List of usage examples for java.security.cert X509CRLEntry getRevocationDate
public abstract Date getRevocationDate();
From source file:MainClass.java
public static void main(String[] args) throws Exception { CertificateFactory cf = CertificateFactory.getInstance("X.509"); FileInputStream in = new FileInputStream(args[0]); X509CRL crl = (X509CRL) cf.generateCRL(in); Set s = crl.getRevokedCertificates(); if (s != null && s.isEmpty() == false) { Iterator t = s.iterator(); while (t.hasNext()) { X509CRLEntry entry = (X509CRLEntry) t.next(); System.out.println("serial number = " + entry.getSerialNumber().toString(16)); System.out.println("revocation date = " + entry.getRevocationDate()); System.out.println("extensions = " + entry.hasExtensions()); }//from ww w . j a va 2s.co m } in.close(); }
From source file:mitm.common.security.crl.X509CRLEntryInspector.java
/** * Returns a string representation of the crlEntry *//*from w w w .j a v a2 s .c o m*/ public static String toString(X509CRLEntry crlEntry) { Date revocationDate = crlEntry.getRevocationDate(); String reason; try { reason = ObjectUtils.toString(getReason(crlEntry), ""); } catch (IOException e) { reason = ""; } return getSerialNumberHex(crlEntry) + "\t" + (revocationDate != null ? DateFormatUtils.ISO_DATE_FORMAT.format(revocationDate) : "") + "\t" + reason; }
From source file:be.fedict.trust.crl.CrlTrustLinker.java
private TrustLinkerResult processCrl(URI crlUri, X509Certificate childCertificate, X509Certificate certificate, Date validationDate, RevocationData revocationData, BigInteger baseCrlNumber) { LOG.debug("CRL URI: " + crlUri); X509CRL x509crl = this.crlRepository.findCrl(crlUri, certificate, validationDate); if (null == x509crl) { return null; }//from w ww. ja va2 s . co m // check CRL integrity boolean crlIntegrityResult = checkCrlIntegrity(x509crl, certificate, validationDate); if (false == crlIntegrityResult) { return null; } // check CRL signature TrustLinkerResult trustResult = TrustValidator.checkSignatureAlgorithm(x509crl.getSigAlgName()); if (!trustResult.isValid()) { return trustResult; } // we don't support indirect CRLs if (isIndirectCRL(x509crl)) { LOG.debug("indirect CRL detected"); return null; } LOG.debug("CRL number: " + getCrlNumber(x509crl)); // check delta CRL indicator against completeCrlNuber if (null != baseCrlNumber) { BigInteger crlNumber = getDeltaCrlIndicator(x509crl); if (!baseCrlNumber.equals(crlNumber)) { LOG.error("Delta CRL indicator (" + crlNumber + ") not equals base CRL number(" + baseCrlNumber + ")"); return null; } } // fill up revocation data if not null with this valid CRL if (null != revocationData) { try { revocationData.getCrlRevocationData().add(new CRLRevocationData(x509crl.getEncoded())); } catch (CRLException e) { LOG.error("CRLException: " + e.getMessage(), e); throw new RuntimeException("CRLException : " + e.getMessage(), e); } } boolean revoked = true; X509CRLEntry crlEntry = x509crl.getRevokedCertificate(childCertificate.getSerialNumber()); if (null == crlEntry) { LOG.debug("CRL OK for: " + childCertificate.getSubjectX500Principal()); revoked = false; } else if (crlEntry.getRevocationDate().after(validationDate)) { LOG.debug("CRL OK for: " + childCertificate.getSubjectX500Principal() + " at " + validationDate); revoked = false; } if (null != x509crl.getExtensionValue(X509Extensions.DeltaCRLIndicator.getId())) { // Delta CRL if (!revoked) return null; } else { // Base CRL, look for delta's List<URI> deltaCrlUris = getDeltaCrlUris(x509crl); if (null != deltaCrlUris) { for (URI deltaCrlUri : deltaCrlUris) { LOG.debug("delta CRL: " + deltaCrlUri.toString()); TrustLinkerResult result = processCrl(deltaCrlUri, childCertificate, certificate, validationDate, revocationData, getCrlNumber(x509crl)); if (null != result) return result; } } } if (!revoked) return new TrustLinkerResult(true); return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_REVOCATION_STATUS, "certificate revoked by CRL=" + crlEntry.getSerialNumber()); }
From source file:be.fedict.trust.service.dao.bean.CertificateAuthorityDAOBean.java
