List of usage examples for org.bouncycastle.asn1.x509 CRLNumber CRLNumber
public CRLNumber(BigInteger number)
From source file:be.fedict.trust.test.PKITestUtils.java
License:Open Source License
public static X509CRL generateCrl(PrivateKey issuerPrivateKey, X509Certificate issuerCertificate, DateTime thisUpdate, DateTime nextUpdate, List<String> deltaCrlUris, boolean deltaCrl, List<RevokedCertificate> revokedCertificates, String signatureAlgorithm, long numberOfRevokedCertificates) throws InvalidKeyException, CRLException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException, IOException, OperatorCreationException { X500Name issuerName = new X500Name(issuerCertificate.getSubjectX500Principal().toString()); X509v2CRLBuilder x509v2crlBuilder = new X509v2CRLBuilder(issuerName, thisUpdate.toDate()); x509v2crlBuilder.setNextUpdate(nextUpdate.toDate()); for (RevokedCertificate revokedCertificate : revokedCertificates) { x509v2crlBuilder.addCRLEntry(revokedCertificate.serialNumber, revokedCertificate.revocationDate.toDate(), CRLReason.privilegeWithdrawn); }//www . j av a 2s .c o m if (-1 != numberOfRevokedCertificates) { SecureRandom secureRandom = new SecureRandom(); while (numberOfRevokedCertificates-- > 0) { BigInteger serialNumber = new BigInteger(128, secureRandom); Date revocationDate = new Date(); x509v2crlBuilder.addCRLEntry(serialNumber, revocationDate, CRLReason.privilegeWithdrawn); } } JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils(); x509v2crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerCertificate)); x509v2crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.ONE)); if (null != deltaCrlUris && !deltaCrlUris.isEmpty()) { DistributionPoint[] deltaCrlDps = new DistributionPoint[deltaCrlUris.size()]; for (int i = 0; i < deltaCrlUris.size(); i++) { deltaCrlDps[i] = getDistributionPoint(deltaCrlUris.get(i)); } CRLDistPoint crlDistPoint = new CRLDistPoint((DistributionPoint[]) deltaCrlDps); x509v2crlBuilder.addExtension(Extension.freshestCRL, false, crlDistPoint); } if (deltaCrl) { x509v2crlBuilder.addExtension(Extension.deltaCRLIndicator, true, new CRLNumber(BigInteger.ONE)); } AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithm); AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); AsymmetricKeyParameter asymmetricKeyParameter = PrivateKeyFactory.createKey(issuerPrivateKey.getEncoded()); ContentSigner contentSigner = new BcRSAContentSignerBuilder(sigAlgId, digAlgId) .build(asymmetricKeyParameter); X509CRLHolder x509crlHolder = x509v2crlBuilder.build(contentSigner); byte[] crlValue = x509crlHolder.getEncoded(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509CRL crl = (X509CRL) certificateFactory.generateCRL(new ByteArrayInputStream(crlValue)); return crl; }
From source file:chapter7.X509CRLExample.java
/** * * @param caCert// w ww .ja v a 2 s .c o m * @param caKey * @param revokedSerialNumber * @return * @throws java.lang.Exception */ public static X509CRL createCRL(final X509Certificate caCert, final PrivateKey caKey, final BigInteger revokedSerialNumber) throws Exception { X509V2CRLGenerator crlGen = new X509V2CRLGenerator(); Date now = new Date(); crlGen.setIssuerDN(caCert.getSubjectX500Principal()); crlGen.setThisUpdate(now); crlGen.setNextUpdate(new Date(now.getTime() + 100000)); crlGen.setSignatureAlgorithm(CryptoDefs.Algorithm.SHA256withRSAEncryption.getName()); crlGen.addCRLEntry(revokedSerialNumber, now, CRLReason.PRIVILEGE_WITHDRAWN.ordinal()); crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); crlGen.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.valueOf(1))); return crlGen.generateX509CRL(caKey, CryptoDefs.Provider.BC.getName()); }
From source file:cybervillains.ca.Generator.java
License:Open Source License
