List of usage examples for org.bouncycastle.asn1.x509 Certificate getIssuer
public X500Name getIssuer()
From source file:net.wstech2.me.httpsclient.CertificateValidatorUtils.java
License:Apache License
/** * /*from w w w . ja va2 s . c om*/ * Prints common certificate informations like signature, signature * algorithm, subject and issuer details, etc. * * @param cert * The X509CertificateStructure containing the information that * will be printed. * */ public static void printCertificateDetails(org.bouncycastle.asn1.x509.Certificate cert) { HttpsConnectionUtils.logDebug( "BEGIN CERTIFICATE DUMP FOR:[[" + CertificateValidatorUtils.extractCommonName(cert, true) + "]]"); HttpsConnectionUtils.logDebug("Certificate Signature:[[" + cert.getSignature().toString() + "]]"); HttpsConnectionUtils.logDebug( "Certificate Signature Algorithm OID:[[" + cert.getSignatureAlgorithm().getAlgorithm() + "]]"); HttpsConnectionUtils.logDebug("Certificate Subject Info:[[" + cert.getSubject().toString() + "]]"); HttpsConnectionUtils .logDebug("Certificate Subject common name (CN):[[" + extractCommonName(cert, false) + "]]"); HttpsConnectionUtils .logDebug("Certificate Subject short common name (CN):[[" + extractCommonName(cert, true) + "]]"); HttpsConnectionUtils.logDebug("Certificate Issuer Info:[[" + cert.getIssuer() + "]]"); HttpsConnectionUtils.logDebug("Certificate Start Date:[[" + cert.getStartDate().getTime() + "]]"); HttpsConnectionUtils.logDebug("Certificate End Date:[[" + cert.getEndDate().getTime() + "]]"); HttpsConnectionUtils.logDebug("Certificate ASN.1 Dump:[[" + ASN1Dump.dumpAsString(cert, true) + "]]"); HttpsConnectionUtils.logDebug( "END CERTIFICATE DUMP FOR:[[" + CertificateValidatorUtils.extractCommonName(cert, true) + "]]"); }
From source file:net.wstech2.me.httpsclient.CertificateValidatorUtils.java
License:Apache License
/** * Retrieves the issuer common name./*from ww w .j ava 2 s . co m*/ * * @param cert * The certificate from which the issuer name is to the * extracted. * @return The issuer common name. */ public static String extractIssuerName(org.bouncycastle.asn1.x509.Certificate cert) { return HttpsConnectionUtils.replace(cert.getIssuer().toString(), "\\,", ","); }
From source file:org.codice.ddf.security.ocsp.checker.OcspChecker.java
License:Open Source License
/** * Returns an {@link X509CertificateHolder} containing the issuer of the passed in {@param cert}. * Search is performed in the system truststore. * * @param cert - the {@link Certificate} to get the issuer from. * @return {@link X509CertificateHolder} containing the issuer of the passed in {@param cert}. * @throws OcspCheckerException if the issuer cannot be resolved. *//* w w w . j a v a 2 s .c o m*/ private X509CertificateHolder resolveIssuerCertificate(Certificate cert) throws OcspCheckerException { X500Name issuerName = cert.getIssuer(); String trustStorePath = AccessController .doPrivileged((PrivilegedAction<String>) SecurityConstants::getTruststorePath); String trustStorePass = AccessController .doPrivileged((PrivilegedAction<String>) SecurityConstants::getTruststorePassword); if (isBlank(trustStorePath) || isBlank(trustStorePass)) { throw new OcspCheckerException("Problem retrieving truststore properties." + NOT_VERIFIED_MSG); } KeyStore truststore; try (InputStream truststoreInputStream = new FileInputStream(trustStorePath)) { truststore = SecurityConstants.newTruststore(); truststore.load(truststoreInputStream, trustStorePass.toCharArray()); SecurityLogger.audit("Truststore