List of usage examples for java.security.cert X509CRL getNextUpdate
public abstract Date getNextUpdate();
From source file:MainClass.java
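/**
 * Prints the basic fields of an X.509 CRL read from the file named by the first
 * command-line argument: type, version, issuer, signature algorithm, thisUpdate
 * and nextUpdate.
 *
 * @param args {@code args[0]} is the path of the CRL file to read.
 * @throws Exception if the file cannot be read or does not parse as an X.509 CRL.
 */
public static void main(String[] args) throws Exception {
    if (args.length < 1) {
        System.err.println("usage: MainClass <crl-file>");
        System.exit(1);
    }
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    FileInputStream in = new FileInputStream(args[0]);
    try {
        X509CRL crl = (X509CRL) cf.generateCRL(in);
        System.out.println("type = " + crl.getType());
        System.out.println("version = " + crl.getVersion());
        // getIssuerX500Principal() replaces the deprecated getIssuerDN(); the printed
        // string form may differ slightly from the old Principal#getName() output.
        System.out.println("issuer = " + crl.getIssuerX500Principal().getName());
        System.out.println("signing algorithm = " + crl.getSigAlgName());
        System.out.println("this update = " + crl.getThisUpdate());
        // nextUpdate is optional in RFC 5280; this prints "null" when it is absent.
        System.out.println("next update = " + crl.getNextUpdate());
    } finally {
        // close even when generateCRL() throws; previously the stream leaked on error
        in.close();
    }
}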
From source file:org.jasig.cas.adaptors.x509.util.CertUtils.java
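/**
 * Determines whether the given CRL is expired by comparing the nextUpdate field
 * with a given date.
 * <p>
 * The nextUpdate field is optional in RFC 5280. A CRL without it carries no
 * expiry information, so this method reports it as not expired; callers that
 * need a freshness guarantee must apply their own policy (for example based on
 * thisUpdate). Previously such a CRL caused a {@link NullPointerException}.
 *
 * @param crl CRL to examine.
 * @param reference Reference date for comparison.
 *
 * @return True if reference date is after CRL next update, false otherwise
 *         (including when the CRL has no nextUpdate field).
 */
public static boolean isExpired(final X509CRL crl, final Date reference) {
    final Date nextUpdate = crl.getNextUpdate();
    return nextUpdate != null && reference.after(nextUpdate);
}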
From source file:mitm.common.security.crl.X509CRLInspector.java
/** * Returns true if nextUpdate is before the current date *///from ww w .jav a 2 s .c o m public static boolean isExpired(X509CRL crl) { boolean expired = false; Date now = new Date(); expired = crl.getNextUpdate() != null && now.after(crl.getNextUpdate()); return expired; }
From source file:be.fedict.trust.crl.CrlTrustLinker.java
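/**
 * Checks the integrity of the given X509 CRL.
 * <p>
 * The CRL passes when its issuer name equals the subject of
 * {@code issuerCertificate}, its signature verifies under that certificate's
 * public key, the window {@code thisUpdate .. nextUpdate} contains
 * {@code validationDate}, and the issuer certificate asserts the cRLSign
 * KeyUsage bit. A CRL without a {@code nextUpdate} field is rejected because
 * no validity window can be established for it (previously this case threw a
 * {@link NullPointerException}).
 *
 * @param x509crl
 *            the X509 CRL to verify the integrity.
 * @param issuerCertificate
 *            the assumed issuer of the given X509 CRL.
 * @param validationDate
 *            the validate date.
 * @return <code>true</code> if integrity is OK, <code>false</code>
 *         otherwise.
 */
public static boolean checkCrlIntegrity(X509CRL x509crl, X509Certificate issuerCertificate, Date validationDate) {
    if (!x509crl.getIssuerX500Principal().equals(issuerCertificate.getSubjectX500Principal())) {
        return false;
    }
    try {
        x509crl.verify(issuerCertificate.getPublicKey());
    } catch (Exception e) {
        // a malformed CRL may make a provider throw anything; keep the broad catch
        // but record why verification failed instead of dropping the cause
        LOG.debug("CRL signature verification failed: " + e);
        return false;
    }
    Date thisUpdate = x509crl.getThisUpdate();
    LOG.debug("validation date: " + validationDate);
    LOG.debug("CRL this update: " + thisUpdate);
    if (thisUpdate.after(validationDate)) {
        LOG.warn("CRL too young");
        return false;
    }
    Date nextUpdate = x509crl.getNextUpdate();
    LOG.debug("CRL next update: " + nextUpdate);
    if (nextUpdate == null) {
        // nextUpdate is optional in RFC 5280; fail closed rather than NPE
        LOG.debug("CRL has no nextUpdate field");
        return false;
    }
    if (validationDate.after(nextUpdate)) {
        LOG.debug("CRL too old");
        return false;
    }
    // assert cRLSign KeyUsage bit
    boolean[] keyUsage = issuerCertificate.getKeyUsage();
    if (keyUsage == null) {
        LOG.debug("No KeyUsage extension for CRL issuing certificate");
        return false;
    }
    // index 6 is cRLSign; guard the length in case a provider returns a short array
    if (keyUsage.length <= 6 || !keyUsage[6]) {
        LOG.debug("cRLSign bit not set for CRL issuing certificate");
        return false;
    }
    return true;
}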
From source file:eu.europa.ec.markt.dss.validation.crl.JdbcCacheCRLSource.java
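/**
 * Looks up the CRL for {@code certificate} in the JDBC cache table
 * {@code CACHED_CRL}, falling back to {@code cachedSource} when there is no
 * cache row or the cached CRL's {@code nextUpdate} has passed. CRLs obtained
 * from the backing source are written back to the cache, keyed by the hex
 * SHA-1 digest of the CRL distribution point URL.
 *
 * @param certificate the certificate whose CRL is wanted
 * @param issuerCertificate its issuer, passed through to the backing source
 * @return the CRL, or {@code null} when the certificate has no CRL URL, the
 *         backing source returns none, or a digest/serialization/factory error
 *         occurs (each is logged)
 * @throws IOException propagated from the backing source
 */
@Override
public X509CRL findCrl(X509Certificate certificate, X509Certificate issuerCertificate) throws IOException {
    OnlineCRLSource source = new OnlineCRLSource();
    String crlUrl = source.getCrlUri(certificate);
    if (crlUrl == null) {
        return null;
    }
    try {
        MessageDigest digest = MessageDigest.getInstance(DigestAlgorithm.SHA1.getName());
        // fix the charset: with the platform default the cache key would depend on the JVM locale
        byte[] urlBytes = crlUrl.getBytes(java.nio.charset.Charset.forName("UTF-8"));
        String key = Hex.encodeHexString(digest.digest(urlBytes));
        List<CachedCRL> crls = getJdbcTemplate().query("SELECT * FROM CACHED_CRL WHERE ID = ?", new Object[] { key },
                new RowMapper<CachedCRL>() {
                    @Override
                    public CachedCRL mapRow(ResultSet rs, int rowNum) throws SQLException {
                        CachedCRL cached = new CachedCRL();
                        cached.setKey(rs.getString("ID"));
                        cached.setCrl(rs.getBytes("DATA"));
                        return cached;
                    }
                });
        if (crls.isEmpty()) {
            LOG.info("CRL not in cache");
            X509CRL originalCRL = cachedSource.findCrl(certificate, issuerCertificate);
            if (originalCRL == null) {
                return null;
            }
            getJdbcTemplate().update("INSERT INTO CACHED_CRL (ID, DATA) VALUES (?,?) ", key, originalCRL.getEncoded());
            return originalCRL;
        }
        CachedCRL crl = crls.get(0);
        CertificateFactory factory = CertificateFactory.getInstance("X509");
        X509CRL x509crl = (X509CRL) factory.generateCRL(new ByteArrayInputStream(crl.getCrl()));
        Date nextUpdate = x509crl.getNextUpdate();
        // nextUpdate is optional in RFC 5280; a cached CRL without it cannot be shown fresh, so refetch
        if (nextUpdate != null && nextUpdate.after(new Date())) {
            LOG.fine("CRL in cache");
            return x509crl;
        }
        LOG.info("CRL expired");
        X509CRL originalCRL = cachedSource.findCrl(certificate, issuerCertificate);
        if (originalCRL == null) {
            // previously dereferenced without a check; leave the stale row and report no CRL
            return null;
        }
        getJdbcTemplate().update("UPDATE CACHED_CRL SET DATA = ? WHERE ID = ? ", originalCRL.getEncoded(), key);
        return originalCRL;
    } catch (NoSuchAlgorithmException e) {
        LOG.info("Cannot instantiate digest for algorithm SHA1 !? " + e);
    } catch (CRLException e) {
        LOG.info("Cannot serialize CRL: " + e);
    } catch (CertificateException e) {
        LOG.info("Cannot instanciate X509 Factory: " + e);
    }
    return null;
}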
From source file:be.fedict.trust.crl.CachedCrlRepository.java
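/**
 * Returns the CRL for {@code crlUri}, served from the in-memory cache when the
 * cached copy is still usable and refreshed via {@code refreshCrl} otherwise.
 * <p>
 * The cached copy is refreshed when the entry is missing or has been garbage
 * collected, when {@code validationDate} lies after its {@code nextUpdate}, or
 * when it is older than {@code cacheAgingHours} counted from {@code thisUpdate}.
 * A CRL without a {@code nextUpdate} field (optional in RFC 5280) skips the
 * nextUpdate test and is bounded by the age check alone; previously it caused a
 * {@link NullPointerException}.
 *
 * @param crlUri the CRL distribution point the CRL is fetched from
 * @param issuerCertificate the expected issuer, passed to {@code refreshCrl}
 * @param validationDate the instant the CRL has to be valid at
 * @return the cached or freshly fetched CRL
 */
public X509CRL findCrl(URI crlUri, X509Certificate issuerCertificate, Date validationDate) {
    SoftReference<X509CRL> crlRef = this.crlCache.get(crlUri);
    if (crlRef == null) {
        LOG.debug("no CRL entry found: " + crlUri);
        return refreshCrl(crlUri, issuerCertificate, validationDate);
    }
    X509CRL crl = crlRef.get();
    if (crl == null) {
        LOG.debug("CRL garbage collected: " + crlUri);
        return refreshCrl(crlUri, issuerCertificate, validationDate);
    }
    Date nextUpdate = crl.getNextUpdate();
    // a null nextUpdate falls through to the cacheAgingHours check below
    if (nextUpdate != null && validationDate.after(nextUpdate)) {
        LOG.debug("CRL no longer valid: " + crlUri);
        LOG.debug("validation date: " + validationDate);
        LOG.debug("CRL next update: " + nextUpdate);
        return refreshCrl(crlUri, issuerCertificate, validationDate);
    }
    /*
     * The Belgian PKI the nextUpdate CRL extension indicates 7 days. The
     * actual CRL refresh rate is every 3 hours. So it's a bit dangerous to
     * only base the CRL cache refresh strategy on the nextUpdate field as
     * indicated by the CRL.
     */
    Date thisUpdate = crl.getThisUpdate();
    DateTime cacheMaturityDateTime = new DateTime(thisUpdate).plusHours(this.cacheAgingHours);
    if (validationDate.after(cacheMaturityDateTime.toDate())) {
        LOG.debug("refreshing the CRL cache: " + crlUri);
        return refreshCrl(crlUri, issuerCertificate, validationDate);
    }
    LOG.debug("using cached CRL: " + crlUri);
    return crl;
}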
From source file:eu.europa.esig.dss.client.crl.JdbcCacheCRLSource.java
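/**
 * Finds the CRL for {@code certificateToken}, preferring the JDBC cache.
 * <p>
 * The cache row is keyed by the SHA-1 digest of the first CRL URL of the
 * certificate. A cached CRL is returned only if its {@code nextUpdate} is still
 * in the future and it validates against the issuer token; otherwise the CRL is
 * fetched from {@code cachedSource} and, when valid, inserted into or updated in
 * the cache. A cached CRL without a {@code nextUpdate} field (optional in
 * RFC 5280) is treated as stale; previously it caused a
 * {@link NullPointerException}.
 *
 * @param certificateToken the certificate to look up a CRL for; may be null
 * @return the CRL token from the cache or the backing source, or {@code null}
 *         when the token, its issuer or its CRL URL is missing, or the cache
 *         data store fails (logged)
 * @throws DSSException propagated from the backing source
 */
@Override
public CRLToken findCrl(final CertificateToken certificateToken) throws DSSException {
    if (certificateToken == null) {
        return null;
    }
    final CertificateToken issuerToken = certificateToken.getIssuerToken();
    if (issuerToken == null) {
        return null;
    }
    final List<String> crlUrls = cachedSource.getCrlUrl(certificateToken);
    if (CollectionUtils.isEmpty(crlUrls)) {
        return null;
    }
    final String crlUrl = crlUrls.get(0);
    LOG.info("CRL's URL for " + certificateToken.getAbbreviation() + " : " + crlUrl);
    try {
        final String key = DSSUtils.getSHA1Digest(crlUrl);
        final CachedCRL dbCrl = findCrlInDB(key);
        if (dbCrl != null) {
            final X509CRL x509Crl = DSSUtils.loadCRL(dbCrl.getCrl());
            final Date nextUpdate = x509Crl.getNextUpdate();
            // a missing nextUpdate cannot prove freshness, so fall through to a refetch
            if (nextUpdate != null && nextUpdate.after(new Date())) {
                LOG.debug("CRL in cache");
                final CRLValidity crlValidity = CRLUtils.isValidCRL(x509Crl, issuerToken);
                final CRLToken crlToken = new CRLToken(certificateToken, crlValidity);
                if (crlToken.isValid()) {
                    return crlToken;
                }
            }
        }
        final CRLToken crlToken = cachedSource.findCrl(certificateToken);
        if ((crlToken != null) && crlToken.isValid()) {
            if (dbCrl == null) {
                LOG.info("CRL not in cache");
                insertCrlInDb(key, crlToken.getEncoded());
            } else {
                // also reached when the cached CRL was fresh but did not validate
                LOG.debug("CRL expired");
                updateCrlInDb(key, crlToken.getEncoded());
            }
        }
        return crlToken;
    } catch (SQLException e) {
        // keep the cause; the bare message made cache failures undiagnosable
        LOG.info("Error with the cache data store: " + e);
    }
    return null;
}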
From source file:mitm.common.security.crl.GenerateTestCRLs.java
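/**
 * Generates a CA CRL with no nextUpdate set on the builder and checks that the
 * resulting CRL reports {@code null} for nextUpdate while issuer, thisUpdate and
 * the single revoked entry come out as configured. The encoded CRL is written
 * to {@code test/tmp/test-generate-ca-no-next-update.crl}.
 *
 * @throws Exception on assertion failure, CRL generation failure or I/O error
 */
@Test
public void testGenerateCACRLNoNextUpdate() throws Exception {
    X509CRLBuilder crlGenerator = createX509CRLBuilder();
    Date thisDate = TestUtils.parseDate("30-Nov-2007 11:38:35 GMT");
    crlGenerator.setThisUpdate(thisDate);
    crlGenerator.setSignatureAlgorithm("SHA256WithRSAEncryption");
    X509Certificate certificate = TestUtils
            .loadCertificate("test/resources/testdata/certificates/" + "valid_certificate_mitm_test_ca.cer");
    assertNotNull(certificate);
    crlGenerator.addCRLEntry(certificate.getSerialNumber(), thisDate, CRLReason.privilegeWithdrawn);
    X509CRL crl = crlGenerator.generateCRL(new KeyAndCertificateImpl(caPrivateKey, caCertificate));
    assertEquals("EMAILADDRESS=ca@example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL",
            crl.getIssuerX500Principal().toString());
    assertEquals(thisDate, crl.getThisUpdate());
    // nextUpdate is optional in RFC 5280; the builder must not invent one
    assertEquals(null, crl.getNextUpdate());
    assertEquals(1, crl.getRevokedCertificates().size());
    assertTrue(crl.isRevoked(certificate));
    File crlFile = new File("test/tmp/test-generate-ca-no-next-update.crl");
    FileOutputStream fos = new FileOutputStream(crlFile);
    try {
        IOUtils.write(crl.getEncoded(), fos);
    } finally {
        // close even when write() fails; previously the stream leaked on error
        fos.close();
    }
}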
From source file:mitm.common.security.crl.GenerateTestCRLs.java
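/**
 * Generates a CA CRL with both thisUpdate and nextUpdate set and checks that
 * issuer, both dates and the single revoked entry come out as configured. The
 * encoded CRL is written to {@code test/tmp/test-generate-ca.crl}.
 *
 * @throws Exception on assertion failure, CRL generation failure or I/O error
 */
@Test
public void testGenerateCACRL() throws Exception {
    X509CRLBuilder crlGenerator = createX509CRLBuilder();
    Date thisDate = TestUtils.parseDate("30-Nov-2007 11:38:35 GMT");
    Date nextDate = TestUtils.parseDate("30-Nov-2027 11:38:35 GMT");
    crlGenerator.setThisUpdate(thisDate);
    crlGenerator.setNextUpdate(nextDate);
    crlGenerator.setSignatureAlgorithm("SHA256WithRSAEncryption");
    X509Certificate certificate = TestUtils
            .loadCertificate("test/resources/testdata/certificates/" + "valid_certificate_mitm_test_ca.cer");
    assertNotNull(certificate);
    crlGenerator.addCRLEntry(certificate.getSerialNumber(), thisDate, CRLReason.privilegeWithdrawn);
    X509CRL crl = crlGenerator.generateCRL(new KeyAndCertificateImpl(caPrivateKey, caCertificate));
    assertEquals("EMAILADDRESS=ca@example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL",
            crl.getIssuerX500Principal().toString());
    assertEquals(thisDate, crl.getThisUpdate());
    assertEquals(nextDate, crl.getNextUpdate());
    assertEquals(1, crl.getRevokedCertificates().size());
    assertTrue(crl.isRevoked(certificate));
    File crlFile = new File("test/tmp/test-generate-ca.crl");
    FileOutputStream fos = new FileOutputStream(crlFile);
    try {
        IOUtils.write(crl.getEncoded(), fos);
    } finally {
        // close even when write() fails; previously the stream leaked on error
        fos.close();
    }
}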
From source file:mitm.common.security.crl.GenerateTestCRLs.java
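/**
 * Generates a CA CRL whose thisUpdate/nextUpdate lie far in the future and
 * whose single entry carries a revocation date earlier than thisUpdate, and
 * checks that the builder preserves all of these values as given. The encoded
 * CRL is written to {@code test/tmp/testgeneratecacrlthisupdateinfarfuture.crl}.
 *
 * @throws Exception on assertion failure, CRL generation failure or I/O error
 */
@Test
public void testGenerateCACRLThisUpdateInFarFuture() throws Exception {
    X509CRLBuilder crlGenerator = createX509CRLBuilder();
    Date thisDate = TestUtils.parseDate("30-Nov-2030 11:38:35 GMT");
    Date nextDate = TestUtils.parseDate("30-Nov-2040 11:38:35 GMT");
    crlGenerator.setThisUpdate(thisDate);
    crlGenerator.setNextUpdate(nextDate);
    crlGenerator.setSignatureAlgorithm("SHA256WithRSAEncryption");
    X509Certificate certificate = TestUtils
            .loadCertificate("test/resources/testdata/certificates/" + "valid_certificate_mitm_test_ca.cer");
    assertNotNull(certificate);
    // revocation date deliberately precedes thisUpdate
    Date revocationDate = TestUtils.parseDate("30-Nov-2006 11:38:35 GMT");
    crlGenerator.addCRLEntry(certificate.getSerialNumber(), revocationDate, CRLReason.keyCompromise);
    X509CRL crl = crlGenerator.generateCRL(new KeyAndCertificateImpl(caPrivateKey, caCertificate));
    assertEquals("EMAILADDRESS=ca@example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL",
            crl.getIssuerX500Principal().toString());
    assertEquals(thisDate, crl.getThisUpdate());
    assertEquals(nextDate, crl.getNextUpdate());
    assertEquals(1, crl.getRevokedCertificates().size());
    assertTrue(crl.isRevoked(certificate));
    File crlFile = new File("test/tmp/testgeneratecacrlthisupdateinfarfuture.crl");
    FileOutputStream fos = new FileOutputStream(crlFile);
    try {
        IOUtils.write(crl.getEncoded(), fos);
    } finally {
        // close even when write() fails; previously the stream leaked on error
        fos.close();
    }
}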