List of usage examples for org.bouncycastle.asn1.x509 Certificate getSubject
public X500Name getSubject()
From source file:org.opendaylight.usc.crypto.dtls.DtlsServer.java
License:Open Source License
public void notifyClientCertificate(org.bouncycastle.crypto.tls.Certificate clientCertificate) throws IOException { Certificate[] chain = clientCertificate.getCertificateList(); log.trace("Received client certificate chain of length " + chain.length); for (int i = 0; i != chain.length; i++) { Certificate entry = chain[i]; // TODO Create fingerprint based on certificate signature algorithm digest log.trace(" fingerprint:SHA-256 " + DtlsUtils.fingerprint(entry) + " (" + entry.getSubject() + ")"); }/* w ww . j ava 2 s. c o m*/ }
From source file:org.restcomm.sbc.media.dtls.DtlsSrtpServer.java
License:Open Source License
public void notifyClientCertificate(org.bouncycastle.crypto.tls.Certificate clientCertificate) throws IOException { if (LOGGER.isTraceEnabled()) { LOGGER.trace("> notifyClientCertificate(" + clientCertificate + ")"); }/* w w w .j ava 2s . c o m*/ Certificate[] chain = clientCertificate.getCertificateList(); LOGGER.info(String.format("Received client certificate chain of length %d", chain.length)); for (int i = 0; i != chain.length; i++) { Certificate entry = chain[i]; LOGGER.info(String.format("WebRTC Client certificate fingerprint:%s (%s)", TlsUtils.fingerprint(this.hashFunction, entry), entry.getSubject())); } }
From source file:org.xipki.ca.client.shell.loadtest.CALoadTestRevoke.java
License:Open Source License
public CALoadTestRevoke(final CAClient caClient, final Certificate caCert, final DataSourceWrapper caDataSource, final int maxCerts, final int n) throws Exception { ParamChecker.assertNotNull("caClient", caClient); ParamChecker.assertNotNull("caCert", caCert); ParamChecker.assertNotNull("caDataSource", caDataSource); if (n < 1) { throw new IllegalArgumentException("non-positive n " + n + " is not allowed"); }// w ww . j av a 2 s . c o m this.n = n; this.caClient = caClient; this.caDataSource = caDataSource; this.caSubject = caCert.getSubject(); this.maxCerts = maxCerts; if (caCert.getIssuer().equals(caCert.getSubject())) { this.excludeSerials.add(caCert.getSerialNumber().getPositiveValue().longValue()); } String sha1Fp = SecurityUtil.sha1sum(caCert.getEncoded()); String sql = "SELECT ID FROM CS_CA WHERE FP_CERT='" + sha1Fp + "'"; Statement stmt = caDataSource.getConnection().createStatement(); try { ResultSet rs = stmt.executeQuery(sql); if (rs.next()) { caInfoId = rs.getInt("ID"); } else { throw new Exception("CA Certificate and database configuration does not match"); } rs.close(); sql = "SELECT MIN(SERIAL) FROM CERT WHERE REVOKED=0 AND CA_ID=" + caInfoId; rs = stmt.executeQuery(sql); rs.next(); minSerial = rs.getLong(1); nextStartSerial = minSerial; sql = "SELECT MAX(SERIAL) FROM CERT WHERE REVOKED=0 AND CA_ID=" + caInfoId; rs = stmt.executeQuery(sql); rs.next(); maxSerial = rs.getLong(1); } finally { caDataSource.releaseResources(stmt, null); } }
From source file:org.xipki.ca.server.impl.publisher.OCSPStoreQueryExecutor.java
License:Open Source License