on path {} was read by {}.", trustStorePath, this.getClass().getSimpleName()); } catch (CertificateException | IOException | KeyStoreException | NoSuchAlgorithmException e) { throw new OcspCheckerException(String.format("Problem loading truststore on path %s", trustStorePath), e); } try { return getCertFromTruststoreWithX500Name(issuerName, truststore); } catch (OcspCheckerException e) { throw new OcspCheckerException( "Problem finding the certificate issuer in truststore." + NOT_VERIFIED_MSG, e); } }
From source file:org.xipki.ca.client.shell.loadtest.CALoadTestRevoke.java
License:Open Source License
public CALoadTestRevoke(final CAClient caClient, final Certificate caCert, final DataSourceWrapper caDataSource, final int maxCerts, final int n) throws Exception { ParamChecker.assertNotNull("caClient", caClient); ParamChecker.assertNotNull("caCert", caCert); ParamChecker.assertNotNull("caDataSource", caDataSource); if (n < 1) { throw new IllegalArgumentException("non-positive n " + n + " is not allowed"); }/*www. j a v a 2s . com*/ this.n = n; this.caClient = caClient; this.caDataSource = caDataSource; this.caSubject = caCert.getSubject(); this.maxCerts = maxCerts; if (caCert.getIssuer().equals(caCert.getSubject())) { this.excludeSerials.add(caCert.getSerialNumber().getPositiveValue().longValue()); } String sha1Fp = SecurityUtil.sha1sum(caCert.getEncoded()); String sql = "SELECT ID FROM CS_CA WHERE FP_CERT='" + sha1Fp + "'"; Statement stmt = caDataSource.getConnection().createStatement(); try { ResultSet rs = stmt.executeQuery(sql); if (rs.next()) { caInfoId = rs.getInt("ID"); } else { throw new Exception("CA Certificate and database configuration does not match"); } rs.close(); sql = "SELECT MIN(SERIAL) FROM CERT WHERE REVOKED=0 AND CA_ID=" + caInfoId; rs = stmt.executeQuery(sql); rs.next(); minSerial = rs.getLong(1); nextStartSerial = minSerial; sql = "SELECT MAX(SERIAL) FROM CERT WHERE REVOKED=0 AND CA_ID=" + caInfoId; rs = stmt.executeQuery(sql); rs.next(); maxSerial = rs.getLong(1); } finally { caDataSource.releaseResources(stmt, null); } }
From source file:org.xipki.commons.security.shell.CertInfoCmd.java
License:Open Source License
@Override protected Object doExecute() throws Exception { Certificate cert = Certificate.getInstance(IoUtil.read(inFile)); if (serial != null && serial) { return getNumber(cert.getSerialNumber().getPositiveValue()); } else if (subject != null && subject) { return cert.getSubject().toString(); } else if (issuer != null && issuer) { return cert.getIssuer().toString(); } else if (notBefore != null && notBefore) { return toUtcTimeyyyyMMddhhmmssZ(cert.getStartDate().getDate()); } else if (notAfter != null && notAfter) { return toUtcTimeyyyyMMddhhmmssZ(cert.getEndDate().getDate()); } else if (fingerprint != null && fingerprint) { byte[] encoded = cert.getEncoded(); return HashAlgoType.getHashAlgoType(hashAlgo).hexHash(encoded); }/*from w w w . j a va 2 s.com*/ return null; }
From source file:org.xipki.ocsp.server.impl.certstore.CrlCertStatusStore.java
License:Open Source License
