List of usage examples for org.bouncycastle.asn1.x509 CRLReason removeFromCRL
int removeFromCRL
To view the source code for org.bouncycastle.asn1.x509 CRLReason removeFromCRL.
Click Source Link
From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.java
License:Open Source License
/** * Checks a distribution point for revocation information for the * certificate <code>cert</code>. * //from w ww .ja v a 2 s . c o m * @param dp The distribution point to consider. * @param paramsPKIX PKIX parameters. * @param cert Certificate to check if it is revoked. * @param validDate The date when the certificate revocation status * should be checked. * @param defaultCRLSignCert The issuer certificate of the certificate * <code>cert</code>. * @param defaultCRLSignKey The public key of the issuer certificate * <code>defaultCRLSignCert</code>. * @param certStatus The current certificate revocation status. * @param reasonMask The reasons mask which is already checked. * @param certPathCerts The certificates of the certification path. * @throws AnnotatedException if the certificate is revoked or the * status cannot be checked or some error occurs. */ private static void checkCRL(DistributionPoint dp, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, CertStatus certStatus, ReasonsMask reasonMask, List<?> certPathCerts) throws SimpleValidationErrorException { Date currentDate = new Date(System.currentTimeMillis()); if (validDate.getTime() > currentDate.getTime()) { throw new IllegalArgumentException("CRL validation time is in future: " + validDate); } // (a) /* * We always get timely valid CRLs, so there is no step (a) (1). * "locally cached" CRLs are assumed to be in getStore(), * additional CRLs must be enabled in the ExtendedPKIXParameters * and are in getAdditionalStore() */ Set<?> crls = CertPathValidatorUtilities.getCompleteCRLs2(dp, cert, currentDate, paramsPKIX); boolean validCrlFound = false; SimpleValidationErrorException lastException = null; Iterator<?> crl_iter = crls.iterator(); while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) { try { X509CRL crl = (X509CRL) crl_iter.next(); // (d) ReasonsMask interimReasonsMask = processCRLD2(crl, dp); // (e) /* * The reasons mask is updated at the end, so * only valid CRLs can update it. If this CRL * does not contain new reasons it must be * ignored. */ if (!interimReasonsMask.hasNewReasons(reasonMask)) { continue; } // (f) Set<?> keys = processCRLF2(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts); // (g) PublicKey key = processCRLG2(crl, keys); X509CRL deltaCRL = null; if (paramsPKIX.isUseDeltasEnabled()) { // get delta CRLs Set<?> deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs2(currentDate, paramsPKIX, crl); // we only want one valid delta CRL // (h) deltaCRL = processCRLH2(deltaCRLs, key); } /* * CRL must be be valid at the current time, not * the validation time. If a certificate is * revoked with reason keyCompromise, * cACompromise, it can be used for forgery, * also for the past. This reason may not be * contained in older CRLs. */ /* * in the chain model signatures stay valid also * after the certificate has been expired, so * they do not have to be in the CRL validity * time */ if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) { /* * if a certificate has expired, but was * revoked, it is not more in the CRL, * so it would be regarded as valid if * the first check is not done */ if (cert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) { throw new SimpleValidationErrorException(ValidationErrorCode.noValidCrlFound); } } processCRLB1_2(dp, cert, crl); // (b) (2) processCRLB2_2(dp, cert, crl); // (c) processCRLC2(deltaCRL, crl, paramsPKIX); // (i) processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX); // (j) processCRLJ(validDate, crl, cert, certStatus); // (k) if (certStatus.getCertStatus() == CRLReason.removeFromCRL) { certStatus.setCertStatus(CertStatus.UNREVOKED); } // update reasons mask reasonMask.addReasons(interimReasonsMask); Set<?> criticalExtensions = crl.getCriticalExtensionOIDs(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId()); criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId()); if (!criticalExtensions.isEmpty()) { throw new SimpleValidationErrorException(ValidationErrorCode.crlUnknownCritExt, criticalExtensions.iterator().next()); } } if (deltaCRL != null) { criticalExtensions = deltaCRL.getCriticalExtensionOIDs(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId()); criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId()); if (!criticalExtensions.isEmpty()) { throw new SimpleValidationErrorException(ValidationErrorCode.crlUnknownCritExt, criticalExtensions.iterator().next()); } } } validCrlFound = true; } catch (SimpleValidationErrorException e) { lastException = e; } } if (!validCrlFound) { throw lastException; } }
From source file:net.maritimecloud.identityregistry.utils.CertificateUtil.java
License:Apache License
