PROVIDER).getCRL(holder);
assertTrue("Error: CRL thisUpdate field unmodified", originalCrl.getThisUpdate().before(changedCrl.getThisUpdate()));
}
Also used :
X509CRL(java.security.cert.X509CRL)
JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter)
BufferedOutputStream(java.io.BufferedOutputStream)
OutputStream(java.io.OutputStream)
FileOutputStream(java.io.FileOutputStream)
FileOutputStream(java.io.FileOutputStream)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
File(java.io.File)
BufferedOutputStream(java.io.BufferedOutputStream)
Test(org.junit.Test)
Example 20 with X509CRLHolder
use of org.bouncycastle.cert.X509CRLHolder in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testAddEntryToBigCRL.
@Test
public void testAddEntryToBigCRL() throws Exception {
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
/* With a CRL number of 127, incrementing it should cause the number of bytes in the length
* portion of the TLV to increase by one.*/
crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
BigInteger serial = new BigInteger("741696FE9E30AD27", 16);
Set<BigInteger> expected = new HashSet<>();
for (int i = 0; i < 10000; i++) {
serial = serial.add(BigInteger.TEN);
crlBuilder.addCRLEntry(serial, new Date(), CRLReason.privilegeWithdrawn);
expected.add(serial);
}
X509CRLHolder holder = crlBuilder.build(signer);
File crlToChange = writeCRL(holder);
File outfile = new File(folder.getRoot(), "new.crl");
X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
// Add enough items to cause the number of length bytes to change
Set<BigInteger> newSerials = new HashSet<>(Arrays.asList(new BigInteger("2358215310"), new BigInteger("7231352433"), new BigInteger("8233181205"), new BigInteger("1455615868"), new BigInteger("4323487764"), new BigInteger("6673256679")));
for (BigInteger i : newSerials) {
stream.add(i, new Date(), CRLReason.privilegeWithdrawn);
expected.add(i);
}
stream.preScan(crlToChange).lock();
OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile));
stream.write(o);
o.close();
X509CRL changedCrl = readCRL();
Set<BigInteger> discoveredSerials = new HashSet<>();
for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
discoveredSerials.add(entry.getSerialNumber());
}
assertEquals(expected, discoveredSerials);
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
X509CRL(java.security.cert.X509CRL)
CRLNumber(org.bouncycastle.asn1.x509.CRLNumber)
BufferedOutputStream(java.io.BufferedOutputStream)
OutputStream(java.io.OutputStream)
FileOutputStream(java.io.FileOutputStream)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
Date(java.util.Date)
X509CRLEntry(java.security.cert.X509CRLEntry)
FileOutputStream(java.io.FileOutputStream)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
BigInteger(java.math.BigInteger)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
File(java.io.File)
BufferedOutputStream(java.io.BufferedOutputStream)
HashSet(java.util.HashSet)
Test(org.junit.Test)
Aggregations
X509CRLHolder (org.bouncycastle.cert.X509CRLHolder)32
X509v2CRLBuilder (org.bouncycastle.cert.X509v2CRLBuilder)22
Date (java.util.Date)20
File (java.io.File)15
BigInteger (java.math.BigInteger)15
FileOutputStream (java.io.FileOutputStream)14
Test (org.junit.Test)13
BufferedOutputStream (java.io.BufferedOutputStream)10
OutputStream (java.io.OutputStream)10
X509CRL (java.security.cert.X509CRL)9
HashSet (java.util.HashSet)9
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)9
CRLNumber (org.bouncycastle.asn1.x509.CRLNumber)8
IOException (java.io.IOException)7
ContentSigner (org.bouncycastle.operator.ContentSigner)7
X509CRLEntry (java.security.cert.X509CRLEntry)6
JcaX509CRLConverter (org.bouncycastle.cert.jcajce.JcaX509CRLConverter)6
JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)6
ASN1Integer (org.bouncycastle.asn1.ASN1Integer)5
X500Name (org.bouncycastle.asn1.x500.X500Name)5
