use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project certmgr by hdecarne.
the class X509CRLHelper method generateCRL.
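/**
 * Generate a signed X.509 v2 CRL.
 * <p>
 * The CRL carries a non-critical authorityKeyIdentifier extension derived from the issuer's public key and a
 * non-critical cRLNumber extension obtained from {@code getNextCRLNumber(currentCRL)}. When {@code currentCRL}
 * is given, entries it already lists keep their original revocationDate; only serials that are new in
 * {@code revokeEntries} are stamped with {@code lastUpdate}. Re-stamping every entry on each re-issue would hide
 * from relying parties when a certificate was actually revoked (e.g. for deciding whether a signature was
 * produced before the revocation).
 * <p>
 * RFC 5280 section 5.1.2.5 requires conforming CRL issuers to include nextUpdate; passing {@code null} emits a
 * CRL without it, which some relying parties treat as never expiring. Callers should supply a value.
 *
 * @param currentCRL The current CRL object in case of an update (may be {@code null}).
 * @param lastUpdate The thisUpdate timestamp to set; also the revocationDate of newly revoked serials.
 * @param nextUpdate The nextUpdate timestamp to set (may be {@code null}); must not precede {@code lastUpdate}.
 * @param revokeEntries The complete set of revoked serial numbers with their revocation reasons.
 * @param issuerDN The CRL issuer's DN.
 * @param issuerKey The CRL issuer's key pair; the private key signs, the public key derives the AKI.
 * @param signatureAlgorithm The signature algorithm to use for signing.
 * @return The generated CRL object.
 * @throws IOException if an error occurs during generation.
 * @throws IllegalArgumentException if {@code nextUpdate} is before {@code lastUpdate}.
 */
public static X509CRL generateCRL(@Nullable X509CRL currentCRL, Date lastUpdate, @Nullable Date nextUpdate, Map<BigInteger, ReasonFlag> revokeEntries, X500Principal issuerDN, KeyPair issuerKey, SignatureAlgorithm signatureAlgorithm) throws IOException {
    LOG.info("CRL generation ''{0}'' started...", issuerDN);
    // A nextUpdate earlier than thisUpdate would be an already-expired CRL; reject it up front.
    if (nextUpdate != null && nextUpdate.before(lastUpdate)) {
        throw new IllegalArgumentException("nextUpdate must not be before lastUpdate");
    }
    // Initialize CRL builder
    JcaX509v2CRLBuilder crlBuilder = new JcaX509v2CRLBuilder(issuerDN, lastUpdate);
    if (nextUpdate != null) {
        crlBuilder.setNextUpdate(nextUpdate);
    }
    for (Map.Entry<BigInteger, ReasonFlag> revokeEntry : revokeEntries.entrySet()) {
        BigInteger serial = revokeEntry.getKey();
        // Serials already present in the previous CRL keep their original revocation date.
        Date revocationDate = lastUpdate;
        if (currentCRL != null) {
            java.security.cert.X509CRLEntry previous = currentCRL.getRevokedCertificate(serial);
            if (previous != null && previous.getRevocationDate() != null) {
                revocationDate = previous.getRevocationDate();
            }
        }
        crlBuilder.addCRLEntry(serial, revocationDate, revokeEntry.getValue().value());
    }
    X509CRL crl;
    try {
        // Add extensions
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerKey.getPublic()));
        BigInteger nextCRLNumber = getNextCRLNumber(currentCRL);
        crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(nextCRLNumber));
        // Sign and create CRL object
        ContentSigner crlSigner = new JcaContentSignerBuilder(signatureAlgorithm.algorithm()).build(issuerKey.getPrivate());
        crl = new JcaX509CRLConverter().getCRL(crlBuilder.build(crlSigner));
    } catch (GeneralSecurityException | OperatorCreationException e) {
        throw new CertProviderException(e);
    }
    // Log message fixed: this method generates a CRL, not a CRT.
    LOG.info("CRL generation ''{0}'' done", issuerDN);
    return crl;
}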
use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project photon-model by vmware.
the class CertificateUtil method getServerExtensions.
/**
 * Builds the extension set for a TLS server (end-entity) certificate issued under {@code issuerCertificate}.
 * <p>
 * keyUsage and extendedKeyUsage are marked critical, so a relying party that does not understand them must
 * reject the certificate; the authorityKeyIdentifier is non-critical, as RFC 5280 requires. The AKI is built from
 * the issuer certificate rather than from its bare public key — NOTE(review): the certificate-based BouncyCastle
 * constructor is believed to also embed the issuer name and serial, which pins chain building to that exact
 * issuer certificate; confirm this is intended if the issuer is ever re-issued under the same key.
 *
 * @param issuerCertificate the CA certificate that will sign the server certificate
 * @return keyUsage, extendedKeyUsage(serverAuth) and authorityKeyIdentifier holders, in that order
 * @throws CertificateEncodingException if the issuer certificate cannot be encoded
 * @throws NoSuchAlgorithmException if the digest used for the key identifier is unavailable
 * @throws IOException if an extension value cannot be encoded
 */
private static List<ExtensionHolder> getServerExtensions(X509Certificate issuerCertificate) throws CertificateEncodingException, NoSuchAlgorithmException, IOException {
    // SSO forces us to allow data encipherment
    int usageBits = KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment;
    ExtensionHolder keyUsageHolder = new ExtensionHolder(Extension.keyUsage, true, new KeyUsage(usageBits));
    ExtensionHolder serverAuthHolder = new ExtensionHolder(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
    // Wrap the AKI in an Extension first so the holder receives the parsed (decoded) value, as the builder expects.
    DEROctetString akiValue = new DEROctetString(new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(issuerCertificate));
    Extension akiExtension = new Extension(Extension.authorityKeyIdentifier, false, akiValue);
    ExtensionHolder akiHolder = new ExtensionHolder(akiExtension.getExtnId(), akiExtension.isCritical(), akiExtension.getParsedValue());
    List<ExtensionHolder> result = new ArrayList<>(3);
    result.add(keyUsageHolder);
    result.add(serverAuthHolder);
    result.add(akiHolder);
    return result;
}
use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testAddEntryToBigCRL.
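/**
 * Appends entries to a CRL that already holds 10 000 revocations — large enough that the outer SEQUENCE needs an
 * extra length byte — and checks that the streamed rewrite contains exactly the original serials plus the added
 * ones.
 * <p>
 * Fix: the output stream is now closed via try-with-resources; previously a failing {@code write()} left the
 * file handle open.
 */
@Test
public void testAddEntryToBigCRL() throws Exception {
    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
    AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
    crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
    /* With a CRL number of 127, incrementing it should cause the number of bytes in the length
     * portion of the TLV to increase by one.*/
    crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    BigInteger serial = new BigInteger("741696FE9E30AD27", 16);
    Set<BigInteger> expected = new HashSet<>();
    for (int i = 0; i < 10000; i++) {
        serial = serial.add(BigInteger.TEN);
        crlBuilder.addCRLEntry(serial, new Date(), CRLReason.privilegeWithdrawn);
        expected.add(serial);
    }
    X509CRLHolder holder = crlBuilder.build(signer);
    File crlToChange = writeCRL(holder);
    File outfile = new File(folder.getRoot(), "new.crl");
    // The stream writer is RSA-only, hence the casts.
    X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
    // Add enough items to cause the number of length bytes to change
    Set<BigInteger> newSerials = new HashSet<>(Arrays.asList(new BigInteger("2358215310"), new BigInteger("7231352433"), new BigInteger("8233181205"), new BigInteger("1455615868"), new BigInteger("4323487764"), new BigInteger("6673256679")));
    for (BigInteger i : newSerials) {
        stream.add(i, new Date(), CRLReason.privilegeWithdrawn);
        expected.add(i);
    }
    stream.preScan(crlToChange).lock();
    // try-with-resources guarantees the handle is released even if write() throws.
    try (OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile))) {
        stream.write(o);
    }
    X509CRL changedCrl = readCRL();
    Set<BigInteger> discoveredSerials = new HashSet<>();
    for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
        discoveredSerials.add(entry.getSerialNumber());
    }
    assertEquals(expected, discoveredSerials);
}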
use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testAddEntryToEmptyCRL.
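/**
 * Streams six new entries into a CRL that has none, then verifies the rewritten CRL: thisUpdate moved forward,
 * the thisUpdate-to-nextUpdate distance is preserved, the issuer and the authorityKeyIdentifier encoding are
 * unchanged, the cRLNumber went up by exactly one, and the revoked set is exactly the added serials.
 * <p>
 * Fixes: the output stream is closed via try-with-resources so a failing {@code write()} no longer leaks the
 * handle, and the update-delta assertion passes its arguments in JUnit's (expected, actual) order so a failure
 * message reads correctly.
 */
@Test
public void testAddEntryToEmptyCRL() throws Exception {
    // Both timestamps derive from one instant so the original delta is exactly two hours.
    long now = System.currentTimeMillis();
    Date oneHourAgo = new Date(now - 60L * 60L * 1000L);
    Date oneHourHence = new Date(now + 60L * 60L * 1000L);
    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, oneHourAgo);
    AuthorityKeyIdentifier identifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
    crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, identifier);
    /* With a CRL number of 127, incrementing it should cause the number of bytes in the length
     * portion of the TLV to increase by one.*/
    crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    crlBuilder.setNextUpdate(oneHourHence);
    X509CRLHolder holder = crlBuilder.build(signer);
    File crlToChange = writeCRL(holder);
    File outfile = new File(folder.getRoot(), "new.crl");
    // The stream writer is RSA-only, hence the casts.
    X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange, (RSAPrivateKey) keyPair.getPrivate(), (RSAPublicKey) keyPair.getPublic());
    // Add enough items to cause the number of length bytes to change
    Set<BigInteger> newSerials = new HashSet<>(Arrays.asList(new BigInteger("2358215310"), new BigInteger("7231352433"), new BigInteger("8233181205"), new BigInteger("1455615868"), new BigInteger("4323487764"), new BigInteger("6673256679")));
    for (BigInteger i : newSerials) {
        stream.add(i, new Date(), CRLReason.privilegeWithdrawn);
    }
    stream.preScan(crlToChange).lock();
    // try-with-resources guarantees the handle is released even if write() throws.
    try (OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile))) {
        stream.write(o);
    }
    X509CRL changedCrl = readCRL();
    Set<BigInteger> discoveredSerials = new HashSet<>();
    for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
        discoveredSerials.add(entry.getSerialNumber());
    }
    X509CRL originalCrl = new JcaX509CRLConverter().setProvider(BC_PROVIDER).getCRL(holder);
    // Validity window: nextUpdate must survive the rewrite and keep its distance from thisUpdate.
    assertNotNull(changedCrl.getNextUpdate());
    long changedCrlUpdateDelta = changedCrl.getNextUpdate().getTime() - changedCrl.getThisUpdate().getTime();
    assertEquals(oneHourHence.getTime() - oneHourAgo.getTime(), changedCrlUpdateDelta);
    assertThat(changedCrl.getThisUpdate(), OrderingComparison.greaterThan(originalCrl.getThisUpdate()));
    assertEquals(newSerials, discoveredSerials);
    assertEquals(originalCrl.getIssuerX500Principal(), changedCrl.getIssuerX500Principal());
    // cRLNumber: getExtensionValue() returns the DER OCTET STRING wrapper, which itself holds the DER INTEGER.
    ASN1ObjectIdentifier crlNumberOID = Extension.cRLNumber;
    byte[] oldCrlNumberBytes = originalCrl.getExtensionValue(crlNumberOID.getId());
    byte[] newCrlNumberBytes = changedCrl.getExtensionValue(crlNumberOID.getId());
    DEROctetString oldOctet = (DEROctetString) DERTaggedObject.fromByteArray(oldCrlNumberBytes);
    DEROctetString newOctet = (DEROctetString) DERTaggedObject.fromByteArray(newCrlNumberBytes);
    ASN1Integer oldNumber = (ASN1Integer) DERTaggedObject.fromByteArray(oldOctet.getOctets());
    ASN1Integer newNumber = (ASN1Integer) DERTaggedObject.fromByteArray(newOctet.getOctets());
    assertEquals(oldNumber.getValue().add(BigInteger.ONE), newNumber.getValue());
    // The AKI must be carried over byte-for-byte so the rewritten CRL still chains to the same issuer key.
    ASN1ObjectIdentifier authorityKeyOID = Extension.authorityKeyIdentifier;
    byte[] oldAuthorityKeyId = originalCrl.getExtensionValue(authorityKeyOID.getId());
    byte[] newAuthorityKeyId = changedCrl.getExtensionValue(authorityKeyOID.getId());
    assertArrayEquals(oldAuthorityKeyId, newAuthorityKeyId);
}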
use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project candlepin by candlepin.
the class X509CRLStreamWriterTest method createCRLBuilder.
/**
 * Creates a CRL builder fixture: issued by {@code issuer} as of now, with a non-critical authorityKeyIdentifier
 * for the test key pair, cRLNumber 127, and a single revoked entry for serial 100 with reason unspecified.
 *
 * @return the populated (unsigned) builder
 * @throws Exception if the key identifier cannot be derived or an extension cannot be added
 */
private X509v2CRLBuilder createCRLBuilder() throws Exception {
    Date thisUpdate = new Date();
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, thisUpdate);
    JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
    builder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(keyPair.getPublic()));
    /* With a CRL number of 127, incrementing it should cause the number of bytes in the length
     * portion of the TLV to increase by one.*/
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.valueOf(127L)));
    builder.addCRLEntry(BigInteger.valueOf(100L), new Date(), CRLReason.unspecified);
    return builder;
}