public void updateRevokedCertificates(Set<X509CRLEntry> revokedCertificates, BigInteger crlNumber, X500Principal crlIssuer, Map<String, RevokedCertificateEntity> revokedCertificatesMap) { LOG.debug("Update " + revokedCertificates.size() + " revoked certificates (crlNumber=" + crlNumber + ")"); for (X509CRLEntry revokedCertificate : revokedCertificates) { X500Principal certificateIssuer = revokedCertificate.getCertificateIssuer(); String issuerName;// ww w. j a v a 2 s . co m if (null == certificateIssuer) { issuerName = crlIssuer.toString(); } else { issuerName = certificateIssuer.toString(); } BigInteger serialNumber = revokedCertificate.getSerialNumber(); Date revocationDate = revokedCertificate.getRevocationDate(); // lookup RevokedCertificateEntity revokedCertificateEntity = revokedCertificatesMap.get(serialNumber.toString()); if (null != revokedCertificateEntity) { // already exists, update revocationDate and crl number revokedCertificateEntity.setRevocationDate(revocationDate); revokedCertificateEntity.setCrlNumber(crlNumber); } else { // don't exist yet, add this.entityManager .persist(new RevokedCertificateEntity(issuerName, serialNumber, revocationDate, crlNumber)); } } }
From source file:be.fedict.trust.service.dao.bean.CertificateAuthorityDAOBean.java
@TransactionAttribute(TransactionAttributeType.REQUIRES_NEW) public void updateRevokedCertificates(Set<X509CRLEntry> revokedCertificates, BigInteger crlNumber, X500Principal crlIssuer) { LOG.debug("Update " + revokedCertificates.size() + " revoked certificates (crlNumber=" + crlNumber + ")"); for (X509CRLEntry revokedCertificate : revokedCertificates) { X500Principal certificateIssuer = revokedCertificate.getCertificateIssuer(); String issuerName;/*from ww w . j a va2 s . co m*/ if (null == certificateIssuer) { issuerName = crlIssuer.toString(); } else { issuerName = certificateIssuer.toString(); } BigInteger serialNumber = revokedCertificate.getSerialNumber(); Date revocationDate = revokedCertificate.getRevocationDate(); // lookup RevokedCertificateEntity revokedCertificateEntity = this.entityManager.find( RevokedCertificateEntity.class, new RevokedCertificatePK(issuerName, serialNumber.toString())); if (null != revokedCertificateEntity) { // already exists, update revocationDate and crl number revokedCertificateEntity.setRevocationDate(revocationDate); revokedCertificateEntity.setCrlNumber(crlNumber); } else { // don't exist yet, add this.entityManager .persist(new RevokedCertificateEntity(issuerName, serialNumber, revocationDate, crlNumber)); } } }
From source file:mitm.common.security.crl.PKIXRevocationChecker.java
private RevocationDetail getRevocationDetail(List<X509CRL> crls, X509Certificate targetCertificate, X509Certificate issuerCertificate, PublicKey issuerPublicKey, Date now) throws NoSuchProviderException { RevocationDetailImpl detail = new RevocationDetailImpl(RevocationStatus.UNKNOWN); boolean validCRLFound = false; int reasonMask = 0; for (X509CRL crl : crls) { BigInteger serialNumber = targetCertificate.getSerialNumber(); X509CRLEntry crlEntry = crl.getRevokedCertificate(serialNumber); Date revocationDate = null; if (crlEntry != null) { revocationDate = crlEntry.getRevocationDate(); if (revocationDate == null || !now.before(revocationDate)) { /*//from ww w . j a v a 2 s .com * X.509 7.3 NOTE 4 When an implementation processing a certificate revocation list does not * recognize a critical extension in the crlEntryExtensions field, it shall assume that, * at a minimum, the identified certificate has been revoked and is no longer valid and * perform additional actions concerning that revoked certificate as dictated by local policy. * * We do not need to check for unsupported critical extension because if we do not support them * we should assume that the certificate is revoked. */ // TODO: add support for onHold/removeFromCRL Integer reasonCode = null; try { reasonCode = X509CRLEntryInspector.getReasonCode(crlEntry); } catch (IOException e) { logger.error("Error retrieving reasonCode.", e); } detail = (reasonCode != null ? new RevocationDetailImpl(RevocationStatus.REVOKED, reasonCode) : new RevocationDetailImpl(RevocationStatus.REVOKED)); /* there is no need to continue because certificate is revoked */ break; } else { if (now.before(revocationDate)) { logger.info("Certificate is revoked in the future."); } } } if (hasUnsupportedCriticalExtensions(crl)) { logger.debug("The CRL has