private synchronized void initializeStore(final boolean force) { Boolean updateCRLSuccessfull = null; try {//from w w w . jav a 2 s. co m File fullCrlFile = new File(crlFilename); if (fullCrlFile.exists() == false) { // file does not exist LOG.warn("CRL File {} does not exist", crlFilename); return; } long newLastModifed = fullCrlFile.lastModified(); boolean deltaCrlExists; File deltaCrlFile = null; if (deltaCrlFilename != null) { deltaCrlFile = new File(deltaCrlFilename); deltaCrlExists = deltaCrlFile.exists(); } else { deltaCrlExists = false; } long newLastModifedOfDeltaCrl = deltaCrlExists ? deltaCrlFile.lastModified() : 0; if (force == false) { long now = System.currentTimeMillis(); if (newLastModifed != lastmodifiedOfCrlFile) { if (now - newLastModifed < 5000) { return; // still in copy process } } if (deltaCrlExists) { if (newLastModifedOfDeltaCrl != lastModifiedOfDeltaCrlFile) { if (now - newLastModifed < 5000) { return; // still in copy process } } } } // end if(force) byte[] newFp = sha1Fp(fullCrlFile); boolean crlFileChanged = Arrays.equals(newFp, fpOfCrlFile) == false; if (crlFileChanged == false) { auditLogPCIEvent(AuditLevel.INFO, "UPDATE_CERTSTORE", "current CRL is still up-to-date"); return; } byte[] newFpOfDeltaCrl = deltaCrlExists ? sha1Fp(deltaCrlFile) : null; boolean deltaCrlFileChanged = Arrays.equals(newFpOfDeltaCrl, fpOfDeltaCrlFile) == false; if (crlFileChanged == false && deltaCrlFileChanged == false) { return; } if (crlFileChanged) { LOG.info("CRL file {} has changed, updating of the CertStore required", crlFilename); } if (deltaCrlFileChanged) { LOG.info("DeltaCRL file {} has changed, updating of the CertStore required", deltaCrlFilename); } auditLogPCIEvent(AuditLevel.INFO, "UPDATE_CERTSTORE", "a newer version of CRL is available"); updateCRLSuccessfull = false; X509CRL crl = X509Util.parseCRL(crlFilename); BigInteger crlNumber; { byte[] octetString = crl.getExtensionValue(Extension.cRLNumber.getId()); if (octetString != null) { byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); crlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); } else { crlNumber = null; } } X500Principal issuer = crl.getIssuerX500Principal(); boolean caAsCrlIssuer = true; if (caCert.getSubjectX500Principal().equals(issuer) == false) { caAsCrlIssuer = false; if (issuerCert == null) { throw new IllegalArgumentException("issuerCert could not be null"); } if (issuerCert.getSubjectX500Principal().equals(issuer) == false) { throw new IllegalArgumentException("The issuerCert and CRL do not match"); } } X509Certificate crlSignerCert = caAsCrlIssuer ? caCert : issuerCert; try { crl.verify(crlSignerCert.getPublicKey()); } catch (Exception e) { throw new CertStatusStoreException(e.getMessage(), e); } X509CRL deltaCrl = null; BigInteger deltaCrlNumber = null; BigInteger baseCrlNumber = null; if (deltaCrlExists) { if (crlNumber == null) { throw new CertStatusStoreException("baseCRL does not contains CRLNumber"); } deltaCrl = X509Util.parseCRL(deltaCrlFilename); byte[] octetString = deltaCrl.getExtensionValue(Extension.deltaCRLIndicator.getId()); if (octetString == null) { deltaCrl = null; LOG.warn("{} is a full CRL instead of delta CRL, ignore it", deltaCrlFilename); } else { byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); if (baseCrlNumber.equals(crlNumber) == false) { deltaCrl = null; LOG.info("{} is not a deltaCRL for the CRL {}, ignore it", deltaCrlFilename, crlFilename); } else { octetString = deltaCrl.getExtensionValue(Extension.cRLNumber.getId()); extnValue = DEROctetString.getInstance(octetString).getOctets(); deltaCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); } } } if (crlFileChanged == false && deltaCrl == null) { return; } Date newThisUpdate; Date newNextUpdate; if (deltaCrl != null) { LOG.info("try to update CRL with CRLNumber={} and DeltaCRL with