Example usage for java.security.cert X509CRL getEncoded

List of usage examples for java.security.cert X509CRL getEncoded

  1. HOME
  2. Java
  3. java
  4. java.security.cert.*
  5. X509CRL
  6. getEncoded

Introduction

In this page you can find the example usage for java.security.cert X509CRL getEncoded.

Prototype

public abstract byte[] getEncoded() throws CRLException;

Source Link

Document

Returns the ASN.1 DER-encoded form of this CRL.

Usage

From source file:org.signserver.module.pdfsigner.PDFSigner.java

/**
 * Calculates an estimate of the PKCS#7 structure size given the provided  
 * input parameters./*  w  w  w  .j  ava  2  s  .c om*/
 *
 * Questions that we need to answer to construct an formula for calculating 
 * a good enough estimate:
 *
 * 1. What are the parameters influencing the PKCS#7 size?
 *    - static or depending on algorithms: PKCS#7 signature size, 
 *    - Certificates list
 *    - CRL list
 *    - OCSP bytes
 *    - timestamp response
 *
 * 2. How much does the size increase when the size of an certificate increases?
 *    - It appears to be at maximum the same increase in size
 *
 * 3. How much does the size increase for each new certificate, not including the certificate size?
 *    - 0. No increase for each certificate except the actual certificate size
 *
 * 4. How much does the size increase when the size of the timestamp responses increases?
 *    - It appears to be at maximum the same increase in size
 *    - However as the response is sent after the signing and possibly 
 *      from an external server we can not be sure about what size it 
 *      will have. We should use a large enough (but reasonable) value that 
 *      it is not so likely that we will have to do a second try.
 * 
 * 5. How much does the size increase when the size of an CRL increases?
 *    - It appears to be the same increase in size most of the times but in
 *      in one case it got 1 byte larger.
 *    - It turns out that the CRLs are included twice (!)
 *    
 * 6. How much does the size increase for each new CRL, not including the CRL size?
 *    - 0. No increase for each CRL except the actual CRL size
 *
 * 7. What is a typical size of an timestamp response?
 *    - That depends mostly on the included certificate chain
 *
 * 8. What value should we use in the initial estimate for the timestamp?
 *    - Currently 4096 is used but with a chain of 4 "normal" certificates
 *      that is a little bit too little.
 *    - Lets use 7168 and there are room for about 6 "normal" certificates
 * 
 * 
 * See also PDFSignerUnitTest for tests that the answers to the questions 
 * above still holds.
 * @param certChain The signing certificate chain
 * @param tsc Timestamp client, this can be null if no timestamp response is used. The contribution is estimated by using a fixed value
 * @param ocsp The OCSP response, can be null
 * @param crlList The list of CRLs included in the signature, this can be null
 * 
 * @return Returns the estimated signature size in bytes
 */
protected int calculateEstimatedSignatureSize(Certificate[] certChain, TSAClient tsc, byte[] ocsp,
        CRL[] crlList) throws SignServerException {
    int estimatedSize = 0;

    if (LOG.isDebugEnabled()) {
        LOG.debug("Calculating estimated signature size");
    }

    for (Certificate cert : certChain) {
        try {
            int certSize = cert.getEncoded().length;
            estimatedSize += certSize;

            if (LOG.isDebugEnabled()) {
                LOG.debug("Adding " + certSize + " bytes for certificate");
            }

        } catch (CertificateEncodingException e) {
            throw new SignServerException("Error estimating signature size contribution for certificate", e);
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("Total size of certificate chain: " + estimatedSize);
    }

    // add estimate for PKCS#7 structure + hash
    estimatedSize += 2000;