void addIssuer(final X509CertWithDBCertId issuerCert) throws CertificateEncodingException, DataAccessException { if (issuerStore.getIdForCert(issuerCert.getEncodedCert()) != null) { return;/*from w ww. j a va2s . c om*/ } String hexSha1FpCert = HashCalculator.hexHash(HashAlgoType.SHA1, issuerCert.getEncodedCert()); Certificate bcCert = Certificate.getInstance(issuerCert.getEncodedCert()); byte[] encodedName; try { encodedName = bcCert.getSubject().getEncoded("DER"); } catch (IOException e) { throw new CertificateEncodingException(e.getMessage(), e); } byte[] encodedKey = bcCert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); long maxId = dataSource.getMax(null, "ISSUER", "ID"); int id = (int) maxId + 1; final String sql = "INSERT INTO ISSUER (ID, SUBJECT, NOTBEFORE, NOTAFTER," + " SHA1_NAME, SHA1_KEY, SHA224_NAME, SHA224_KEY, SHA256_NAME, SHA256_KEY," + " SHA384_NAME, SHA384_KEY, SHA512_NAME, SHA512_KEY,SHA1_CERT, CERT)" + " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"; PreparedStatement ps = borrowPreparedStatement(sql); try { String b64Cert = Base64.toBase64String(issuerCert.getEncodedCert()); String subject = issuerCert.getSubject(); int idx = 1; ps.setInt(idx++, id); ps.setString(idx++, subject); ps.setLong(idx++, issuerCert.getCert().getNotBefore().getTime() / 1000); ps.setLong(idx++, issuerCert.getCert().getNotAfter().getTime() / 1000); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA1, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA1, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA224, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA224, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA256, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA256, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA384, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA384, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA512, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA512, encodedKey)); ps.setString(idx++, hexSha1FpCert); ps.setString(idx++, b64Cert); ps.execute(); IssuerEntry newInfo = new IssuerEntry(id, subject, hexSha1FpCert, b64Cert); issuerStore.addIdentityEntry(newInfo); } catch (SQLException e) { throw dataSource.translate(sql, e); } finally { releaseDbResources(ps, null); } }
From source file:org.xipki.commons.security.IssuerHash.java
License:Open Source License
public IssuerHash(final HashAlgoType hashAlgo, final Certificate issuerCert) throws IOException { this.hashAlgo = ParamUtil.requireNonNull("hashAlgo", hashAlgo); ParamUtil.requireNonNull("issuerCert", issuerCert); byte[] encodedName = issuerCert.getSubject().getEncoded(); byte[] encodedKey = issuerCert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); this.issuerNameHash = HashCalculator.hash(hashAlgo, encodedName); this.issuerKeyHash = HashCalculator.hash(hashAlgo, encodedKey); }
From source file:org.xipki.commons.security.shell.CertInfoCmd.java
License:Open Source License
@Override protected Object doExecute() throws Exception { Certificate cert = Certificate.getInstance(IoUtil.read(inFile)); if (serial != null && serial) { return getNumber(cert.getSerialNumber().getPositiveValue()); } else if (subject != null && subject) { return cert.getSubject().toString(); } else if (issuer != null && issuer) { return cert.getIssuer().toString(); } else if (notBefore != null && notBefore) { return toUtcTimeyyyyMMddhhmmssZ(cert.getStartDate().getDate()); } else if (notAfter != null && notAfter) { return toUtcTimeyyyyMMddhhmmssZ(cert.getEndDate().getDate()); } else if (fingerprint != null && fingerprint) { byte[] encoded = cert.getEncoded(); return HashAlgoType.getHashAlgoType(hashAlgo).hexHash(encoded); }// w w w . j av a2 s .c o m return null; }
From source file:org.xipki.dbtool.CaCertStoreDbImporter.java
License:Open Source License