CRLNumber={}", crlNumber, deltaCrlNumber); newThisUpdate = deltaCrl.getThisUpdate(); newNextUpdate = deltaCrl.getNextUpdate(); } else { newThisUpdate = crl.getThisUpdate(); newNextUpdate = crl.getNextUpdate(); } // Construct CrlID ASN1EncodableVector v = new ASN1EncodableVector(); if (StringUtil.isNotBlank(crlUrl)) { v.add(new DERTaggedObject(true, 0, new DERIA5String(crlUrl, true))); } byte[] extValue = (deltaCrlExists ? deltaCrl : crl).getExtensionValue(Extension.cRLNumber.getId()); if (extValue != null) { ASN1Integer asn1CrlNumber = ASN1Integer.getInstance(removeTagAndLenFromExtensionValue(extValue)); v.add(new DERTaggedObject(true, 1, asn1CrlNumber)); } v.add(new DERTaggedObject(true, 2, new DERGeneralizedTime(newThisUpdate))); this.crlID = CrlID.getInstance(new DERSequence(v)); byte[] encodedCaCert; try { encodedCaCert = caCert.getEncoded(); } catch (CertificateEncodingException e) { throw new CertStatusStoreException(e.getMessage(), e); } Certificate bcCaCert = Certificate.getInstance(encodedCaCert); byte[] encodedName; try { encodedName = bcCaCert.getSubject().getEncoded("DER"); } catch (IOException e) { throw new CertStatusStoreException(e.getMessage(), e); } byte[] encodedKey = bcCaCert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); Map<HashAlgoType, IssuerHashNameAndKey> newIssuerHashMap = new ConcurrentHashMap<>(); for (HashAlgoType hashAlgo : HashAlgoType.values()) { byte[] issuerNameHash = HashCalculator.hash(hashAlgo, encodedName); byte[] issuerKeyHash = HashCalculator.hash(hashAlgo, encodedKey); IssuerHashNameAndKey issuerHash = new IssuerHashNameAndKey(hashAlgo, issuerNameHash, issuerKeyHash); newIssuerHashMap.put(hashAlgo, issuerHash); } X500Name caName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()); // extract the certificate, only in full CRL, not in delta CRL boolean certsIncluded = false; Set<CertWithInfo> certs = new HashSet<>(); String oidExtnCerts = ObjectIdentifiers.id_xipki_ext_crlCertset.getId(); byte[] extnValue = crl.getExtensionValue(oidExtnCerts); if (extnValue == null) { // try the legacy OID extnValue = crl.getExtensionValue("1.3.6.1.4.1.12655.100"); } if (extnValue != null) { extnValue = removeTagAndLenFromExtensionValue(extnValue); certsIncluded = true; ASN1Set asn1Set = DERSet.getInstance(extnValue); int n = asn1Set.size(); for (int i = 0; i < n; i++) { ASN1Encodable asn1 = asn1Set.getObjectAt(i); Certificate bcCert; String profileName = null; try { ASN1Sequence seq = ASN1Sequence.getInstance(asn1); bcCert = Certificate.getInstance(seq.getObjectAt(0)); if (seq.size() > 1) { profileName = DERUTF8String.getInstance(seq.getObjectAt(1)).getString(); } } catch (IllegalArgumentException e) { // backwards compatibility bcCert = Certificate.getInstance(asn1); } if (caName.equals(bcCert.getIssuer()) == false) { throw new CertStatusStoreException("invalid entry in CRL Extension certs"); } if (profileName == null) { profileName = "UNKNOWN"; } certs.add(new CertWithInfo(bcCert, profileName)); } } if (certsDirname != null) { if (extnValue != null) { LOG.warn("ignore certsDir '{}', since certificates are included in CRL Extension certs", certsDirname); } else { certsIncluded = true; Set<CertWithInfo> tmpCerts = readCertWithInfosFromDir(caCert, certsDirname); certs.addAll(tmpCerts); } } Map<BigInteger, CrlCertStatusInfo> newCertStatusInfoMap = new ConcurrentHashMap<>(); // First consider only full CRL Set<? extends X509CRLEntry> revokedCertListInFullCRL = crl.getRevokedCertificates(); if (revokedCertListInFullCRL != null) { for (X509CRLEntry revokedCert : revokedCertListInFullCRL) { X500Principal thisIssuer = revokedCert.getCertificateIssuer(); if (thisIssuer != null && caCert.getSubjectX500Principal().equals(thisIssuer) == false) { throw new CertStatusStoreException("invalid CRLEntry"); } } } Set<? extends X509CRLEntry> revokedCertListInDeltaCRL = null; if (deltaCrl != null) { revokedCertListInDeltaCRL = deltaCrl.getRevokedCertificates(); if (revokedCertListInDeltaCRL != null) { for (X509CRLEntry revokedCert : revokedCertListInDeltaCRL) { X500Principal thisIssuer = revokedCert.getCertificateIssuer(); if (thisIssuer != null && caCert.getSubjectX500Principal().equals(thisIssuer) == false) { throw new CertStatusStoreException("invalid CRLEntry"); } } } } Map<BigInteger, X509CRLEntry> revokedCertMap = null; // merge the revoked list if (CollectionUtil.isNotEmpty(revokedCertListInDeltaCRL)) { revokedCertMap = new HashMap<BigInteger, X509CRLEntry>(); for (X509CRLEntry entry : revokedCertListInFullCRL) { revokedCertMap.put(entry.getSerialNumber(), entry); } for (X509CRLEntry entry : revokedCertListInDeltaCRL) { BigInteger serialNumber = entry.getSerialNumber(); java.security.cert.CRLReason reason = entry.getRevocationReason(); if (reason == java.security.cert.CRLReason.REMOVE_FROM_CRL) { revokedCertMap.remove(serialNumber); } else { revokedCertMap.put(serialNumber, entry); } } } Iterator<? extends X509CRLEntry> it = null; if (revokedCertMap != null) { it = revokedCertMap.values().iterator(); } else if (revokedCertListInFullCRL != null) { it = revokedCertListInFullCRL.iterator(); } if (it != null) { while (it.hasNext()) { X509CRLEntry revokedCert = it.next(); BigInteger serialNumber = revokedCert.getSerialNumber(); byte[] encodedExtnValue = revokedCert.getExtensionValue(Extension.reasonCode.getId()); int reasonCode; if (encodedExtnValue != null) { ASN1Enumerated enumerated = ASN1Enumerated .getInstance(removeTagAndLenFromExtensionValue(encodedExtnValue)); reasonCode = enumerated.getValue().intValue(); } else { reasonCode = CRLReason.UNSPECIFIED.getCode(); } Date revTime = revokedCert.getRevocationDate(); Date invalidityTime = null; extnValue = revokedCert.getExtensionValue(Extension.invalidityDate.getId()); if (extnValue != null) { extnValue = removeTagAndLenFromExtensionValue(extnValue); ASN1GeneralizedTime gTime = DERGeneralizedTime.getInstance(extnValue); try { invalidityTime = gTime.getDate(); } catch (ParseException e) { throw new CertStatusStoreException(e.getMessage(), e); } if (revTime.equals(invalidityTime)) { invalidityTime = null; } } CertWithInfo cert = null; if (certsIncluded) { for (CertWithInfo bcCert : certs) { if (bcCert.cert.getIssuer().equals(caName) && bcCert.cert.getSerialNumber().getPositiveValue().equals(serialNumber)) { cert = bcCert; break; } } if (cert == null) { LOG.info("could not find certificate (issuer = '{}', serialNumber = '{}'", X509Util.getRFC4519Name(caName), serialNumber); } else { certs.remove(cert); } } Map<HashAlgoType, byte[]> certHashes = (cert == null) ? null : getCertHashes(cert.cert); CertRevocationInfo revocationInfo = new CertRevocationInfo(reasonCode, revTime, invalidityTime); CrlCertStatusInfo crlCertStatusInfo = CrlCertStatusInfo.getRevokedCertStatusInfo(revocationInfo, (cert == null) ? null : cert.profileName, certHashes); newCertStatusInfoMap.put(serialNumber, crlCertStatusInfo); } // end while(it.hasNext()) } // end if(it) for (CertWithInfo cert : certs) { Map<HashAlgoType, byte[]> certHashes = getCertHashes(cert.cert); CrlCertStatusInfo crlCertStatusInfo = CrlCertStatusInfo.getGoodCertStatusInfo(cert.profileName, certHashes); newCertStatusInfoMap.put(cert.cert.getSerialNumber().getPositiveValue(), crlCertStatusInfo); } this.initialized = false; this.lastmodifiedOfCrlFile = newLastModifed; this.fpOfCrlFile = newFp; this.lastModifiedOfDeltaCrlFile = newLastModifedOfDeltaCrl; this.fpOfDeltaCrlFile = newFpOfDeltaCrl; this.issuerHashMap.clear(); this.issuerHashMap.putAll(newIssuerHashMap); this.certStatusInfoMap.clear(); this.certStatusInfoMap.putAll(newCertStatusInfoMap); this.thisUpdate = newThisUpdate; this.nextUpdate = newNextUpdate; this.initializationFailed = false; this.initialized = true; updateCRLSuccessfull = true; LOG.info("updated CertStore {}", getName()); } catch (Exception e) { final String message = "could not execute initializeStore()"; if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage()); } LOG.debug(message, e); initializationFailed = true; initialized = true; } finally { if (updateCRLSuccessfull != null) { AuditLevel auditLevel; AuditStatus auditStatus; String eventType = "UPDATE_CRL"; if (updateCRLSuccessfull) { auditLevel = AuditLevel.INFO; auditStatus = AuditStatus.FAILED; } else { auditLevel = AuditLevel.ERROR; auditStatus = AuditStatus.SUCCESSFUL; } auditLogPCIEvent(auditLevel, eventType, auditStatus.name()); } } }
From source file:org.xipki.ocsp.server.impl.certstore.CrlCertStatusStore.java
License:Open Source License
private Set<CertWithInfo> readCertWithInfosFromDir(final X509Certificate caCert, final String certsDirname) throws CertificateEncodingException { File certsDir = new File(certsDirname); if (certsDir.exists() == false) { LOG.warn("the folder " + certsDirname + " does not exist, ignore it"); return Collections.emptySet(); }// w w w.j av a 2 s .com if (certsDir.isDirectory() == false) { LOG.warn("the path " + certsDirname + " does not point to a folder, ignore it"); return Collections.emptySet(); } if (certsDir.canRead() == false) { LOG.warn("the folder " + certsDirname + " could not be read, ignore it"); return Collections.emptySet(); } File[] certFiles = certsDir.listFiles(new FilenameFilter() { @Override public boolean accept(File dir, String name) { return name.endsWith(".der") || name.endsWith(".crt"); } }); if (certFiles == null || certFiles.length == 0) { return Collections.emptySet(); } X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()); byte[] issuerSKI = X509Util.extractSKI(caCert); Set<CertWithInfo> certs = new HashSet<>(); final String profileName = "UNKNOWN"; for (File certFile : certFiles) { Certificate bcCert; try { byte[] encoded = IoUtil.read(certFile); bcCert = Certificate.getInstance(encoded); } catch (IllegalArgumentException | IOException e) { LOG.warn("could not parse certificate {}, ignore it", certFile.getPath()); continue; } // not issued by the given issuer if (issuer.equals(bcCert.getIssuer()) == false) { continue; } if (issuerSKI != null) { byte[] aki = null; try { aki = X509Util.extractAKI(bcCert); } catch (CertificateEncodingException e) { final String message = "could not extract AuthorityKeyIdentifier"; if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage()); } LOG.debug(message, e); } if (aki == null || Arrays.equals(issuerSKI, aki) == false) { continue; } } certs.add(new CertWithInfo(bcCert, profileName)); } return certs; }
From source file:org.xipki.pki.ca.dbtool.diffdb.EjbcaDigestExporter.java