    // add space for OCSP response
    if (ocsp != null) {
        estimatedSize += ocsp.length;

        if (LOG.isDebugEnabled()) {
            LOG.debug("Adding " + ocsp.length + " bytes for OCSP response");
        }
    }

    if (tsc != null) {
        // add guess for timestamp response (which we can't really know)
        // TODO: we might be able to store the size of the last TSA response and re-use next time...
        final int tscSize = 4096;

        estimatedSize += tscSize;

        if (LOG.isDebugEnabled()) {
            LOG.debug("Adding " + tscSize + " bytes for TSA");
        }
    }

    // add estimate for CRL
    if (crlList != null) {
        for (CRL crl : crlList) {
            if (crl instanceof X509CRL) {
                X509CRL x509Crl = (X509CRL) crl;

                try {
                    int crlSize = x509Crl.getEncoded().length;
                    // the CRL is included twice in the signature...
                    estimatedSize += crlSize * 2;

                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Adding " + crlSize * 2 + " bytes for CRL");
                    }

                } catch (CRLException e) {
                    throw new SignServerException("Error estimating signature size contribution for CRL", e);
                }
            }
        }
        estimatedSize += 100;
    }

    return estimatedSize;
}

From source file:org.xdi.oxauth.cert.validation.CRLCertificateVerifier.java

public X509CRL requestCRL(String url)
        throws IOException, MalformedURLException, CertificateException, CRLException {
    HttpURLConnection con = (HttpURLConnection) new URL(url).openConnection();
    try {/*from   www. ja  v a 2 s.  co m*/
        con.setUseCaches(false);

        InputStream in = new BoundedInputStream(con.getInputStream(), maxCrlSize);
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            X509CRL crl = (X509CRL) certificateFactory.generateCRL(in);
            log.debug("CRL size: " + crl.getEncoded().length + " bytes");

            return crl;
        } finally {
            IOUtils.closeQuietly(in);
        }
    } catch (IOException ex) {
        log.error("Failed to download CRL from '" + url + "'", ex);
    } finally {
        if (con != null) {
            con.disconnect();
        }
    }

    return null;
}

From source file:test.integ.be.fedict.performance.CAConfiguration.java

private void generateCrl() throws Exception {

    DateTime now = new DateTime();
    if (this.crlRefresh > 0) {
        crllGenerateNext = now.plusMinutes(this.crlRefresh);
    } else {//from ww w.j  av  a  2s. c  o  m
        crllGenerateNext = now.plusHours(3);
    }
    crlNextUpdate = now.plusDays(7);

    List<BigInteger> revokedSerialNumbers = new LinkedList<BigInteger>();
    for (long i = 0; i < this.crlRecords; i++) {
        revokedSerialNumbers.add(new BigInteger(Long.toString(i)));
    }

    X509CRL crl = TestUtils.generateCrl(crlNumber, this.keyPair.getPrivate(), certificate, now, crlNextUpdate,
            revokedSerialNumbers);

    this.crlFile = File.createTempFile("crl_" + name + "_", ".crl");
    this.crlFile.deleteOnExit();

    FileOutputStream fos = new FileOutputStream(this.crlFile);
    fos.write(crl.getEncoded());
    fos.close();
}

From source file:test.unit.be.fedict.trust.OnlineCrlRepositoryTest.java

@Test
public void testDownloadCrl() throws Exception {
    // setup/*from  w w w.j a  v  a  2s.  c  o m*/
    KeyPair keyPair = TrustTestUtils.generateKeyPair();
    DateTime notBefore = new DateTime();
    DateTime notAfter = notBefore.plusMonths(1);
    X509Certificate certificate = TrustTestUtils.generateSelfSignedCertificate(keyPair, "CN=Test", notBefore,
            notAfter);
    X509CRL crl = TrustTestUtils.generateCrl(keyPair.getPrivate(), certificate, notBefore, notAfter);
    CrlRepositoryTestServlet.setCrlData(crl.getEncoded());

    // operate
    X509CRL result = this.testedInstance.findCrl(this.crlUri, certificate, this.validationDate);

    // verify
    assertNotNull(result);
    assertArrayEquals(crl.getEncoded(), result.getEncoded());
}