
Example 1 with CrlStreamParser

use of org.xipki.security.asn1.CrlStreamParser in project xipki by xipki.

the class CrlStreamParserTest method parseCrlWithNoCrlNumber.

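@Test
public void parseCrlWithNoCrlNumber() throws Exception {
    // A CRL that carries no CRLNumber extension: the parser must report the absent number
    // as null instead of failing, while version, signature and the revoked entries stay readable.
    Certificate issuerSigner = getIssuerSigner();
    CrlStreamParser parser = getParser("no-crlnumber.crl");

    Assert.assertEquals("version", 1, parser.getVersion());
    Assert.assertNull("CRL number", parser.getCrlNumber());
    Assert.assertTrue("signature", parser.verifySignature(issuerSigner.getSubjectPublicKeyInfo()));

    // RevokedCertsIterator is AutoCloseable, so it is consumed inside try-with-resources.
    int revoked = 0;
    try (RevokedCertsIterator it = parser.revokedCertificates()) {
        for (; it.hasNext(); revoked++) {
            it.next();
        }
    }
    Assert.assertEquals("#revokedCertificates", 2, revoked);
}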

Example 2 with CrlStreamParser

use of org.xipki.security.asn1.CrlStreamParser in project xipki by xipki.

the class CrlStreamParserTest method parseCrl_revoked.

@Test
public void parseCrl_revoked() throws Exception {
    // Regular CRL with CRLNumber 1 and two revoked entries; the signature must verify
    // against the issuer's public key.
    Certificate issuerSigner = getIssuerSigner();
    CrlStreamParser parser = getParser("revoked-certs.crl");

    Assert.assertEquals("version", 1, parser.getVersion());
    Assert.assertEquals("CRL number", BigInteger.ONE, parser.getCrlNumber());
    Assert.assertTrue("signature", parser.verifySignature(issuerSigner.getSubjectPublicKeyInfo()));

    // RevokedCertsIterator is AutoCloseable, so it is consumed inside try-with-resources.
    int revoked = 0;
    try (RevokedCertsIterator it = parser.revokedCertificates()) {
        for (; it.hasNext(); revoked++) {
            it.next();
        }
    }
    Assert.assertEquals("#revokedCertificates", 2, revoked);
}

Example 3 with CrlStreamParser

use of org.xipki.security.asn1.CrlStreamParser in project xipki by xipki.

the class CrlStreamParserTest method parseCrlWithNoExtension.

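@Test
public void parseCrlWithNoExtension() throws Exception {
    // A CRL without any extensions: no CRLNumber is present, so getCrlNumber() must be null;
    // the signature and the two revoked entries must still be parsed.
    Certificate issuerSigner = getIssuerSigner();
    CrlStreamParser parser = getParser("no-extensions.crl");

    Assert.assertEquals("version", 1, parser.getVersion());
    Assert.assertNull("CRL number", parser.getCrlNumber());
    Assert.assertTrue("signature", parser.verifySignature(issuerSigner.getSubjectPublicKeyInfo()));

    // RevokedCertsIterator is AutoCloseable, so it is consumed inside try-with-resources.
    int revoked = 0;
    try (RevokedCertsIterator it = parser.revokedCertificates()) {
        for (; it.hasNext(); revoked++) {
            it.next();
        }
    }
    Assert.assertEquals("#revokedCertificates", 2, revoked);
}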

Example 4 with CrlStreamParser

use of org.xipki.security.asn1.CrlStreamParser in project xipki by xipki.

the class CrlStreamParserTest method parseCrlWithInvalidityDate.

@Test
public void parseCrlWithInvalidityDate() throws Exception {
    // CRL whose single entry carries an InvalidityDate entry extension; the entry must be
    // iterated without error and the CRL-level fields read as usual.
    Certificate issuerSigner = getIssuerSigner();
    CrlStreamParser parser = getParser("invaliditydate.crl");

    Assert.assertEquals("version", 1, parser.getVersion());
    Assert.assertEquals("CRL number", BigInteger.ONE, parser.getCrlNumber());
    Assert.assertTrue("signature", parser.verifySignature(issuerSigner.getSubjectPublicKeyInfo()));

    // RevokedCertsIterator is AutoCloseable, so it is consumed inside try-with-resources.
    int revoked = 0;
    try (RevokedCertsIterator it = parser.revokedCertificates()) {
        for (; it.hasNext(); revoked++) {
            it.next();
        }
    }
    Assert.assertEquals("#revokedCertificates", 1, revoked);
}

Example 5 with CrlStreamParser

use of org.xipki.security.asn1.CrlStreamParser in project xipki by xipki.

the class ImportCrl method importCrl.

// method importCrlToOcspDb
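/**
 * Imports the CRL described by {@code crlDirInfo} into the OCSP database.
 *
 * <p>The CRL directory is expected to contain {@code ca.crt} (the CA certificate), the CRL
 * file referenced by {@code crlDirInfo.crlFile} and, when the CRL is not issued by the CA
 * itself, {@code issuer.crt}. Outcome markers are written to the {@code .generated}
 * sub-directory: the UPDATEME file is renamed to {@code UPDATEME.SUCC} or {@code UPDATEME.FAIL},
 * and a downloaded CRL is moved to {@code ca.crl} together with a {@code ca.crl.info} summary.
 *
 * <p>Nothing is written to the database before the CRL has passed, in this order: the
 * validity-window check, the signer-certificate lookup, the presence of a CRL number, the
 * CRL-number ordering against the previously imported CRL, the delta/base relationship and
 * finally the signature verification. Every failed check logs an error and returns. Errors
 * thrown by the import itself are caught and logged here rather than propagated.
 *
 * @param conn       open database connection; committed after each import step
 * @param crlDirInfo description of the CRL directory to import
 */
private void importCrl(Connection conn, CrlDirInfo crlDirInfo) {
    File crlDir = crlDirInfo.crlDir;
    File generatedDir = new File(crlDir, ".generated");
    // mkdirs() also returns false when the directory already exists, so its result is not
    // checked; if it really could not be created, the file operations below fail and are logged.
    generatedDir.mkdirs();
    // Clear the outcome markers of the previous run (UPDATEME.SUCC / UPDATEME.FAIL)
    IoUtil.deleteFile(new File(generatedDir, "UPDATEME.SUCC"));
    IoUtil.deleteFile(new File(generatedDir, "UPDATEME.FAIL"));
    // After a full-CRL import, entries not touched since this instant are purged.
    long startTimeSec = System.currentTimeMillis() / 1000;
    int id = crlDirInfo.crlId;
    String crlName = crlDirInfo.crlName;
    boolean updateSucc = false;
    CertWrapper caCert = null;
    try {
        LOG.info("Importing CRL (id={}, name={}) in the folder {}", id, crlName, crlDir.getPath());
        File caCertFile = new File(crlDir, "ca.crt");
        try {
            X509Cert cert = X509Util.parseCert(caCertFile);
            caCert = new CertWrapper(cert);
        } catch (CertificateException ex) {
            LOG.error("could not parse CA certificate " + caCertFile.getPath(), ex);
            return;
        }
        CrlStreamParser crl = null;
        CrlInfo crlInfo = null;
        // The CRL itself is only parsed when the CA is neither scheduled for deletion nor revoked;
        // otherwise crl stays null and only the CA record is updated below.
        if (!crlDirInfo.deleteMe && crlDirInfo.revocationinfo == null) {
            crl = new CrlStreamParser(crlDirInfo.crlFile);
            Date now = new Date();
            // An expired CRL is skipped only when ignoreExpiredCrls is set; otherwise it is imported
            // as is. The not-yet-valid check is reached only when nextUpdate is absent or still ahead.
            if (crl.getNextUpdate() != null && crl.getNextUpdate().before(now)) {
                if (ignoreExpiredCrls) {
                    LOG.error("CRL is expired, ignore it");
                    return;
                }
            } else if (crl.getThisUpdate().after(now)) {
                LOG.error("CRL is not valid yet, ignore it");
                return;
            }
            X500Name issuer = crl.getIssuer();
            X509Cert crlSignerCert;
            if (caCert.subject.equals(issuer)) {
                // CRL issued by the CA itself: verify against ca.crt
                crlSignerCert = caCert.cert;
            } else {
                // Indirect CRL: the signer certificate is taken from issuer.crt in the same folder.
                // NOTE(review): issuer.crt is accepted on a subject-name match alone; nothing here
                // checks that it chains to ca.crt, so the CRL is trusted exactly as far as the
                // contents of the CRL directory are. Confirm this matches the deployment model.
                X509Cert crlIssuerCert = null;
                File issuerCertFile = new File(crlDir, "issuer.crt");
                if (issuerCertFile.exists()) {
                    crlIssuerCert = parseCert(issuerCertFile);
                }
                if (crlIssuerCert == null) {
                    LOG.error("issuerCert may not be null");
                    return;
                }
                if (!crlIssuerCert.getSubject().equals(issuer)) {
                    LOG.error("issuerCert and CRL do not match");
                    return;
                }
                crlSignerCert = crlIssuerCert;
            }
            // The CRL number is mandatory here: it keys the ordering check against the database.
            if (crl.getCrlNumber() == null) {
                LOG.error("crlNumber is not specified, ignore the CRL");
                return;
            }
            LOG.info("The CRL is a {}", crl.isDeltaCrl() ? "DeltaCRL" : "FullCRL");
            File urlFile = new File(basedir, "crl.url");
            // Build the OCSP CrlID: [0] distribution point URL (optional), [1] CRL number, [2] thisUpdate.
            // For a downloaded CRL the URL comes from crl.download; otherwise from crl.url if present.
            ASN1EncodableVector vec = new ASN1EncodableVector();
            if (crlDirInfo.crlDownloded) {
                File crlDownloadFile = new File(basedir, "crl.download");
                Properties props = CrlDbCertStatusStore.loadProperties(crlDownloadFile);
                String crldp = props.getProperty("crldp");
                if (StringUtil.isNotBlank(crldp)) {
                    vec.add(new DERTaggedObject(true, 0, new DERIA5String(crldp, true)));
                }
                if (urlFile.exists()) {
                    LOG.warn("use {} only, ignore {}", crlDownloadFile.getPath(), urlFile.getPath());
                }
            } else {
                if (urlFile.exists()) {
                    String crlUrl = StringUtil.toUtf8String(IoUtil.read(urlFile)).trim();
                    if (StringUtil.isNotBlank(crlUrl)) {
                        vec.add(new DERTaggedObject(true, 0, new DERIA5String(crlUrl, true)));
                    }
                }
            }
            vec.add(new DERTaggedObject(true, 1, new ASN1Integer(crl.getCrlNumber())));
            vec.add(new DERTaggedObject(true, 2, new ASN1GeneralizedTime(crl.getThisUpdate())));
            CrlID crlId = CrlID.getInstance(new DERSequence(vec));
            BigInteger crlNumber = crl.getCrlNumber();
            BigInteger baseCrlNumber = crl.getBaseCrlNumber();
            // id is an int, so inlining it into the WHERE clause cannot carry injected SQL;
            // keep that invariant if the column type ever changes.
            String str = datasource.getFirstStringValue(conn, "CRL_INFO", "INFO", "ID='" + id + "'");
            boolean addNew = str == null;
            if (addNew) {
                // A delta CRL cannot be the first CRL imported for this id.
                if (crl.isDeltaCrl()) {
                    LOG.error("Given CRL is a DeltaCRL for the full CRL with number {}, " + "please import this full CRL first.", baseCrlNumber);
                    return;
                }
            } else {
                CrlInfo oldCrlInfo = new CrlInfo(str);
                if (crlNumber.compareTo(oldCrlInfo.getCrlNumber()) < 0) {
                    // It is permitted if the CRL number equals to the one in Database.
                    // This enables the resume of importing process if error occurred.
                    LOG.error("Given CRL is older than existing CRL, ignore it");
                    return;
                }
                if (crl.isDeltaCrl()) {
                    // A delta CRL must refer to the full CRL currently in the database.
                    BigInteger lastFullCrlNumber = oldCrlInfo.getBaseCrlNumber();
                    if (lastFullCrlNumber == null) {
                        lastFullCrlNumber = oldCrlInfo.getCrlNumber();
                    }
                    if (!baseCrlNumber.equals(lastFullCrlNumber)) {
                        LOG.error("Given CRL is a deltaCRL for the full CRL with number {}, " + "please import this full CRL first.", crlNumber);
                        return;
                    }
                }
            }
            // Verify the signature last, after the cheap consistency checks; no database write
            // has happened up to this point, so a forged or corrupted CRL leaves no trace.
            if (!crl.verifySignature(crlSignerCert.getSubjectPublicKeyInfo())) {
                LOG.error("signature of CRL is invalid, ignore the CRL");
                return;
            }
            crlInfo = new CrlInfo(crlNumber, baseCrlNumber, crl.getThisUpdate(), crl.getNextUpdate(), crlId);
        }
        if (crlDirInfo.deleteMe) {
            deleteCa(conn, crlDirInfo, caCert);
        } else {
            importCa(conn, crlDirInfo, caCert);
        }
        commit(conn);
        if (crl == null) {
            LOG.info("Ignored CRL (name={}) in the folder {}: CA is revoked", crlName, crlDir.getPath());
        } else {
            importCrlInfo(conn, id, crlName, crlInfo, crlDirInfo.shareCaWithOtherCrl, caCert.base64Sha1Fp);
            commit(conn);
            importCrlRevokedCertificates(conn, id, caCert, crl, crlDir, startTimeSec);
            commit(conn);
            // Only a full CRL is authoritative for the complete set; after it, entries it did
            // not refresh are removed.
            if (!crl.isDeltaCrl()) {
                deleteEntriesNotUpdatedSince(conn, id, startTimeSec);
                commit(conn);
            }
        }
        if (crlDirInfo.crlDownloded) {
            // NOTE(review): if the CA was revoked (crl == null) while crlDownloded is set, crlInfo
            // is still null here and the summary below throws; confirm whether that combination
            // can occur for a downloaded CRL.
            File importedCrlFile = new File(generatedDir, "ca.crl");
            if (!crlDirInfo.crlFile.renameTo(importedCrlFile)) {
                LOG.warn("could not rename {} to {}", crlDirInfo.crlFile.getPath(), importedCrlFile.getPath());
            }
            File newCrlFpFile = new File(generatedDir, "new-ca.crl.fp");
            // Read with an explicit charset: ca.crl.info is written as UTF-8 below.
            String hashInfo = new String(IoUtil.read(newCrlFpFile), StandardCharsets.UTF_8);
            String info = "crlnumber=" + crlInfo.getCrlNumber().toString() + "\nnextupdate=" + DateUtil.toUtcTimeyyyyMMddhhmmss(crlInfo.getNextUpdate()) + "\nhash=" + hashInfo;
            IoUtil.save(new File(generatedDir, "ca.crl.info"), info.getBytes(StandardCharsets.UTF_8));
            if (!newCrlFpFile.delete()) {
                LOG.warn("could not delete {}", newCrlFpFile.getPath());
            }
        }
        updateSucc = true;
        LOG.info("Imported CRL (id={}) in the folder {}", id, crlDir.getPath());
    } catch (Throwable th) {
        // Deliberately broad: one bad CRL directory must not abort the whole import run.
        LOG.error(String.format("Importing CRL (id=%s) in the folder %s FAILED", id, crlDir.getPath()), th);
    } finally {
        try {
            commit(conn);
        } catch (Throwable th) {
            LOG.error(String.format("Importing CRL (id=%s) in the folder %s FAILED (Connect.commit)", id, crlDir.getPath()), th);
        }
        // Record the outcome for the operator by renaming the UPDATEME marker.
        crlDirInfo.updatemeFile.setLastModified(System.currentTimeMillis());
        File markerFile = new File(generatedDir, "UPDATEME." + (updateSucc ? "SUCC" : "FAIL"));
        if (!crlDirInfo.updatemeFile.renameTo(markerFile)) {
            LOG.warn("could not rename {} to {}", crlDirInfo.updatemeFile.getPath(), markerFile.getPath());
        }
        if (!updateSucc && caCert != null) {
            if (!crlDirInfo.shareCaWithOtherCrl && caCert.databaseId != null) {
                // try to delete the issuer if no certificate is associated with it
                try {
                    datasource.deleteFromTableWithException(conn, "ISSUER", "ID", caCert.databaseId);
                } catch (Throwable th) {
                    LOG.warn("error deleting from table ISSUER for ID {}", caCert.databaseId, th);
                }
            }
        }
        // A downloaded CRL that failed import is kept aside for inspection instead of being re-tried.
        if (!updateSucc && crlDirInfo.crlDownloded && crlDirInfo.crlFile.exists()) {
            File invalidCrlFile = new File(generatedDir, "INVALID-new-ca.crl");
            if (!crlDirInfo.crlFile.renameTo(invalidCrlFile)) {
                LOG.warn("could not rename {} to {}", crlDirInfo.crlFile.getPath(), invalidCrlFile.getPath());
            }
        }
    }
}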