License:Open Source License
private void doDigestNoTableId(final ProcessLog processLog, final CaEntryContainer caEntryContainer, final Map<String, EjbcaCaInfo> caInfos) throws Exception { int skippedAccount = 0; String lastProcessedHexCertFp; lastProcessedHexCertFp = Hex.toHexString(new byte[20]); // 40 zeros System.out.println("digesting certificates from fingerprint (exclusive)\n\t" + lastProcessedHexCertFp); PreparedStatement ps = prepareStatement(sql); PreparedStatement rawCertPs = prepareStatement(certSql); processLog.printHeader();/*from ww w . j a v a 2 s .c o m*/ String tmpSql = null; int id = 0; try { boolean interrupted = false; String hexCertFp = lastProcessedHexCertFp; while (true) { if (stopMe.get()) { interrupted = true; break; } ps.setString(1, hexCertFp); ResultSet rs = ps.executeQuery(); int countEntriesInResultSet = 0; while (rs.next()) { id++; countEntriesInResultSet++; String hexCaFp = rs.getString("cAFingerprint"); hexCertFp = rs.getString("fingerprint"); EjbcaCaInfo caInfo = null; if (!hexCaFp.equals(hexCertFp)) { caInfo = caInfos.get(hexCaFp); } if (caInfo == null) { LOG.debug("Found no CA by cAFingerprint, try to resolve by issuer"); rawCertPs.setString(1, hexCertFp); ResultSet certRs = rawCertPs.executeQuery(); if (certRs.next()) { String b64Cert = certRs.getString("base64Cert"); Certificate cert = Certificate.getInstance(Base64.decode(b64Cert)); for (EjbcaCaInfo entry : caInfos.values()) { if (entry.getSubject().equals(cert.getIssuer())) { caInfo = entry; break; } } } certRs.close(); } if (caInfo == null) { LOG.error("found no CA for Cert with fingerprint '{}'", hexCertFp); skippedAccount++; processLog.addNumProcessed(1); continue; } String hash = Base64.toBase64String(Hex.decode(hexCertFp)); String str = rs.getString("serialNumber"); BigInteger serial = new BigInteger(str); int status = rs.getInt("status"); boolean revoked = (status == EjbcaConstants.CERT_REVOKED || status == EjbcaConstants.CERT_TEMP_REVOKED); Integer revReason = null; Long revTime = null; Long revInvTime = null; if (revoked) { revReason = rs.getInt("revocationReason"); long revTimeInMs = rs.getLong("revocationDate"); // rev_time is milliseconds, convert it to seconds revTime = revTimeInMs / 1000; } DbDigestEntry cert = new DbDigestEntry(serial, revoked, revReason, revTime, revInvTime, hash); caEntryContainer.addDigestEntry(caInfo.getCaId(), id, cert); processLog.addNumProcessed(1); processLog.printStatus(); } // end while (rs.next()) rs.close(); if (countEntriesInResultSet == 0) { break; } } // end while (true) if (interrupted) { throw new InterruptedException("interrupted by the user"); } } catch (SQLException ex) { throw translate(tmpSql, ex); } finally { releaseResources(ps, null); releaseResources(rawCertPs, null); } processLog.printTrailer(); StringBuilder sb = new StringBuilder(200); sb.append(" digested ").append((processLog.getNumProcessed() - skippedAccount)).append(" certificates"); if (skippedAccount > 0) { sb.append(", ignored ").append(skippedAccount).append(" certificates (see log for details)"); } System.out.println(sb.toString()); }
From source file:org.xipki.pki.ocsp.server.impl.store.crl.CrlCertStatusStore.java
License:Open Source License