public int getCRLReasonFromString(String certReason) { int reason = CRLReason.unspecified; if ("unspecified".equals(certReason)) { reason = CRLReason.unspecified; } else if ("keycompromise".equals(certReason)) { reason = CRLReason.keyCompromise; } else if ("cacompromise".equals(certReason)) { reason = CRLReason.cACompromise; } else if ("affiliationchanged".equals(certReason)) { reason = CRLReason.affiliationChanged; } else if ("superseded".equals(certReason)) { reason = CRLReason.superseded; } else if ("cessationofoperation".equals(certReason)) { reason = CRLReason.cessationOfOperation; } else if ("certificateHold".equals(certReason)) { reason = CRLReason.certificateHold; } else if ("removefromcrl".equals(certReason)) { reason = CRLReason.removeFromCRL; } else if ("privilegewithdrawn".equals(certReason)) { reason = CRLReason.privilegeWithdrawn; } else if ("aacompromise".equals(certReason)) { reason = CRLReason.aACompromise; }// w w w. j a va 2s . c o m return reason; }
From source file:net.maritimecloud.pki.Revocation.java
License:Apache License
/** * Returns the int value associated with a revocation status * * @param certReason The string representation of the status. Should be lowercase with no spaces or underscore * @return The int value associated with the revocation status *///w w w. j a v a 2 s .co m public static int getCRLReasonFromString(String certReason) { int reason = CRLReason.unspecified; if ("unspecified".equals(certReason)) { reason = CRLReason.unspecified; } else if ("keycompromise".equals(certReason)) { reason = CRLReason.keyCompromise; } else if ("cacompromise".equals(certReason)) { reason = CRLReason.cACompromise; } else if ("affiliationchanged".equals(certReason)) { reason = CRLReason.affiliationChanged; } else if ("superseded".equals(certReason)) { reason = CRLReason.superseded; } else if ("cessationofoperation".equals(certReason)) { reason = CRLReason.cessationOfOperation; } else if ("certificatehold".equals(certReason)) { reason = CRLReason.certificateHold; } else if ("removefromcrl".equals(certReason)) { reason = CRLReason.removeFromCRL; } else if ("privilegewithdrawn".equals(certReason)) { reason = CRLReason.privilegeWithdrawn; } else if ("aacompromise".equals(certReason)) { reason = CRLReason.aACompromise; } return reason; }
From source file:net.sf.keystore_explorer.crypto.x509.X509Ext.java
License:Open Source License
private String getReasonCodeStringValue(byte[] value) throws IOException { // @formatter:off /*//from ww w .j a va2s .c o m * ReasonCode ::= { CRLReason } * * CRLReason ::= ASN1Enumerated { unspecified (0), keyCompromise (1), * cACompromise (2), affiliationChanged (3), superseded (4), * cessationOfOperation (5), certificateHold (6), removeFromCRL (8), * privilegeWithdrawn (9), aACompromise (10) } */ // @formatter:on StringBuilder sb = new StringBuilder(); CRLReason crlReason = CRLReason.getInstance(value); long crlReasonLong = crlReason.getValue().longValue(); if (crlReasonLong == CRLReason.unspecified) { sb.append(res.getString("UnspecifiedCrlReason")); } else if (crlReasonLong == CRLReason.keyCompromise) { sb.append(res.getString("KeyCompromiseCrlReason")); } else if (crlReasonLong == CRLReason.cACompromise) { sb.append(res.getString("CaCompromiseCrlReason")); } else if (crlReasonLong == CRLReason.affiliationChanged) { sb.append(res.getString("AffiliationChangedCrlReason")); } else if (crlReasonLong == CRLReason.superseded) { sb.append(res.getString("SupersededCrlReason")); } else if (crlReasonLong == CRLReason.cessationOfOperation) { sb.append(res.getString("CessationOfOperationCrlReason")); } else if (crlReasonLong == CRLReason.certificateHold) { sb.append(res.getString("CertificateHoldCrlReason")); } else if (crlReasonLong == CRLReason.removeFromCRL) { sb.append(res.getString("RemoveFromCrlCrlReason")); } else if (crlReasonLong == CRLReason.privilegeWithdrawn) { sb.append(res.getString("PrivilegeWithdrawnCrlReason")); } else // CRLReason.aACompromise { sb.append(res.getString("AaCompromiseCrlReason")); } sb.append(NEWLINE); return sb.toString(); }
From source file:org.qipki.crypto.x509.RevocationReason.java
License:Open Source License
public static RevocationReason valueOf(int reason) { switch (reason) { case CRLReason.unspecified: return unspecified; case CRLReason.keyCompromise: return keyCompromise; case CRLReason.cACompromise: return cACompromise; case CRLReason.affiliationChanged: return affiliationChanged; case CRLReason.superseded: return superseded; case CRLReason.cessationOfOperation: return cessationOfOperation; case CRLReason.certificateHold: return certificateHold; case CRLReason.removeFromCRL: return removeFromCRL; case CRLReason.privilegeWithdrawn: return privilegeWithdrawn; case CRLReason.aACompromise: return aACompromise; default://from ww w . j a va 2 s .co m throw new IllegalArgumentException("Unknown revocation reason: " + reason); } }
From source file:org.signserver.module.xades.validator.AbstractCustomCertPathChecker.java
License:Open Source License