unsupported critical extensions."); detail = new RevocationDetailImpl(RevocationStatus.UNSUPPORTED_CRITICAL_EXTENSION); continue; } /* * check that the start time the CRL is valid is before the time the certificate is * no longer valid. In other words, that the expiration date of the certificate is * later than the date the CRL was issued. It is possible that the certificate was * at some point revoked but the CA removed it because the certificate is no longer * valid */ if (crl.getThisUpdate() != null && targetCertificate.getNotAfter().before(crl.getThisUpdate())) { logger.info("Certificate has expired before the CRL was valid."); continue; } try { if (X509CRLInspector.isDeltaCRL(crl)) { DeltaCRLStatus deltaStatus = getDeltaCRLStatus(targetCertificate, crl, issuerPublicKey, now); if (deltaStatus == DeltaCRLStatus.UNSUPPORTED_CRITICAL_EXTENSION) { detail = new RevocationDetailImpl(RevocationStatus.UNSUPPORTED_CRITICAL_EXTENSION); continue; } else if (deltaStatus == DeltaCRLStatus.UNKNOWN) { continue; } } else { if (!acceptCRL_6_3_3_b(targetCertificate, crl)) { logger.debug("CRL not valid according to acceptCRL_6_3_3_b."); continue; } } } catch (IOException e) { logger.error("Error inspecting CRL.", e); continue; } if (crl.getNextUpdate() != null && now.after(crl.getNextUpdate())) { /* * an CRL cannot really expire but, when we want at least to log that the * nextUpdate is overdue */ logger.debug("The CRL next update is overdue."); /* we need to set the nextUpdate if this is a newer CRL */ if (detail.getStatus() != RevocationStatus.EXPIRED || detail.getNextUpdate() == null) { detail = new RevocationDetailImpl(RevocationStatus.EXPIRED, crl.getNextUpdate()); } else { if (crl.getNextUpdate().after(detail.getNextUpdate())) { /* the nextUpdate of the current CRL is later so it's longer valid */ detail = new RevocationDetailImpl(RevocationStatus.EXPIRED, crl.getNextUpdate()); } } continue; } try { reasonMask = reasonMask | getInterimReasonsMask(targetCertificate, crl); /* a valid crl was found. Continue search. */ validCRLFound = true; } catch (IOException e) { logger.error("Error getting interim mask.", e); } } /* * if one the CRLs was good and the certificate was not revoked we will set the * status to NOT_REVOKED */ if (validCRLFound && detail.getStatus() != RevocationStatus.REVOKED) { /* check if all reasons are covered */ if (reasonMask == allReasons) { detail = new RevocationDetailImpl(RevocationStatus.NOT_REVOKED); } else { logger.debug("Not all reasons were covered."); detail = new RevocationDetailImpl(RevocationStatus.UNKNOWN); } } return detail; }
From source file:org.xdi.oxauth.cert.validation.CRLCertificateVerifier.java
@Override public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {//from w w w . j a v a2s . c o m X509Certificate issuer = issuers.get(0); ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.CRL, CertificateValidity.UNKNOWN); try { Principal subjectX500Principal = certificate.getSubjectX500Principal(); String crlURL = getCrlUri(certificate); if (crlURL == null) { log.error("CRL's URL for '" + subjectX500Principal + "' is empty"); return status; } log.debug("CRL's URL for '" + subjectX500Principal + "' is '" + crlURL + "'"); X509CRL x509crl = getCrl(crlURL); if (!validateCRL(x509crl, certificate, issuer, validationDate)) { log.error("The CRL is not valid!"); status.setValidity(CertificateValidity.INVALID); return status; } X509CRLEntry crlEntry = x509crl.getRevokedCertificate(certificate.getSerialNumber()); if (crlEntry == null) { log.debug("CRL status is valid for '" + subjectX500Principal + "'"); status.setValidity(CertificateValidity.VALID); } else if (crlEntry.getRevocationDate().after(validationDate)) { log.warn("CRL revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate); status.setRevocationObjectIssuingTime(x509crl.getThisUpdate()); status.setValidity(CertificateValidity.VALID); } else { log.info("CRL for certificate '" + subjectX500Principal + "' is revoked since " + crlEntry.getRevocationDate()); status.setRevocationObjectIssuingTime(x509crl.getThisUpdate()); status.setRevocationDate(crlEntry.getRevocationDate()); status.setValidity(CertificateValidity.REVOKED); } } catch (Exception ex) { log.error("CRL exception: ", ex); } return status; }