private int[] do_import_cert(final PreparedStatement ps_cert, final PreparedStatement ps_rawcert, final String certsZipFile, final int minId, final File processLogFile, final int totalProcessedSum) throws IOException, JAXBException, DataAccessException, CertificateException { ZipFile zipFile = new ZipFile(new File(baseDir, certsZipFile)); ZipEntry certsXmlEntry = zipFile.getEntry("certs.xml"); CertsType certs;/*from w ww . j a va2s. c om*/ try { @SuppressWarnings("unchecked") JAXBElement<CertsType> rootElement = (JAXBElement<CertsType>) unmarshaller .unmarshal(zipFile.getInputStream(certsXmlEntry)); certs = rootElement.getValue(); } catch (JAXBException e) { try { zipFile.close(); } catch (Exception e2) { } throw XMLUtil.convert(e); } disableAutoCommit(); try { List<CertType> list = certs.getCert(); final int size = list.size(); final int n = 100; int numProcessed = 0; int numEntriesInBatch = 0; int lastSuccessfulCertId = 0; for (int i = 0; i < size; i++) { CertType cert = list.get(i); int id = cert.getId(); lastSuccessfulCertId = id; if (id < minId) { continue; } int certArt = cert.getArt() == null ? 1 : cert.getArt(); numEntriesInBatch++; String filename = cert.getCertFile(); // rawcert ZipEntry certZipEnty = zipFile.getEntry(filename); // rawcert byte[] encodedCert = IoUtil.read(zipFile.getInputStream(certZipEnty)); Certificate c; try { c = Certificate.getInstance(encodedCert); } catch (Exception e) { LOG.error("could not parse certificate in file {}", filename); LOG.debug("could not parse certificate in file " + filename, e); if (e instanceof CertificateException) { throw (CertificateException) e; } else { throw new CertificateException(e.getMessage(), e); } } byte[] encodedKey = c.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); String hexSha1FpCert = HashCalculator.hexHash(HashAlgoType.SHA1, encodedCert); // cert try { int idx = 1; ps_cert.setInt(idx++, id); ps_cert.setInt(idx++, certArt); ps_cert.setLong(idx++, cert.getLastUpdate()); ps_cert.setLong(idx++, c.getSerialNumber().getPositiveValue().longValue()); ps_cert.setString(idx++, X509Util.getRFC4519Name(c.getSubject())); ps_cert.setLong(idx++, c.getTBSCertificate().getStartDate().getDate().getTime() / 1000); ps_cert.setLong(idx++, c.getTBSCertificate().getEndDate().getDate().getTime() / 1000); setBoolean(ps_cert, idx++, cert.isRevoked()); setInt(ps_cert, idx++, cert.getRevReason()); setLong(ps_cert, idx++, cert.getRevTime()); setLong(ps_cert, idx++, cert.getRevInvTime()); setInt(ps_cert, idx++, cert.getProfileId()); setInt(ps_cert, idx++, cert.getCaId()); setInt(ps_cert, idx++, cert.getRequestorId()); setInt(ps_cert, idx++, cert.getUserId()); ps_cert.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA1, encodedKey)); String sha1FpSubject = X509Util.sha1sum_canonicalized_name(c.getSubject()); ps_cert.setString(idx++, sha1FpSubject); Extension extension = c.getTBSCertificate().getExtensions() .getExtension(Extension.basicConstraints); boolean ee = true; if (extension != null) { ASN1Encodable asn1 = extension.getParsedValue(); try { ee = BasicConstraints.getInstance(asn1).isCA() == false; } catch (Exception e) { } } ps_cert.setInt(idx++, ee ? 1 : 0); ps_cert.addBatch(); } catch (SQLException e) { throw translate(SQL_ADD_CERT, e); } try { int idx = 1; ps_rawcert.setInt(idx++, cert.getId()); ps_rawcert.setString(idx++, hexSha1FpCert); ps_rawcert.setString(idx++, Base64.toBase64String(encodedCert)); ps_rawcert.addBatch(); } catch (SQLException e) { throw translate(SQL_ADD_RAWCERT, e); } if (numEntriesInBatch > 0 && (numEntriesInBatch % n == 0 || i == size - 1)) { String sql = null; try { sql = SQL_ADD_CERT; ps_cert.executeBatch(); sql = SQL_ADD_RAWCERT; ps_rawcert.executeBatch(); sql = null; commit("(commit import cert to CA)"); } catch (SQLException e) { rollback(); throw translate(sql, e); } catch (DataAccessException e) { rollback(); throw e; } numProcessed += numEntriesInBatch; numEntriesInBatch = 0; echoToFile((totalProcessedSum + numProcessed) + ":" + lastSuccessfulCertId, processLogFile); } } return new int[] { numProcessed, lastSuccessfulCertId }; } finally { try { recoverAutoCommit(); } catch (DataAccessException e) { } zipFile.close(); } }