private void verifyCRL(X509Certificate certificate, X509CRL crl, X509Certificate issuerCertificate, final URL crlURL) throws SignServerException { try {/*www . j ava 2 s.c om*/ crl.verify(issuerCertificate.getPublicKey(), "BC"); } catch (Exception e) { final String msg = "Exception on verifying CRL fetched from url: " + crlURL.toString() + " using CA certificate : " + CertTools.getSubjectDN(issuerCertificate); if (LOG.isDebugEnabled()) { LOG.debug(msg, e); } throw new SignServerException(msg, e); } // now that crl is verified check getThisUpdate < now, getNextUpdate > // now // although getNextUpdate is optional RFC 3280 mandates it and does not // specify how to interpret the absence of the field if (crl.getThisUpdate() != null && (new Date()).compareTo(crl.getThisUpdate()) <= 0) { final String msg = "CRL for certificate : " + CertTools.getSubjectDN(certificate) + " reported thisUpdate as : " + crl.getThisUpdate().toString() + " which is later than current date."; LOG.debug(msg); throw new SignServerException(msg); } if (crl.getNextUpdate() != null && (new Date()).compareTo(crl.getNextUpdate()) >= 0) { final String msg = "CRL for certificate : " + CertTools.getSubjectDN(certificate) + " reported nextUpdate as : " + crl.getNextUpdate().toString() + " which is earlier than current date."; LOG.debug(msg); throw new SignServerException(msg); } // check if certificate is revoked X509CRLEntry crlEntry = crl.getRevokedCertificate(certificate); if (crlEntry != null) { if (crlEntry.hasExtensions()) { int reasonCode = CRLReason.unspecified; try { reasonCode = ValidationUtils.getReasonCodeFromCRLEntry(crlEntry); } catch (IOException e) { throw new SignServerException("can not retrieve reason code", e); } if (reasonCode == CRLReason.removeFromCRL) { // this is tricky, though the certificate is found in CRL it // is not revoked, it is activated back from on-hold // so it is actually not revoked ! } else { // certificate is revoked , append reason code and throw // exception so we stop checking String msg = " revocation reason code : " + reasonCode; throw new CRLCertRevokedException(msg, reasonCode); } } } }
From source file:org.signserver.validationservice.server.OCSPCRLPathChecker.java
License:Open Source License
/** * try to get revocation status of the x509Cert using passed in CRL URL * /*from w w w.j a v a2s . co m*/ * if CRL is accessible , and signed by CA issuing x509Cert , and if * x509Cert is not revoked returns otherwise throws exception * * @param x509Cert * - certificate whose revocation status is checked * @param crlURL * - url of the CRL * @throws SignServerException * - if something bad (other than certificate being revoked) * happens * @throws CRLCertRevokedException * - if certificate is revoked */ private void parseAndVerifyCRL(X509Certificate x509Cert, URL crlURL) throws SignServerException, CRLCertRevokedException { X509CRL certCRL = null; String msg; certCRL = ValidationUtils.fetchCRLFromURL(crlURL); try { certCRL.verify(cACert.getPublicKey(), "BC"); } catch (Exception e) { msg = "Exception on verifying CRL fetched from url: " + crlURL.toString() + " using CA certificate : " + CertTools.getSubjectDN(cACert); log.error(msg, e); throw new SignServerException(msg, e); } // now that crl is verified check getThisUpdate < now, getNextUpdate > // now // although getNextUpdate is optional RFC 3280 mandates it and does not // specify how to interpret the absence of the field if (certCRL.getThisUpdate() != null && (new Date()).compareTo(certCRL.getThisUpdate()) <= 0) { msg = "CRL for certificate : " + CertTools.getSubjectDN(x509Cert) + " reported thisUpdate as : " + certCRL.getThisUpdate().toString() + " which is later than current date."; log.debug(msg); throw new SignServerException(msg); } if (certCRL.getNextUpdate() != null && (new Date()).compareTo(certCRL.getNextUpdate()) >= 0) { msg = "CRL for certificate : " + CertTools.getSubjectDN(x509Cert) + " reported nextUpdate as : " + certCRL.getNextUpdate().toString() + " which is earlier than current date."; log.debug(msg); throw new SignServerException(msg); } // check if certificate is revoked X509CRLEntry crlEntry = certCRL.getRevokedCertificate(x509Cert); if (crlEntry != null) { // msg = "The certificate " + CertTools.getSubjectDN(x509Cert) // + " has been revoked on " + crlEntry.getRevocationDate(); // TODO : crlEntry extension is OPTIONAL ?? if it is then throw // exception if it has no extension if (crlEntry.hasExtensions()) { int reasonCode = CRLReason.unspecified; try { reasonCode = ValidationUtils.getReasonCodeFromCRLEntry(crlEntry); } catch (IOException e) { throw new SignServerException("can not retrieve reason code", e); } if (reasonCode == CRLReason.removeFromCRL) { // this is tricky, though the certificate is found in CRL it // is not revoked, it is activated back from on-hold // so it is actually not revoked ! } else { // certificate is revoked , append reason code and throw // exception so we stop checking msg = " revocation reason code : " + reasonCode; throw new CRLCertRevokedException(msg, reasonCode); } } } }