public static void main(String[] args) { File newCertsDir = new File(NEW_CERTS_DIR_NAME); newCertsDir.mkdirs();//from w ww .j a va 2s . c o m // Create a new, blank KeyStore Manager KeyStoreManager mgr = new KeyStoreManager(newCertsDir, "blank_crl.pem"); X509V2CRLGenerator crlGen = new X509V2CRLGenerator(); Date now = new Date(); X509Certificate caCrlCert = null; try { caCrlCert = mgr.getSigningCert(); PrivateKey caCrlPrivateKey = mgr.getSigningPrivateKey(); crlGen.setIssuerDN(mgr.getSigningCert().getSubjectX500Principal()); crlGen.setThisUpdate(now); crlGen.setNextUpdate(mgr.getSigningCert().getNotAfter()); crlGen.setSignatureAlgorithm(mgr.getSigningCert().getSigAlgName()); crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCrlCert)); crlGen.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.ONE)); X509CRL crl = crlGen.generate(caCrlPrivateKey); // You have to manually convert this file to it's PEM equivalent using OpenSSL: // > openssl crl -inform der -in blank_crl.dec -out blank_crl.pem // Save the Certificate in Binary (DEC) format File certRevoc = new File(newCertsDir, "blank_crl.dec"); FileOutputStream cerOut = new FileOutputStream(certRevoc); byte[] buf = crl.getEncoded(); cerOut.write(buf); cerOut.flush(); cerOut.close(); // Convert the generated DEC to PEM using OpenSSL Process p = Runtime.getRuntime().exec(OPENSSL_CMD_DEC_TO_PEM); p.waitFor(); } catch (KeyStoreException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } catch (CertificateParsingException e) { e.printStackTrace(); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (UnrecoverableKeyException e) { e.printStackTrace(); } catch (InvalidKeyException e) { e.printStackTrace(); } catch (SignatureException e) { e.printStackTrace(); } catch (CRLException e) { e.printStackTrace(); } catch (InterruptedException e) { e.printStackTrace(); } }
From source file:de.carne.certmgr.store.provider.bouncycastle.BouncyCastleStoreProvider.java
License:Open Source License
@Override public X509CRL generateAndSignCRL(X509CRL currentCRL, X509CRLParams crlParams, Map<BigInteger, RevokeReason> revokeSerials, KeyPair issuerKey, X509Certificate issuerCRT) throws IOException, GeneralSecurityException { Date lastUpdate = Date .from(crlParams.getLastUpdate().atStartOfDay().atZone(ZoneId.systemDefault()).toInstant()); JcaX509v2CRLBuilder crlBuilder = new JcaX509v2CRLBuilder(issuerCRT.getSubjectX500Principal(), lastUpdate); LocalDate nextUpdateParam = crlParams.getNextUpdate(); if (nextUpdateParam != null) { crlBuilder.setNextUpdate(// ww w. j ava 2s .com Date.from(nextUpdateParam.atStartOfDay().atZone(ZoneId.systemDefault()).toInstant())); } CRLNumber crlNumber; if (currentCRL != null) { X509CRLHolder crlHolder = new X509CRLHolder(currentCRL.getEncoded()); ASN1Integer currentSerial = (ASN1Integer) crlHolder.getExtension(Extension.cRLNumber).getParsedValue(); crlNumber = new CRLNumber(currentSerial.getValue().add(BigInteger.ONE)); } else { crlNumber = new CRLNumber(BigInteger.ONE); } for (Map.Entry<BigInteger, RevokeReason> revokeListEntry : revokeSerials.entrySet()) { crlBuilder.addCRLEntry(revokeListEntry.getKey(), lastUpdate, revokeListEntry.getValue().value()); } JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils(); crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerCRT.getPublicKey())); crlBuilder.addExtension(Extension.cRLNumber, false, crlNumber); ContentSigner crlSigner; try { crlSigner = new JcaContentSignerBuilder(crlParams.getSigAlg()).build(issuerKey.getPrivate()); } catch (OperatorCreationException e) { throw new StoreProviderException(e.getMessage(), e); } return new JcaX509CRLConverter().getCRL(crlBuilder.build(crlSigner)); }
From source file:io.aos.crypto.spl07.X509CRLExample.java
License:Apache License
public static X509CRL createCRL(X509Certificate caCert, PrivateKey caKey, BigInteger revokedSerialNumber) throws Exception { X509V2CRLGenerator crlGen = new X509V2CRLGenerator(); Date now = new Date(); crlGen.setIssuerDN(caCert.getSubjectX500Principal()); crlGen.setThisUpdate(now);//from ww w . j a va 2 s . c o m crlGen.setNextUpdate(new Date(now.getTime() + 100000)); crlGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); crlGen.addCRLEntry(revokedSerialNumber, now, CRLReason.privilegeWithdrawn); crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); crlGen.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.valueOf(1))); return crlGen.generateX509CRL(caKey, "BC"); }
From source file:net.ripe.rpki.commons.crypto.crl.X509CrlBuilder.java
License:BSD License
public X509CrlBuilder withNumber(BigInteger number) { this.crlNumber = new CRLNumber(number); return this; }
From source file:org.apache.hadoop.security.ssl.KeyStoreTestUtil.java
License:Apache License
