Search in sources :

Example 1 with JcaX509v2CRLBuilder

use of org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder in project certmgr by hdecarne.

the class X509CRLHelper method generateCRL.

/**
 * Generate a CRL object.
 *
 * @param currentCRL The current CRL object in case of an update (may be {@code null}).
 * @param lastUpdate The last update timestamp to set.
 * @param nextUpdate The next update timestamp to set (may be {@code null}).
 * @param revokeEntries The revoked entries.
 * @param issuerDN The CRL issuer's DN.
 * @param issuerKey The CRL issuer's key pair.
 * @param signatureAlgorithm The signature algorithm to use for signing.
 * @return The generated CRL object.
 * @throws IOException if an error occurs during generation.
 */
public static X509CRL generateCRL(@Nullable X509CRL currentCRL, Date lastUpdate, @Nullable Date nextUpdate, Map<BigInteger, ReasonFlag> revokeEntries, X500Principal issuerDN, KeyPair issuerKey, SignatureAlgorithm signatureAlgorithm) throws IOException {
    LOG.info("CRL generation ''{0}'' started...", issuerDN);
    // Initialize CRL builder
    JcaX509v2CRLBuilder crlBuilder = new JcaX509v2CRLBuilder(issuerDN, lastUpdate);
    if (nextUpdate != null) {
        crlBuilder.setNextUpdate(nextUpdate);
    }
    for (Map.Entry<BigInteger, ReasonFlag> revokeEntry : revokeEntries.entrySet()) {
        crlBuilder.addCRLEntry(revokeEntry.getKey(), lastUpdate, revokeEntry.getValue().value());
    }
    X509CRL crl;
    try {
        // Add extensions
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerKey.getPublic()));
        BigInteger nextCRLNumber = getNextCRLNumber(currentCRL);
        crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(nextCRLNumber));
        // Sign and create CRL object
        ContentSigner crlSigner = new JcaContentSignerBuilder(signatureAlgorithm.algorithm()).build(issuerKey.getPrivate());
        crl = new JcaX509CRLConverter().getCRL(crlBuilder.build(crlSigner));
    } catch (GeneralSecurityException | OperatorCreationException e) {
        throw new CertProviderException(e);
    }
    LOG.info("CRT generation ''{0}'' done", issuerDN);
    return crl;
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) X509CRL(java.security.cert.X509CRL) CRLNumber(org.bouncycastle.asn1.x509.CRLNumber) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) GeneralSecurityException(java.security.GeneralSecurityException) ContentSigner(org.bouncycastle.operator.ContentSigner) JcaX509v2CRLBuilder(org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder) CertProviderException(de.carne.certmgr.certs.CertProviderException) JcaX509CRLConverter(org.bouncycastle.cert.jcajce.JcaX509CRLConverter) BigInteger(java.math.BigInteger) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) Map(java.util.Map)

Aggregations

CertProviderException (de.carne.certmgr.certs.CertProviderException)1 BigInteger (java.math.BigInteger)1 GeneralSecurityException (java.security.GeneralSecurityException)1 X509CRL (java.security.cert.X509CRL)1 Map (java.util.Map)1 CRLNumber (org.bouncycastle.asn1.x509.CRLNumber)1 JcaX509CRLConverter (org.bouncycastle.cert.jcajce.JcaX509CRLConverter)1 JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)1 JcaX509v2CRLBuilder (org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder)1 ContentSigner (org.bouncycastle.operator.ContentSigner)1 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)1 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)1