From source file:org.xipki.dbtool.OcspCertStoreDbImporter.java
License:Open Source License
private void import_issuer(final Issuers issuers) throws DataAccessException, CertificateException { System.out.println("importing table ISSUER"); PreparedStatement ps = prepareStatement(SQL_ADD_CAINFO); try {// w w w .j a v a2 s . c o m for (IssuerType issuer : issuers.getIssuer()) { try { String b64Cert = issuer.getCert(); byte[] encodedCert = Base64.decode(b64Cert); Certificate c; byte[] encodedName; try { c = Certificate.getInstance(encodedCert); encodedName = c.getSubject().getEncoded("DER"); } catch (Exception e) { LOG.error("could not parse certificate of issuer {}", issuer.getId()); LOG.debug("could not parse certificate of issuer " + issuer.getId(), e); if (e instanceof CertificateException) { throw (CertificateException) e; } else { throw new CertificateException(e.getMessage(), e); } } byte[] encodedKey = c.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); int idx = 1; ps.setInt(idx++, issuer.getId()); ps.setString(idx++, X509Util.getRFC4519Name(c.getSubject())); ps.setLong(idx++, c.getTBSCertificate().getStartDate().getDate().getTime() / 1000); ps.setLong(idx++, c.getTBSCertificate().getEndDate().getDate().getTime() / 1000); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA1, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA1, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA224, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA224, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA256, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA256, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA384, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA384, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA512, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA512, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA1, encodedCert)); ps.setString(idx++, b64Cert); setBoolean(ps, idx++, issuer.isRevoked()); setInt(ps, idx++, issuer.getRevReason()); setLong(ps, idx++, issuer.getRevTime()); setLong(ps, idx++, issuer.getRevInvTime()); ps.execute(); } catch (SQLException e) { System.err.println("error while importing issuer with id=" + issuer.getId()); throw translate(SQL_ADD_CAINFO, e); } catch (CertificateException e) { System.err.println("error while importing issuer with id=" + issuer.getId()); throw e; } } } finally { releaseResources(ps, null); } System.out.println(" imported table ISSUER"); }
From source file:org.xipki.dbtool.OcspCertStoreFromCaDbImporter.java
License:Open Source License
private List<Integer> import_issuer(final Cas issuers, final List<CaType> cas) throws DataAccessException, CertificateException { System.out.println("importing table ISSUER"); final String sql = OcspCertStoreDbImporter.SQL_ADD_CAINFO; PreparedStatement ps = prepareStatement(sql); List<Integer> relatedCaIds = new LinkedList<>(); try {// ww w . j ava 2 s .c o m for (CertstoreCaType issuer : issuers.getCa()) { try { String b64Cert = issuer.getCert(); byte[] encodedCert = Base64.decode(b64Cert); // retrieve the revocation information of the CA, if possible CaType ca = null; for (CaType caType : cas) { if (Arrays.equals(encodedCert, Base64.decode(caType.getCert()))) { ca = caType; break; } } if (ca == null) { continue; } relatedCaIds.add(issuer.getId()); Certificate c; byte[] encodedName; try { c = Certificate.getInstance(encodedCert); encodedName = c.getSubject().getEncoded("DER"); } catch (Exception e) { LOG.error("could not parse certificate of issuer {}", issuer.getId()); LOG.debug("could not parse certificate of issuer " + issuer.getId(), e); if (e instanceof CertificateException) { throw (CertificateException) e; } else { throw new CertificateException(e.getMessage(), e); } } byte[] encodedKey = c.