public static X509CRL generateCRL(X509Certificate caCert, PrivateKey caPrivateKey, String signAlgorith, X509CRL existingCRL, BigInteger serialNumberToRevoke) throws GeneralSecurityException { LocalDate currentTime = LocalDate.now(); Date nowDate = Date.from(currentTime.atStartOfDay(ZoneId.systemDefault()).toInstant()); LocalDate nextUpdate = currentTime.plus(1, ChronoUnit.WEEKS); Date nextUpdateDate = Date.from(nextUpdate.atStartOfDay(ZoneId.systemDefault()).toInstant()); X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(new X500Name(caCert.getSubjectX500Principal().getName()), nowDate);//from w w w . j a va 2 s .co m crlBuilder.setNextUpdate(nextUpdateDate); if (existingCRL != null) { crlBuilder.addCRL(new JcaX509CRLHolder(existingCRL)); } if (serialNumberToRevoke != null) { crlBuilder.addCRLEntry(serialNumberToRevoke, nowDate, CRLReason.privilegeWithdrawn); } JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); try { crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.ONE)); X509CRLHolder crlHolder = crlBuilder .build(new JcaContentSignerBuilder(signAlgorith).setProvider("BC").build(caPrivateKey)); return new JcaX509CRLConverter().setProvider("BC").getCRL(crlHolder); } catch (CertIOException | OperatorCreationException ex) { throw new GeneralSecurityException(ex); } }
From source file:org.apache.poi.poifs.crypt.PkiTestUtils.java
License:Apache License
public static X509CRL generateCrl(X509Certificate issuer, PrivateKey issuerPrivateKey) throws CertificateEncodingException, IOException, CRLException, OperatorCreationException { X509CertificateHolder holder = new X509CertificateHolder(issuer.getEncoded()); X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(holder.getIssuer(), new Date()); crlBuilder.setNextUpdate(new Date(new Date().getTime() + 100000)); JcaContentSignerBuilder contentBuilder = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC"); CRLNumber crlNumber = new CRLNumber(new BigInteger("1234")); crlBuilder.addExtension(Extension.cRLNumber, false, crlNumber); X509CRLHolder x509Crl = crlBuilder.build(contentBuilder.build(issuerPrivateKey)); return new JcaX509CRLConverter().setProvider("BC").getCRL(x509Crl); }
From source file:org.apache.synapse.transport.certificatevalidation.CRLVerifierTest.java
License:Apache License
/** * Creates a fake CRL for the fake CA. The fake certificate with the given revokedSerialNumber will be marked * as Revoked in the returned CRL.//from ww w . j a v a 2s . com * @param caCert the fake CA certificate. * @param caPrivateKey private key of the fake CA. * @param revokedSerialNumber the serial number of the fake peer certificate made to be marked as revoked. * @return the created fake CRL * @throws Exception */ public static X509CRL createCRL(X509Certificate caCert, PrivateKey caPrivateKey, BigInteger revokedSerialNumber) throws Exception { X509V2CRLGenerator crlGen = new X509V2CRLGenerator(); Date now = new Date(); crlGen.setIssuerDN(caCert.getSubjectX500Principal()); crlGen.setThisUpdate(now); crlGen.setNextUpdate(new Date(now.getTime() + TestConstants.NEXT_UPDATE_PERIOD)); crlGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); crlGen.addCRLEntry(revokedSerialNumber, now, CRLReason.privilegeWithdrawn); crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); crlGen.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.valueOf(1))); return crlGen.generateX509CRL(caPrivateKey, "BC"); }
From source file:org.apache.zookeeper.server.quorum.QuorumSSLTest.java
License:Apache License
private void buildCRL(X509Certificate x509Certificate, String crlPath) throws Exception { X509v2CRLBuilder builder = new JcaX509v2CRLBuilder(x509Certificate.getIssuerX500Principal(), certStartTime); builder.addCRLEntry(x509Certificate.getSerialNumber(), certStartTime, CRLReason.cACompromise); builder.setNextUpdate(certEndTime);// www . jav a 2s. com builder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(rootCertificate)); builder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("1000"))); X509CRLHolder cRLHolder = builder.build(contentSigner); PemWriter pemWriter = new PemWriter(new FileWriter(crlPath)); pemWriter.writeObject(new MiscPEMGenerator(cRLHolder)); pemWriter.flush(); pemWriter.close(); }