Example usage for java.security.cert X509CRLSelector X509CRLSelector


public X509CRLSelector() 


Creates an X509CRLSelector with no selection criteria, i.e. one that initially matches every CRL.

Usage

From source file:mitm.common.security.crl.CRLLocator.java

/**
 * Collects, from every configured CRL store, the X.509 CRLs issued by the given certificate.
 *
 * <p>The selector only narrows by issuer name (the subject of {@code issuer}); each candidate is
 * then passed through {@code acceptCRL}, which is where any further filtering is expected to
 * happen (presumably signature/validity checks — confirm in acceptCRL). A store that fails is
 * logged and skipped so that one broken store does not hide the CRLs of the others; non-X.509
 * CRLs are logged and skipped as well.
 *
 * @param issuer the certificate whose subject is used as the CRL issuer to search for
 * @return the accepted CRLs, possibly empty; never {@code null}
 * @throws NoSuchProviderException declared for callers; nothing in this body throws it directly
 */
public List<X509CRL> findCRLs(X509Certificate issuer) throws NoSuchProviderException {
    List<X509CRL> accepted = new LinkedList<X509CRL>();

    X509CRLSelector byIssuer = new X509CRLSelector();
    byIssuer.addIssuer(issuer.getSubjectX500Principal());

    /* every store is consulted; a failing store is skipped, not fatal */
    for (BasicCRLStore store : crlStores) {
        try {
            CloseableIterator<? extends CRL> candidates = store.getCRLIterator(byIssuer);

            try {
                while (candidates.hasNext()) {
                    CRL candidate = candidates.next();

                    if (candidate instanceof X509CRL) {
                        X509CRL x509CRL = (X509CRL) candidate;

                        if (acceptCRL(issuer, x509CRL)) {
                            accepted.add(x509CRL);
                        }
                    } else {
                        logger.warn("Only X509CRLs are supported. Skipping this CRL.");
                    }
                }
            } finally {
                /* the iterator may hold store resources (e.g. a transaction); always release it */
                candidates.close();
            }
        } catch (CRLStoreException e) {
            logger.error("Error getting CRLs. Skipping this store.", e);
        } catch (CloseableIteratorException e) {
            logger.error("Error stepping through the CRL store. Skipping this store.", e);
        }
    }

    return accepted;
}

From source file:mitm.common.security.crl.CRLStoreMaintainerImpl.java

/**
 * Opens an iterator over all CRLs in {@code crlStore} whose issuer equals the issuer of {@code crl}.
 *
 * <p>The caller owns the returned iterator and is responsible for closing it.
 *
 * @param crl the CRL whose issuer principal becomes the selection criterion; must not be null
 *            (enforced by {@code Check.notNull})
 * @return an open iterator over the matching CRLs
 * @throws CRLStoreException if the store cannot produce the iterator
 */
private CloseableIterator<X509CRL> getCRLsWithSameIssuer(X509CRL crl) throws CRLStoreException {
    Check.notNull(crl, "crl");

    X509CRLSelector sameIssuer = new X509CRLSelector();
    sameIssuer.setIssuers(Collections.singletonList(crl.getIssuerX500Principal()));

    return crlStore.getCRLIterator(sameIssuer);
}

From source file:mitm.common.security.crlstore.hibernate.X509CRLStoreExtHibernateTest.java

@Test
public void testGetAllCRLs() throws Exception {
    /* getCRLs carries no @StartTransaction, so an auto-commit store is sufficient here */
    X509CRLStoreExt store = new X509CRLStoreExtAutoCommitFactory(sessionSource, "test").create();

    addTestCRLs(store);

    /* a selector without criteria matches every stored CRL */
    X509CRLSelector matchAll = new X509CRLSelector();

    Collection<? extends CRL> found = store.getCRLs(matchAll);

    /* addTestCRLs is expected to have stored five CRLs */
    assertEquals(5, found.size());
}

From source file:mitm.common.security.crlstore.hibernate.X509CRLStoreExtHibernateTest.java

@Test
public void testGetCRLIterator() throws Exception {
    /* getCRLIterator carries no @StartTransaction, so an auto-commit store is sufficient here */
    X509CRLStoreExt store = new X509CRLStoreExtAutoCommitFactory(sessionSource, "test").create();

    addTestCRLs(store);

    /* a selector without criteria matches every stored CRL */
    X509CRLSelector matchAll = new X509CRLSelector();

    CloseableIterator<? extends CRL> iterator = store.getCRLIterator(matchAll);

    /* freshly created iterators must be open ... */
    assertTrue(!iterator.isClosed());

    List<? extends CRL> found = CloseableIteratorUtils.toList(iterator);

    /* ... and draining them through toList must close them */
    assertTrue(iterator.isClosed());

    /* addTestCRLs is expected to have stored five CRLs */
    assertEquals(5, found.size());
}

From source file:mitm.common.security.crlstore.hibernate.X509CRLStoreExtHibernateTest.java

@Test
public void testGetCRLEntryIterator() throws Exception {
    /*
     * The store-entry iterator needs a live transaction for as long as it is open, so the
     * auto-commit factory cannot be used; the session is injected and the transaction is
     * managed explicitly below.
     */
    X509CRLStoreExt store = new X509CRLStoreExtInjectSessionFactory(sessionSource, "test").create();

    Transaction transaction = sessionSource.getSession().beginTransaction();

    addTestCRLs(store);

    /* a selector without criteria matches every stored CRL */
    X509CRLSelector matchAll = new X509CRLSelector();

    CloseableIterator<? extends X509CRLStoreEntry> iterator = store.getCRLStoreIterator(matchAll);

    /* freshly created iterators must be open ... */
    assertTrue(!iterator.isClosed());

    List<? extends X509CRLStoreEntry> entries = CloseableIteratorUtils.toList(iterator);

    /* ... and draining them through toList must close them */
    assertTrue(iterator.isClosed());

    /* addTestCRLs is expected to have stored five CRLs */
    assertEquals(5, entries.size());

    transaction.commit();

    sessionSource.getSession().close();
}

From source file:mitm.common.security.crl.PKIXRevocationChecker.java

/**
 * Determines the CRL-based revocation status of every certificate in {@code certPath}.
 *
 * <p>The path is walked from index 0 upwards; the issuer of entry {@code i} is taken to be entry
 * {@code i + 1}, and for the last entry the trust anchor (either its trusted certificate or, when
 * that is absent, its CA name and public key). So the path is expected to be ordered from the end
 * entity towards the trust anchor, which {@code verifyCertificate} is relied on to enforce.
 *
 * <p>The walk stops early, leaving the remaining detail slots as {@code RevocationResultImpl}
 * initialised them (presumably unset — confirm), when a certificate is found to be REVOKED or when
 * the issuer certificate carries a key-usage extension without CRLSign.
 *
 * @param certPath    the certificate path to check; must not be null
 * @param trustAnchor the anchor that issued the last certificate of the path; must not be null
 * @param now         the reference time handed to the CRL lookup and the per-certificate evaluation
 * @return one {@code RevocationDetail} per path entry, indexed like {@code certPath.getCertificates()}
 * @throws CRLException declared for callers; a {@code NoSuchProviderException} raised by
 *         {@code findCRLs} is rethrown as an unchecked {@code NoSuchProviderRuntimeException}
 */
@Override
public RevocationResult getRevocationStatus(CertPath certPath, TrustAnchor trustAnchor, Date now)
        throws CRLException {
    Check.notNull(certPath, "certPath");
    Check.notNull(trustAnchor, "trustAnchor");

    List<? extends Certificate> certificates = certPath.getCertificates();

    /* one detail slot per certificate in the path, indexed like the path */
    RevocationResult revocationResult = new RevocationResultImpl(certificates.size());

    /*
     * Step through all the certificates in the path and check the revocation status of all
     * the certificates in the path.
     */
    for (int i = 0; i < certificates.size(); i++) {
        X509Certificate certificate = toX509Certificate(certificates.get(i));

        PublicKey issuerPublicKey;
        X500Principal issuer;
        /* null when the trust anchor provides only a name and key, not a certificate */
        X509Certificate issuerCertificate;

        /*
         * we need to get the issuer of the current certificate
         * check if there is a next certificate in the path or that we must use the TrustAnchor
         */
        if ((i + 1) == certificates.size()) {
            /* this was the last entry from the path so we must use the trust anchor */
            if (trustAnchor.getTrustedCert() != null) {
                issuerCertificate = toX509Certificate(trustAnchor.getTrustedCert());
                issuerPublicKey = issuerCertificate.getPublicKey();
                issuer = issuerCertificate.getSubjectX500Principal();
            } else {
                /* the TrustAnchor does not contain a certificate but only an issuer and public key */
                issuerCertificate = null;
                issuerPublicKey = trustAnchor.getCAPublicKey();
                issuer = trustAnchor.getCA();
            }
        } else {
            /* get next entry from path ie. the issuer of the current certificate */
            issuerCertificate = toX509Certificate(certificates.get(i + 1));
            issuerPublicKey = issuerCertificate.getPublicKey();
            issuer = issuerCertificate.getSubjectX500Principal();
        }

        /*
         * sanity check to make sure the CertPath is ordered from end -> final CA
         * ie that the next certificate signed the previous certificate.
         * NOTE(review): this is the only place the chaining is enforced in this method; it is
         * relied on to throw when the key does not verify the certificate — confirm.
         */
        verifyCertificate(certificate, issuerPublicKey);

        /*
         * Sanity check. The issuer principal field of the certificate currently checked should
         * normally be equal to the issuer principal. A mismatch is only logged here; the path is
         * not rejected on this ground.
         */
        if (!certificate.getIssuerX500Principal().equals(issuer)) {
            logger.warn("Certificate issuer field is not equal to issuer.");
        }

        if (issuerCertificate != null) {
            Set<KeyUsageType> keyUsage = X509CertificateInspector.getKeyUsage(issuerCertificate);

            /*
             * check if issuer is allowed to issue CRLs (only when we have an issuerCertificate, and
             * a key usage extension). An issuer without a key-usage extension is not restricted here.
             */
            if (keyUsage != null && !keyUsage.contains(KeyUsageType.CRLSIGN)) {
                logger.debug("Issuer is not allowed to issue CRLs.");

                /*
                 * We will return UNKNOWN status for this entry.
                 */
                RevocationDetailImpl detail = new RevocationDetailImpl(RevocationStatus.UNKNOWN);

                revocationResult.getDetails()[i] = detail;

                /* there is no need to continue because issuer is not allowed to issue CRLs */
                break;
            }
        }

        X509CRLSelector crlSelector = new X509CRLSelector();

        /* create a selector to find all relevant CRLs that were issued to the same issuer as the certificate */
        crlSelector.addIssuer(issuer);

        try {
            List<X509CRL> crls = findCRLs(certificate, crlSelector, issuerPublicKey, now);

            RevocationDetail detail = getRevocationDetail(crls, certificate, issuerCertificate, issuerPublicKey,
                    now);

            revocationResult.getDetails()[i] = detail;

            if (detail.getStatus() == RevocationStatus.REVOKED) {
                logger.warn("Certificate is revoked.");

                if (logger.isDebugEnabled()) {
                    logger.debug("Revoked certificate: " + certificate);
                }

                /* there is no need to continue because the certificate is revoked; the rest of the path is not evaluated */
                break;
            }
        } catch (NoSuchProviderException e) {
            /* a missing JCA provider is a deployment error, not a revocation outcome */
            throw new NoSuchProviderRuntimeException(e);
        }
    }

    if (logger.isDebugEnabled()) {
        logger.debug("Revocation status for CertPath " + certPath + " and TrustAnchor " + trustAnchor + " is "
                + revocationResult);
    }

    return revocationResult;
}

From source file:mitm.common.security.crlstore.hibernate.X509CRLStoreExtHibernateTest.java

@Test
public void testGetCRLEntryIteratorNoCRLs() throws Exception {
    /*
     * The store-entry iterator needs a live transaction for as long as it is open, so the
     * auto-commit factory cannot be used; the session is injected and the transaction is
     * managed explicitly below.
     */
    X509CRLStoreExt store = new X509CRLStoreExtInjectSessionFactory(sessionSource, "test").create();

    Transaction transaction = sessionSource.getSession().beginTransaction();

    /* nothing is added to the store, so even an unconstrained selector must yield no entries */
    X509CRLSelector matchAll = new X509CRLSelector();

    CloseableIterator<? extends X509CRLStoreEntry> iterator = store.getCRLStoreIterator(matchAll);

    /* an empty result must still produce an open iterator ... */
    assertTrue(!iterator.isClosed());

    List<? extends X509CRLStoreEntry> entries = CloseableIteratorUtils.toList(iterator);

    /* ... which toList closes after draining it */
    assertTrue(iterator.isClosed());

    assertEquals(0, entries.size());

    transaction.commit();

    sessionSource.getSession().close();
}

From source file:mitm.common.security.crl.PKIXRevocationChecker.java

/**
 * Searches for a base CRL that the given delta CRL can be applied to and reports the outcome.
 *
 * <p>Candidate base CRLs are looked up with the delta CRL's issuer and a CRL-number window:
 * at least the delta CRL indicator (the base number named by the delta) and at most
 * {@code deltaCRLNumber - 1}. Each candidate is then checked with {@code checkDeltaCRL_6_3_3_b}.
 *
 * <p>Result mapping: OK as soon as one candidate passes the check; UNSUPPORTED_CRITICAL_EXTENSION
 * when a candidate fails the check and has unsupported critical extensions (unless a later
 * candidate passes); UNKNOWN otherwise, including when either CRL-number extension cannot be
 * read. NOTE(review): the critical-extension test only runs for candidates that failed the
 * 6.3.3(b) check, so a base that passes the check is accepted without it — confirm this is
 * intended.
 *
 * @param targetCertificate the certificate whose status is being evaluated
 * @param deltaCRL          the delta CRL for which a base is sought
 * @param issuerPublicKey   key used by {@code findCRLs} to validate candidate base CRLs (presumably)
 * @param now               reference time handed to {@code findCRLs}
 * @return the delta CRL status as described above; never {@code null}
 * @throws NoSuchProviderException propagated from {@code findCRLs}
 */
private DeltaCRLStatus getDeltaCRLStatus(X509Certificate targetCertificate, X509CRL deltaCRL,
        PublicKey issuerPublicKey, Date now) throws NoSuchProviderException {
    BigInteger baseCRLNumber;

    try {
        baseCRLNumber = X509CRLInspector.getDeltaIndicator(deltaCRL);
    } catch (IOException e) {
        logger.error("Error getting base CRL number", e);

        return DeltaCRLStatus.UNKNOWN;
    }

    /* base candidates: same issuer as the delta, CRL number >= the delta CRL indicator ... */
    X509CRLSelector baseSelector = new X509CRLSelector();
    baseSelector.addIssuer(deltaCRL.getIssuerX500Principal());
    baseSelector.setMinCRLNumber(baseCRLNumber);

    BigInteger deltaCRLNumber = null;

    try {
        deltaCRLNumber = X509CRLInspector.getCRLNumber(deltaCRL);
    } catch (IOException e) {
        logger.error("Error getting CRLNumber extension from the delta CRL.", e);
    }

    /* without the delta's own CRL number the upper bound is unknown and no search is done */
    if (deltaCRLNumber == null) {
        return DeltaCRLStatus.UNKNOWN;
    }

    /* ... and CRL number < the delta's CRL number, otherwise it cannot be a base for this delta */
    baseSelector.setMaxCRLNumber(deltaCRLNumber.subtract(BigInteger.ONE));

    DeltaCRLStatus status = DeltaCRLStatus.UNKNOWN;

    for (X509CRL candidateBase : findCRLs(targetCertificate, baseSelector, issuerPublicKey, now)) {
        boolean applies;

        try {
            applies = checkDeltaCRL_6_3_3_b(targetCertificate, deltaCRL, candidateBase);
        } catch (IOException e) {
            logger.error("Error executing checkDeltaCRL_6_3_3_b.", e);

            continue;
        }

        if (applies) {
            status = DeltaCRLStatus.OK;
            break;
        }

        if (hasUnsupportedCriticalExtensions(candidateBase)) {
            logger.warn("The base CRL has unsupported critical extensions.");

            status = DeltaCRLStatus.UNSUPPORTED_CRITICAL_EXTENSION;
        }
    }

    return status;
}

From source file:org.globus.gsi.CertificateRevocationLists.java

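/**
 * Replaces the cached issuer-DN-to-CRL map with the CRLs found under the given locations.
 *
 * <p>{@code locations} is a comma-separated list of directories; every file matching
 * {@code *.r*} in each directory is loaded through {@code Stores.getCRLStore}. CRLs are keyed by
 * issuer DN, so when several loaded CRLs share an issuer the last one loaded wins. No signature
 * or validity-period check happens here; that is presumably done by whoever consults the map —
 * confirm. The new map is built completely before the field is replaced, so the old map stays in
 * place until loading has succeeded for every location.
 *
 * @param locations comma-separated directories to scan; {@code null} leaves the current map untouched
 * @throws RuntimeException wrapping any failure while loading a location, naming that location
 */
public synchronized void reload(String locations) {
    if (locations == null) {
        return;
    }

    StringTokenizer tokens = new StringTokenizer(locations, ",");
    Map<String, X509CRL> newCrlIssuerDNMap = new HashMap<String, X509CRL>();

    while (tokens.hasMoreTokens()) {
        /* hoisted out of the try so the failing location can be named in the error */
        String location = tokens.nextToken().trim();

        try {
            CertStore store = Stores.getCRLStore("file:" + location + "/*.r*");

            /* the store is built from CRL files that are assumed to all be X.509 CRLs — confirm */
            @SuppressWarnings("unchecked")
            Collection<X509CRL> loaded = (Collection<X509CRL>) store.getCRLs(new X509CRLSelector());

            for (X509CRL crl : loaded) {
                newCrlIssuerDNMap.put(crl.getIssuerX500Principal().getName(), crl);
            }
        } catch (Exception e) {
            /* keep the cause and say which location failed; the previous map remains in effect */
            throw new RuntimeException("Failed to load CRLs from location: " + location, e);
        }
    }

    this.crlIssuerDNMap = newCrlIssuerDNMap;
}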