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); int idx = 1; ps.setInt(idx++, issuer.getId()); ps.setString(idx++, X509Util.getRFC4519Name(c.getSubject())); ps.setLong(idx++, c.getTBSCertificate().getStartDate().getDate().getTime() / 1000); ps.setLong(idx++, c.getTBSCertificate().getEndDate().getDate().getTime() / 1000); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA1, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA1, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA224, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA224, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA256, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA256, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA384, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA384, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA512, encodedName)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA512, encodedKey)); ps.setString(idx++, HashCalculator.hexHash(HashAlgoType.SHA1, encodedCert)); ps.setString(idx++, b64Cert); setBoolean(ps, idx++, ca.isRevoked()); setInt(ps, idx++, ca.getRevReason()); setLong(ps, idx++, ca.getRevTime()); setLong(ps, idx++, ca.getRevInvTime()); ps.execute(); } catch (SQLException e) { System.err.println("error while importing issuer with id=" + issuer.getId()); throw translate(sql, e); } catch (CertificateException e) { System.err.println("error while importing issuer with id=" + issuer.getId()); throw e; } } } finally { releaseResources(ps, null); } System.out.println(" imported table ISSUER"); return relatedCaIds; }
From source file:org.xipki.ocsp.server.impl.certstore.CrlCertStatusStore.java
License:Open Source License
private synchronized void initializeStore(final boolean force) { Boolean updateCRLSuccessfull = null; try {//from ww w. j av a 2s . c o m File fullCrlFile = new File(crlFilename); if (fullCrlFile.exists() == false) { // file does not exist LOG.warn("CRL File {} does not exist", crlFilename); return; } long newLastModifed = fullCrlFile.lastModified(); boolean deltaCrlExists; File deltaCrlFile = null; if (deltaCrlFilename != null) { deltaCrlFile = new File(deltaCrlFilename); deltaCrlExists = deltaCrlFile.exists(); } else { deltaCrlExists = false; } long newLastModifedOfDeltaCrl = deltaCrlExists ? deltaCrlFile.lastModified() : 0; if (force == false) { long now = System.currentTimeMillis(); if (newLastModifed != lastmodifiedOfCrlFile) { if (now - newLastModifed < 5000) { return; // still in copy process } } if (deltaCrlExists) { if (newLastModifedOfDeltaCrl != lastModifiedOfDeltaCrlFile) { if (now - newLastModifed < 5000) { return; // still in copy process } } } } // end if(force) byte[] newFp = sha1Fp(fullCrlFile); boolean crlFileChanged = Arrays.equals(newFp, fpOfCrlFile) == false; if (crlFileChanged == false) { auditLogPCIEvent(AuditLevel.INFO, "UPDATE_CERTSTORE", "current CRL is still up-to-date"); return; } byte[] newFpOfDeltaCrl = deltaCrlExists ? sha1Fp(deltaCrlFile) : null; boolean deltaCrlFileChanged = Arrays.equals(newFpOfDeltaCrl, fpOfDeltaCrlFile) == false; if (crlFileChanged == false && deltaCrlFileChanged == false) { return; } if (crlFileChanged) { LOG.info("CRL file {} has changed, updating of the CertStore required", crlFilename); } if (deltaCrlFileChanged) { LOG.info("DeltaCRL file {} has changed, updating of the CertStore required", deltaCrlFilename); } auditLogPCIEvent(AuditLevel.INFO, "UPDATE_CERTSTORE", "a newer version of CRL is available"); updateCRLSuccessfull = false; X509CRL crl = X509Util.parseCRL(crlFilename); BigInteger crlNumber; { byte[] octetString = crl.getExtensionValue(Extension.cRLNumber.getId()); if (octetString != null) { byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); crlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); } else { crlNumber = null; } } X500Principal issuer = crl.getIssuerX500Principal(); boolean caAsCrlIssuer = true; if (caCert.getSubjectX500Principal().equals(issuer) == false) { caAsCrlIssuer = false; if (issuerCert == null) { throw new IllegalArgumentException("issuerCert could not be null"); } if (issuerCert.getSubjectX500Principal().equals(issuer) == false) { throw new IllegalArgumentException("The issuerCert and CRL do not match"); } } X509Certificate crlSignerCert = caAsCrlIssuer ? caCert : issuerCert; try { crl.verify(crlSignerCert.getPublicKey()); } catch (Exception e) { throw new CertStatusStoreException(e.getMessage(), e); } X509CRL deltaCrl = null; BigInteger deltaCrlNumber = null; BigInteger baseCrlNumber = null; if (deltaCrlExists) { if (crlNumber == null) { throw new CertStatusStoreException("baseCRL does not contains CRLNumber"); } deltaCrl = X509Util.parseCRL(deltaCrlFilename); byte[] octetString = deltaCrl.getExtensionValue(Extension.deltaCRLIndicator.getId()); if (octetString == null) { deltaCrl = null; LOG.warn("{} is a full CRL instead of delta CRL, ignore it", deltaCrlFilename); } else { byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); if (baseCrlNumber.equals(crlNumber) == false) { deltaCrl = null; LOG.info("{} is not a deltaCRL for the CRL {}, ignore it", deltaCrlFilename, crlFilename); } else { octetString = deltaCrl.getExtensionValue(Extension.cRLNumber.getId()); extnValue = DEROctetString.getInstance(octetString).getOctets(); deltaCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); } } } if (crlFileChanged == false && deltaCrl == null) { return; } Date newThisUpdate; Date newNextUpdate; if (deltaCrl != null) { LOG.info("try to update CRL with CRLNumber={} and DeltaCRL with CRLNumber={}", crlNumber, deltaCrlNumber); newThisUpdate = deltaCrl.getThisUpdate(); newNextUpdate = deltaCrl.getNextUpdate(); } else { newThisUpdate = crl.getThisUpdate(); newNextUpdate = crl.getNextUpdate(); } // Construct CrlID ASN1EncodableVector v = new ASN1EncodableVector(); if (StringUtil.isNotBlank(crlUrl)) { v.add(new DERTaggedObject(true, 0, new DERIA5String(crlUrl, true))); } byte[] extValue = (deltaCrlExists ? deltaCrl : crl).getExtensionValue(Extension.cRLNumber.getId()); if (extValue != null) { ASN1Integer asn1CrlNumber = ASN1Integer.getInstance(removeTagAndLenFromExtensionValue(extValue)); v.add(new DERTaggedObject(true, 1, asn1CrlNumber)); } v.add(new DERTaggedObject(true, 2, new DERGeneralizedTime(newThisUpdate))); this.crlID = CrlID.getInstance(new DERSequence(v)); byte[] encodedCaCert; try { encodedCaCert = caCert.getEncoded(); } catch (CertificateEncodingException e) { throw new CertStatusStoreException(e.getMessage(), e); } Certificate bcCaCert = Certificate.getInstance(encodedCaCert); byte[] encodedName; try { encodedName = bcCaCert.getSubject().getEncoded("DER"); } catch (IOException e) { throw new CertStatusStoreException(e.getMessage(), e); } byte[] encodedKey = bcCaCert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); Map<HashAlgoType, IssuerHashNameAndKey> newIssuerHashMap = new ConcurrentHashMap<>(); for (HashAlgoType hashAlgo : HashAlgoType.values()) { byte[] issuerNameHash = HashCalculator.hash(hashAlgo, encodedName); byte[] issuerKeyHash = HashCalculator.hash(hashAlgo, encodedKey); IssuerHashNameAndKey issuerHash = new IssuerHashNameAndKey(hashAlgo, issuerNameHash, issuerKeyHash); newIssuerHashMap.put(hashAlgo, issuerHash); } X500Name caName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()); // extract the certificate, only in full CRL, not in delta CRL boolean certsIncluded = false; Set<CertWithInfo> certs = new HashSet<>(); String oidExtnCerts = ObjectIdentifiers.id_xipki_ext_crlCertset.getId(); byte[] extnValue = crl.getExtensionValue(oidExtnCerts); if (extnValue == null) { // try the legacy OID extnValue = crl.getExtensionValue("1.3.6.1.4.1.12655.100"); } if (extnValue != null) { extnValue = removeTagAndLenFromExtensionValue(extnValue); certsIncluded = true; ASN1Set asn1Set = DERSet.getInstance(extnValue); int n = asn1Set.size(); for (int i = 0; i < n; i++) { ASN1Encodable asn1 = asn1Set.getObjectAt(i); Certificate bcCert; String profileName = null; try { ASN1Sequence seq = ASN1Sequence.getInstance(asn1); bcCert = Certificate.getInstance(seq.getObjectAt(0)); if (seq.size() > 1) { profileName = DERUTF8String.getInstance(seq.getObjectAt(1)).getString(); } } catch (IllegalArgumentException e) { // backwards compatibility bcCert = Certificate.getInstance(asn1); } if (caName.equals(bcCert.getIssuer()) == false) { throw new CertStatusStoreException("invalid entry in CRL Extension certs"); } if (profileName == null) { profileName = "UNKNOWN"; } certs.add(new CertWithInfo(bcCert, profileName)); } } if (certsDirname != null) { if (extnValue != null) { LOG.warn("ignore certsDir '{}', since certificates are included in CRL Extension certs", certsDirname); } else { certsIncluded = true; Set<CertWithInfo> tmpCerts = readCertWithInfosFromDir(caCert, certsDirname); certs.addAll(tmpCerts); } } Map<BigInteger, CrlCertStatusInfo> newCertStatusInfoMap = new ConcurrentHashMap<>(); // First consider only full CRL Set<? extends X509CRLEntry> revokedCertListInFullCRL = crl.getRevokedCertificates(); if (revokedCertListInFullCRL != null) { for (X509CRLEntry revokedCert : revokedCertListInFullCRL) { X500Principal thisIssuer = revokedCert.getCertificateIssuer(); if (thisIssuer != null && caCert.getSubjectX500Principal().equals(thisIssuer) == false) { throw new CertStatusStoreException("invalid CRLEntry"); } } } Set<? extends X509CRLEntry> revokedCertListInDeltaCRL = null; if (deltaCrl != null) { revokedCertListInDeltaCRL = deltaCrl.getRevokedCertificates(); if (revokedCertListInDeltaCRL != null) { for (X509CRLEntry revokedCert : revokedCertListInDeltaCRL) { X500Principal thisIssuer = revokedCert.getCertificateIssuer(); if (thisIssuer != null && caCert.getSubjectX500Principal().equals(thisIssuer) == false) { throw new CertStatusStoreException("invalid CRLEntry"); } } } } Map<BigInteger, X509CRLEntry> revokedCertMap = null; // merge the revoked list if (CollectionUtil.isNotEmpty(revokedCertListInDeltaCRL)) { revokedCertMap = new HashMap<BigInteger, X509CRLEntry>(); for (X509CRLEntry entry : revokedCertListInFullCRL) { revokedCertMap.put(entry.getSerialNumber(), entry); } for (X509CRLEntry entry : revokedCertListInDeltaCRL) { BigInteger serialNumber = entry.getSerialNumber(); java.security.cert.CRLReason reason = entry.getRevocationReason(); if (reason == java.security.cert.CRLReason.REMOVE_FROM_CRL) { revokedCertMap.remove(serialNumber); } else { revokedCertMap.put(serialNumber, entry); } } } Iterator<? extends X509CRLEntry> it = null; if (revokedCertMap != null) { it = revokedCertMap.values().iterator(); } else if (revokedCertListInFullCRL != null) { it = revokedCertListInFullCRL.iterator(); } if (it != null) { while (it.hasNext()) { X509CRLEntry revokedCert = it.next(); BigInteger serialNumber = revokedCert.getSerialNumber(); byte[] encodedExtnValue = revokedCert.getExtensionValue(Extension.reasonCode.getId()); int reasonCode; if (encodedExtnValue != null) { ASN1Enumerated enumerated = ASN1Enumerated .getInstance(removeTagAndLenFromExtensionValue(encodedExtnValue)); reasonCode = enumerated.getValue().intValue(); } else { reasonCode = CRLReason.UNSPECIFIED.getCode(); } Date revTime = revokedCert.getRevocationDate(); Date invalidityTime = null; extnValue = revokedCert.getExtensionValue(Extension.invalidityDate.getId()); if (extnValue != null) { extnValue = removeTagAndLenFromExtensionValue(extnValue); ASN1GeneralizedTime gTime = DERGeneralizedTime.getInstance(extnValue); try { invalidityTime = gTime.getDate(); } catch (ParseException e) { throw new CertStatusStoreException(e.getMessage(), e); } if (revTime.equals(invalidityTime)) { invalidityTime = null; } } CertWithInfo cert = null; if (certsIncluded) { for (CertWithInfo bcCert : certs) { if (bcCert.cert.getIssuer().equals(caName) && bcCert.cert.getSerialNumber().getPositiveValue().equals(serialNumber)) { cert = bcCert; break; } } if (cert == null) { LOG.info("could not find certificate (issuer = '{}', serialNumber = '{}'", X509Util.getRFC4519Name(caName), serialNumber); } else { certs.remove(cert); } } Map<HashAlgoType, byte[]> certHashes = (cert == null) ? null : getCertHashes(cert.cert); CertRevocationInfo revocationInfo = new CertRevocationInfo(reasonCode, revTime, invalidityTime); CrlCertStatusInfo crlCertStatusInfo = CrlCertStatusInfo.getRevokedCertStatusInfo(revocationInfo, (cert == null) ? null : cert.profileName, certHashes); newCertStatusInfoMap.put(serialNumber, crlCertStatusInfo); } // end while(it.hasNext()) } // end if(it) for (CertWithInfo cert : certs) { Map<HashAlgoType, byte[]> certHashes = getCertHashes(cert.cert); CrlCertStatusInfo crlCertStatusInfo = CrlCertStatusInfo.getGoodCertStatusInfo(cert.profileName, certHashes); newCertStatusInfoMap.put(cert.cert.getSerialNumber().getPositiveValue(), crlCertStatusInfo); } this.initialized = false; this.lastmodifiedOfCrlFile = newLastModifed; this.fpOfCrlFile = newFp; this.lastModifiedOfDeltaCrlFile = newLastModifedOfDeltaCrl; this.fpOfDeltaCrlFile = newFpOfDeltaCrl; this.issuerHashMap.clear(); this.issuerHashMap.putAll(newIssuerHashMap); this.certStatusInfoMap.clear(); this.certStatusInfoMap.putAll(newCertStatusInfoMap); this.thisUpdate = newThisUpdate; this.nextUpdate = newNextUpdate; this.initializationFailed = false; this.initialized = true; updateCRLSuccessfull = true; LOG.info("updated CertStore {}", getName()); } catch (Exception e) { final String message = "could not execute initializeStore()"; if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage()); } LOG.debug(message, e); initializationFailed = true; initialized = true; } finally { if (updateCRLSuccessfull != null) { AuditLevel auditLevel; AuditStatus auditStatus; String eventType = "UPDATE_CRL"; if (updateCRLSuccessfull) { auditLevel = AuditLevel.INFO; auditStatus = AuditStatus.FAILED; } else { auditLevel = AuditLevel.ERROR; auditStatus = AuditStatus.SUCCESSFUL; } auditLogPCIEvent(auditLevel, eventType, auditStatus.name()); } } }