private Map<BigInteger, CertWithInfo> extractCertsFromExtCrlCertSet(final byte[] encodedExtCrlCertSet, final X500Name caName) throws OcspStoreException { Map<BigInteger, CertWithInfo> certsMap = new HashMap<>(); ASN1Set asn1Set = DERSet.getInstance(encodedExtCrlCertSet); final int n = asn1Set.size(); for (int i = 0; i < n; i++) { ASN1Encodable asn1 = asn1Set.getObjectAt(i); ASN1Sequence seq = ASN1Sequence.getInstance(asn1); BigInteger serialNumber = ASN1Integer.getInstance(seq.getObjectAt(0)).getValue(); Certificate bcCert = null; String profileName = null; final int size = seq.size(); for (int j = 1; j < size; j++) { ASN1TaggedObject taggedObj = DERTaggedObject.getInstance(seq.getObjectAt(j)); int tagNo = taggedObj.getTagNo(); switch (tagNo) { case 0: bcCert = Certificate.getInstance(taggedObj.getObject()); break; case 1: profileName = DERUTF8String.getInstance(taggedObj.getObject()).getString(); break; default: break; }/*from w w w .j a v a 2 s. c o m*/ } if (bcCert != null) { if (!caName.equals(bcCert.getIssuer())) { throw new OcspStoreException("issuer not match (serial=" + LogUtil.formatCsn(serialNumber) + ") in CRL Extension Xipki-CertSet"); } if (!serialNumber.equals(bcCert.getSerialNumber().getValue())) { throw new OcspStoreException("serialNumber not match (serial=" + LogUtil.formatCsn(serialNumber) + ") in CRL Extension Xipki-CertSet"); } } if (profileName == null) { profileName = "UNKNOWN"; } CertWithInfo entry = new CertWithInfo(serialNumber); entry.setProfileName(profileName); if (!certHashAlgos.isEmpty()) { entry.setCert(bcCert); } certsMap.put(serialNumber, entry); } return certsMap; }
From source file:org.xipki.pki.ocsp.server.impl.store.crl.CrlCertStatusStore.java
License:Open Source License
private void readCertWithInfosFromDir(final X509Certificate caCert, final String certsDirname, final Map<BigInteger, CertWithInfo> certsMap) throws CertificateEncodingException { File certsDir = new File(certsDirname); if (!certsDir.exists()) { LOG.warn("the folder " + certsDirname + " does not exist, ignore it"); return;/*from ww w . j av a 2 s . c o m*/ } if (!certsDir.isDirectory()) { LOG.warn("the path " + certsDirname + " does not point to a folder, ignore it"); return; } if (!certsDir.canRead()) { LOG.warn("the folder " + certsDirname + " must not be read, ignore it"); return; } File[] certFiles = certsDir.listFiles(new FilenameFilter() { @Override public boolean accept(final File dir, final String name) { return name.endsWith(".der") || name.endsWith(".crt"); } }); if (certFiles == null || certFiles.length == 0) { return; } X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()); byte[] issuerSki = X509Util.extractSki(caCert); final String profileName = "UNKNOWN"; final boolean needsCert = !certHashAlgos.isEmpty(); for (File certFile : certFiles) { Certificate bcCert; try { byte[] encoded = IoUtil.read(certFile); bcCert = Certificate.getInstance(encoded); } catch (IllegalArgumentException | IOException ex) { LOG.warn("could not parse certificate {}, ignore it", certFile.getPath()); continue; } BigInteger serialNumber = bcCert.getSerialNumber().getValue(); if (certsMap.containsKey(serialNumber)) { continue; } // not issued by the given issuer if (!issuer.equals(bcCert.getIssuer())) { continue; } if (issuerSki != null) { byte[] aki = null; try { aki = X509Util.extractAki(bcCert); } catch (CertificateEncodingException ex) { LogUtil.error(LOG, ex, "could not extract AuthorityKeyIdentifier"); } if (aki == null || !Arrays.equals(issuerSki, aki)) { continue; } } // end if CertWithInfo entry = new CertWithInfo(serialNumber); entry.setProfileName(profileName); if (needsCert) { entry.setCert(bcCert); } certsMap.put(serialNumber, entry); } // end for }