Example usage for org.bouncycastle.asn1.x509 CRLReason unspecified

List of usage examples for org.bouncycastle.asn1.x509 CRLReason unspecified

Introduction

This page collects usage examples for the org.bouncycastle.asn1.x509 CRLReason unspecified constant.

Prototype

int unspecified

The source code for org.bouncycastle.asn1.x509 CRLReason unspecified is available through the Source link.


Usage

From source file:be.fedict.trust.service.ocsp.OCSPResponderServlet.java

License:Open Source License

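/**
 * Answers one OCSP request (HTTP POST binding) for exactly one certificate.
 *
 * <p>The request body is untrusted input: the content type, the number of
 * embedded requests and the hash algorithm of the certificate identifier are
 * checked before any lookup, and a body that does not decode as an
 * {@code OCSPRequest} is answered with {@code 400 Bad Request} instead of
 * propagating out of the servlet as a container error.
 *
 * <p>The certificate is looked up through {@code validationService.validate};
 * a {@code null} result is reported as {@code GOOD}, any other value is taken
 * as the revocation date and reported as {@code RevokedStatus} with reason
 * {@code CRLReason.unspecified}. The response is signed with the service
 * identity from {@code validationService.getPrivateKeyEntry()}.
 *
 * <p>Request extensions (for example a nonce) are neither read nor echoed, and
 * no responder certificate chain is embedded in the response, so relying
 * parties must already hold the responder certificate.
 *
 * @param request  HTTP request whose body is a DER-encoded OCSPRequest
 * @param response HTTP response; receives a DER-encoded OCSPResponse on success
 * @throws ServletException declared by the servlet contract; not thrown here
 * @throws IOException if the request body cannot be read from the container or
 *     the response cannot be written
 */
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    String contentType = request.getContentType();
    if (false == OCSP_REQUEST_CONTENT_TYPE.equals(contentType)) {
        LOG.error("incorrect content type: " + contentType);
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }

    // Obtaining the stream is a transport concern and may still propagate;
    // decoding its content is where untrusted bytes are interpreted.
    InputStream ocspRequestInputStream = request.getInputStream();
    OCSPReq ocspReq;
    try {
        ocspReq = new OCSPReq(ocspRequestInputStream);
    } catch (IOException e) {
        // malformed DER is a client error, not a server failure
        LOG.error("malformed OCSP request: " + e.getMessage());
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        return;
    } catch (RuntimeException e) {
        // the legacy BC ASN.1 decoders report some malformed encodings through
        // unchecked exceptions (e.g. IllegalArgumentException)
        LOG.error("malformed OCSP request: " + e.getMessage());
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }

    Req[] requestList = ocspReq.getRequestList();
    if (1 != requestList.length) {
        LOG.error("OCSP request list size not 1: " + requestList.length);
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }
    Req ocspRequest = requestList[0];

    CertificateID certificateID = ocspRequest.getCertID();
    LOG.debug("certificate Id hash algo OID: " + certificateID.getHashAlgOID());
    // the lookup service is keyed on SHA-1 issuer hashes only
    if (false == CertificateID.HASH_SHA1.equals(certificateID.getHashAlgOID())) {
        LOG.debug("only supporting SHA1 hash algo");
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }
    BigInteger serialNumber = certificateID.getSerialNumber();
    byte[] issuerNameHash = certificateID.getIssuerNameHash();
    byte[] issuerKeyHash = certificateID.getIssuerKeyHash();
    LOG.debug("serial number: " + serialNumber);
    LOG.debug("issuer name hash: " + new String(Hex.encodeHex(issuerNameHash)));
    LOG.debug("issuer key hash: " + new String(Hex.encodeHex(issuerKeyHash)));

    // null means "not revoked"; otherwise the date the certificate was revoked
    Date revocationDate = this.validationService.validate(serialNumber, issuerNameHash, issuerKeyHash);

    PrivateKeyEntry privateKeyEntry = this.validationService.getPrivateKeyEntry();
    if (null == privateKeyEntry) {
        // NOTE(review): this is a server-side configuration problem, yet it is
        // reported as 400 to stay compatible with existing clients — confirm.
        LOG.debug("missing service identity");
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }
    X509Certificate certificate = (X509Certificate) privateKeyEntry.getCertificate();
    PublicKey publicKey = certificate.getPublicKey();
    PrivateKey privateKey = privateKeyEntry.getPrivateKey();
    try {
        BasicOCSPRespGenerator basicOCSPRespGenerator = new BasicOCSPRespGenerator(publicKey);
        CertificateStatus certificateStatus;
        if (null == revocationDate) {
            certificateStatus = CertificateStatus.GOOD;
        } else {
            certificateStatus = new RevokedStatus(revocationDate, CRLReason.unspecified);
        }
        basicOCSPRespGenerator.addResponse(certificateID, certificateStatus);
        // The signature algorithm is fixed to SHA1WITHRSA; SHA-1 signatures are
        // deprecated, so relying parties may reject this response in the future.
        // The third argument (certificate chain) is null: no chain is embedded.
        BasicOCSPResp basicOCSPResp = basicOCSPRespGenerator.generate("SHA1WITHRSA", privateKey, null,
                new Date(), BouncyCastleProvider.PROVIDER_NAME);
        OCSPRespGenerator ocspRespGenerator = new OCSPRespGenerator();
        OCSPResp ocspResp = ocspRespGenerator.generate(OCSPRespGenerator.SUCCESSFUL, basicOCSPResp);
        response.setContentType("application/ocsp-response");
        response.getOutputStream().write(ocspResp.getEncoded());
    } catch (Exception e) {
        // signing or encoding failed on our side; the status code is kept as
        // the service has always reported it
        LOG.error("OCSP generator error: " + e.getMessage(), e);
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }
}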

From source file:be.fedict.trust.test.PKITestUtils.java

License:Open Source License

/**
 * Builds a signed OCSP response for {@code certificate} as a test fixture.
 *
 * <p>A single-request OCSP request is constructed for the certificate (SHA-1
 * {@code CertificateID} computed against {@code issuerCertificate}); each
 * request in it is answered with {@code GOOD}, or with {@code RevokedStatus}
 * dated now and reason {@code CRLReason.unspecified} when {@code revoked} is
 * set. The basic response is then signed with {@code ocspResponderPrivateKey}
 * using {@code signatureAlgorithm}.
 *
 * <p>When the responder certificate differs from the issuer certificate the
 * response embeds the chain {@code [responder, issuer]}; when they are the
 * same certificate no chain is embedded.
 *
 * @param certificate the certificate whose status is asserted
 * @param revoked whether the certificate is reported as revoked
 * @param issuerCertificate issuer of {@code certificate}; used for the certificate id
 * @param ocspResponderCertificate certificate matching {@code ocspResponderPrivateKey}
 * @param ocspResponderPrivateKey key that signs the basic response
 * @param signatureAlgorithm JCA signature algorithm name passed to the content signer
 * @return an OCSP response with status {@code SUCCESSFUL}
 * @throws Exception on any Bouncy Castle or JCA failure
 */
public static OCSPResp createOcspResp(X509Certificate certificate, boolean revoked,
        X509Certificate issuerCertificate, X509Certificate ocspResponderCertificate,
        PrivateKey ocspResponderPrivateKey, String signatureAlgorithm) throws Exception {
    DigestCalculatorProvider digestProvider = new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build();

    // the request: one CertificateID for the certificate under test
    CertificateID requestedId = new CertificateID(digestProvider.get(CertificateID.HASH_SHA1),
            new JcaX509CertificateHolder(issuerCertificate), certificate.getSerialNumber());
    OCSPReqBuilder reqBuilder = new OCSPReqBuilder();
    reqBuilder.addRequest(requestedId);
    OCSPReq req = reqBuilder.build();

    // answer every request in it with the same status
    BasicOCSPRespBuilder respBuilder = new JcaBasicOCSPRespBuilder(
            ocspResponderCertificate.getPublicKey(), digestProvider.get(CertificateID.HASH_SHA1));
    for (Req single : req.getRequestList()) {
        CertificateStatus status = revoked
                ? new RevokedStatus(new Date(), CRLReason.unspecified)
                : CertificateStatus.GOOD;
        respBuilder.addResponse(single.getCertID(), status);
    }

    // embed [responder, issuer] only when the responder is not the issuer itself
    X509CertificateHolder[] embeddedChain = ocspResponderCertificate.equals(issuerCertificate)
            ? null
            : new X509CertificateHolder[] {
                    new X509CertificateHolder(ocspResponderCertificate.getEncoded()),
                    new X509CertificateHolder(issuerCertificate.getEncoded()) };

    ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm)
            .build(ocspResponderPrivateKey);
    BasicOCSPResp basicResp = respBuilder.build(signer, embeddedChain, new Date());

    return new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, basicResp);
}

From source file:be.fedict.trust.test.PKITestUtils.java

License:Open Source License

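/**
 * Builds a signed OCSP response for {@code certificate} as a test fixture,
 * embedding an explicit responder certificate chain.
 *
 * <p>A single-request OCSP request is constructed for the certificate (SHA-1
 * {@code CertificateID} computed against {@code issuerCertificate}); each
 * request in it is answered with {@code GOOD}, or with {@code RevokedStatus}
 * dated now and reason {@code CRLReason.unspecified} when {@code revoked} is
 * set. The basic response is signed with {@code ocspResponderPrivateKey}
 * using {@code signatureAlgorithm} — previously the parameter was ignored and
 * {@code SHA1withRSA} was always used.
 *
 * @param certificate the certificate whose status is asserted
 * @param revoked whether the certificate is reported as revoked
 * @param issuerCertificate issuer of {@code certificate}; used for the certificate id
 * @param ocspResponderCertificate certificate matching {@code ocspResponderPrivateKey}
 * @param ocspResponderPrivateKey key that signs the basic response
 * @param signatureAlgorithm JCA signature algorithm name passed to the content signer
 * @param ocspResponderCertificateChain certificates to embed in the response, in
 *     order; {@code null} or empty embeds no chain
 * @return an OCSP response with status {@code SUCCESSFUL}
 * @throws Exception on any Bouncy Castle or JCA failure
 */
public static OCSPResp createOcspResp(X509Certificate certificate, boolean revoked,
        X509Certificate issuerCertificate, X509Certificate ocspResponderCertificate,
        PrivateKey ocspResponderPrivateKey, String signatureAlgorithm,
        List<X509Certificate> ocspResponderCertificateChain) throws Exception {
    // request
    OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();
    DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build();
    CertificateID certId = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1),
            new JcaX509CertificateHolder(issuerCertificate), certificate.getSerialNumber());
    ocspReqBuilder.addRequest(certId);
    OCSPReq ocspReq = ocspReqBuilder.build();
    BasicOCSPRespBuilder basicOCSPRespBuilder = new JcaBasicOCSPRespBuilder(
            ocspResponderCertificate.getPublicKey(), digCalcProv.get(CertificateID.HASH_SHA1));

    // request processing: every request gets the same status
    Req[] requestList = ocspReq.getRequestList();
    for (Req ocspRequest : requestList) {
        CertificateID certificateID = ocspRequest.getCertID();
        CertificateStatus certificateStatus;
        if (revoked) {
            certificateStatus = new RevokedStatus(new Date(), CRLReason.unspecified);
        } else {
            certificateStatus = CertificateStatus.GOOD;
        }
        basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);
    }

    // basic response generation; a null chain means "embed nothing"
    X509CertificateHolder[] chain = null;
    if (ocspResponderCertificateChain != null && !ocspResponderCertificateChain.isEmpty()) {
        chain = new X509CertificateHolder[ocspResponderCertificateChain.size()];
        int idx = 0;
        for (X509Certificate chainCert : ocspResponderCertificateChain) {
            chain[idx++] = new X509CertificateHolder(chainCert.getEncoded());
        }
    }

    // honour the caller's algorithm instead of a hard-coded SHA1withRSA
    ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm)
            .build(ocspResponderPrivateKey);
    BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date());

    // response generation
    OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();
    OCSPResp ocspResp = ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp);

    return ocspResp;
}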

From source file:ee.ria.xroad.common.ocsp.OcspVerifierTest.java

License:Open Source License

/**
 * Verification must fail with {@code X_CERT_VALIDATION} when the OCSP response
 * reports the certificate as revoked, even though the response itself is
 * well-formed and fresh.
 *
 * @throws Exception if building or verifying the response fails unexpectedly
 */
@Test
public void certStatusRevoked() throws Exception {
    Date thisUpdate = new DateTime().plusDays(1).toDate();
    RevokedStatus revokedNow = new RevokedStatus(new Date(), CRLReason.unspecified);
    OCSPResp ocsp = OcspTestUtils.createOCSPResponse(subject, issuer, signer, signerKey,
            revokedNow, thisUpdate, null);

    thrown.expectError(X_CERT_VALIDATION);
    int freshnessSeconds = GlobalConf.getOcspFreshnessSeconds(true);
    OcspVerifierOptions options = new OcspVerifierOptions(true);
    new OcspVerifier(freshnessSeconds, options).verifyValidityAndStatus(ocsp, subject, issuer);
}

From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.java

License:Open Source License

/**
 * Determines the revocation status of {@code cert} against one CRL and
 * records it in {@code certStatus} (RFC 3280 section 6.3.3, steps (i)/(j)).
 *
 * <p>The CRL is re-parsed through BC's {@code X509CRLObject} so that indirect
 * CRLs (entries carrying a certificateIssuer extension) are handled. An entry
 * for the certificate's serial number counts only if its certificate issuer,
 * or else the CRL issuer, equals the certificate's issuer.
 *
 * <p>A matching entry marks the certificate revoked when {@code validDate} is
 * not before the entry's revocation date, when the entry carries no reason
 * code, or when the reason code is one of the values tested below. On a hit
 * the reason code (or {@code CRLReason.unspecified} when absent) and the
 * revocation date are stored in {@code certStatus}; otherwise
 * {@code certStatus} is left untouched.
 *
 * @param validDate the time at which the certificate's validity is assessed
 * @param crl the CRL to consult
 * @param cert the certificate being checked, passed as {@code Object}; only its
 *     serial number and issuer (via {@code CertPathValidatorUtilities}) are used
 * @param certStatus receives the reason code and revocation date on a hit
 * @throws SimpleValidationErrorException with {@code unknownMsg} if the CRL
 *     cannot be re-parsed, or {@code crlReasonExtError} if the entry's
 *     reason-code extension cannot be decoded
 */
protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, CertStatus certStatus)
        throws SimpleValidationErrorException {
    // use BC X509CRLObject so that indirect CRLs are supported
    X509CRLObject bcCRL = null;
    try {
        bcCRL = new X509CRLObject(
                new CertificateList((ASN1Sequence) ASN1Sequence.fromByteArray(crl.getEncoded())));
    } catch (Exception e) {
        throw new SimpleValidationErrorException(ValidationErrorCode.unknownMsg, e);
    }
    // use BC X509CRLEntryObject, so that getCertificateIssuer() is
    // supported.
    X509CRLEntryObject crl_entry = (X509CRLEntryObject) bcCRL
            .getRevokedCertificate(CertPathValidatorUtilities.getSerialNumber(cert));
    // entry found and issued either by the entry's own issuer (indirect CRL)
    // or by the CRL issuer
    if (crl_entry != null && (CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert)
            .equals(crl_entry.getCertificateIssuer())
            || CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert)
                    .equals(crl.getIssuerX500Principal()))) {
        ASN1Enumerated reasonCode = null;
        if (crl_entry.hasExtensions()) {
            try {
                reasonCode = ASN1Enumerated.getInstance(CertPathValidatorUtilities.getExtensionValue(crl_entry,
                        X509Extensions.ReasonCode.getId()));
            } catch (Exception e) {
                throw new SimpleValidationErrorException(ValidationErrorCode.crlReasonExtError, e);
            }
        }

        // Revoked if the validation date is not before the revocation date, if
        // the entry has no reason code, or if the reason code is 0, 1, 2 or 8.
        // NOTE(review): the original comment named keyCompromise, cACompromise,
        // aACompromise and unspecified; aACompromise is 10 whereas 8 is
        // removeFromCRL — confirm which value is intended before touching this.
        if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime()) || reasonCode == null
                || reasonCode.getValue().intValue() == 0 || reasonCode.getValue().intValue() == 1
                || reasonCode.getValue().intValue() == 2 || reasonCode.getValue().intValue() == 8) {

            // (i) or (j) (1): the entry's own reason code
            if (reasonCode != null) {
                certStatus.setCertStatus(reasonCode.getValue().intValue());
            }
            // (i) or (j) (2): no reason code in the entry
            else {
                certStatus.setCertStatus(CRLReason.unspecified);
            }
            certStatus.setRevocationDate(crl_entry.getRevocationDate());
        }
    }
}

From source file:net.maritimecloud.identityregistry.utils.CertificateUtil.java

License:Apache License

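/**
 * Maps a textual revocation reason to its {@code CRLReason} integer code.
 *
 * <p>Matching is case-insensitive (the previous version matched
 * {@code "certificateHold"} only in that exact mixed case while every other
 * reason was lowercase, so the lowercase spelling never matched). Unknown or
 * {@code null} input maps to {@code CRLReason.unspecified}; callers that must
 * reject unknown reasons have to validate the string before calling.
 *
 * @param certReason reason name such as {@code "keycompromise"}, any case
 * @return the matching {@code CRLReason} constant, or {@code CRLReason.unspecified}
 */
public int getCRLReasonFromString(String certReason) {
    if (certReason == null) {
        return CRLReason.unspecified;
    }
    // Locale.ROOT keeps the case mapping independent of the default locale
    String key = certReason.toLowerCase(java.util.Locale.ROOT);
    if ("keycompromise".equals(key)) {
        return CRLReason.keyCompromise;
    } else if ("cacompromise".equals(key)) {
        return CRLReason.cACompromise;
    } else if ("affiliationchanged".equals(key)) {
        return CRLReason.affiliationChanged;
    } else if ("superseded".equals(key)) {
        return CRLReason.superseded;
    } else if ("cessationofoperation".equals(key)) {
        return CRLReason.cessationOfOperation;
    } else if ("certificatehold".equals(key)) {
        return CRLReason.certificateHold;
    } else if ("removefromcrl".equals(key)) {
        return CRLReason.removeFromCRL;
    } else if ("privilegewithdrawn".equals(key)) {
        return CRLReason.privilegeWithdrawn;
    } else if ("aacompromise".equals(key)) {
        return CRLReason.aACompromise;
    }
    // "unspecified" and anything unrecognised
    return CRLReason.unspecified;
}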

From source file:net.maritimecloud.pki.Revocation.java

License:Apache License

/**
 * Returns the int value associated with a revocation status.
 *
 * <p>Lookup is exact: the name must be lowercase with no spaces or underscores,
 * as the reason names are compared with {@code equals}. Anything else —
 * including {@code null} — yields {@code CRLReason.unspecified}.
 *
 * @param certReason The string representation of the status. Should be lowercase with no spaces or underscore
 * @return The int value associated with the revocation status
 */
public static int getCRLReasonFromString(String certReason) {
    // parallel tables: names[i] maps to codes[i]
    String[] names = {
            "unspecified", "keycompromise", "cacompromise", "affiliationchanged", "superseded",
            "cessationofoperation", "certificatehold", "removefromcrl", "privilegewithdrawn",
            "aacompromise" };
    int[] codes = {
            CRLReason.unspecified, CRLReason.keyCompromise, CRLReason.cACompromise,
            CRLReason.affiliationChanged, CRLReason.superseded, CRLReason.cessationOfOperation,
            CRLReason.certificateHold, CRLReason.removeFromCRL, CRLReason.privilegeWithdrawn,
            CRLReason.aACompromise };
    for (int i = 0; i < names.length; i++) {
        if (names[i].equals(certReason)) {
            return codes[i];
        }
    }
    return CRLReason.unspecified;
}

From source file:net.sf.keystore_explorer.crypto.x509.X509Ext.java

License:Open Source License

/**
 * Renders a ReasonCode extension value (a DER-encoded {@code CRLReason}
 * enumeration) as a localized, newline-terminated label.
 *
 * <pre>
 * ReasonCode ::= { CRLReason }
 *
 * CRLReason ::= ASN1Enumerated { unspecified (0), keyCompromise (1),
 *   cACompromise (2), affiliationChanged (3), superseded (4),
 *   cessationOfOperation (5), certificateHold (6), removeFromCRL (8),
 *   privilegeWithdrawn (9), aACompromise (10) }
 * </pre>
 *
 * <p>Every value that is not one of the first nine constants — including the
 * unassigned 7 and anything above 10 — falls through to the aACompromise
 * label, so the output for a malformed extension is not distinguishable from
 * a genuine aACompromise.
 *
 * @param value the DER encoding of the extension value
 * @return the resource-bundle label for the reason followed by {@code NEWLINE}
 * @throws IOException declared by the signature; nothing in the body throws it
 */
private String getReasonCodeStringValue(byte[] value) throws IOException {
    long reason = CRLReason.getInstance(value).getValue().longValue();

    String resourceKey;
    if (reason == CRLReason.unspecified) {
        resourceKey = "UnspecifiedCrlReason";
    } else if (reason == CRLReason.keyCompromise) {
        resourceKey = "KeyCompromiseCrlReason";
    } else if (reason == CRLReason.cACompromise) {
        resourceKey = "CaCompromiseCrlReason";
    } else if (reason == CRLReason.affiliationChanged) {
        resourceKey = "AffiliationChangedCrlReason";
    } else if (reason == CRLReason.superseded) {
        resourceKey = "SupersededCrlReason";
    } else if (reason == CRLReason.cessationOfOperation) {
        resourceKey = "CessationOfOperationCrlReason";
    } else if (reason == CRLReason.certificateHold) {
        resourceKey = "CertificateHoldCrlReason";
    } else if (reason == CRLReason.removeFromCRL) {
        resourceKey = "RemoveFromCrlCrlReason";
    } else if (reason == CRLReason.privilegeWithdrawn) {
        resourceKey = "PrivilegeWithdrawnCrlReason";
    } else {
        // CRLReason.aACompromise, and every unlisted value
        resourceKey = "AaCompromiseCrlReason";
    }

    StringBuilder out = new StringBuilder();
    out.append(res.getString(resourceKey));
    out.append(NEWLINE);
    return out.toString();
}

From source file:org.candlepin.CRLBenchmark.java

License:Open Source License

/**
 * Trial-level fixture: writes a DER-encoded CRL with 2,000,000 entries to a
 * temp file and stores its location in {@code crlFile}.
 *
 * <p>The CRL is issued by {@code CN=Test Issuer}, signed with a freshly
 * generated 2048-bit RSA key via {@code SHA256WithRSAEncryption}, carries an
 * authority key identifier and a CRL number of 127, and lists serials
 * 0..1999999 revoked "now" with reason {@code CRLReason.unspecified}.
 * The file's path is printed to stdout.
 *
 * @throws Exception on any key-generation, signing or I/O failure
 */
@Setup(Level.Trial)
public void buildMassiveCRL() throws Exception {
    X500Name issuerName = new X500Name("CN=Test Issuer");

    KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
    rsa.initialize(2048);
    KeyPair issuerKeys = rsa.generateKeyPair();

    Provider bc = new BouncyCastleProvider();
    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
            .setProvider(bc)
            .build(issuerKeys.getPrivate());

    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuerName, new Date());
    builder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(issuerKeys.getPublic()));
    /* With a CRL number of 127, incrementing it should cause the number of bytes in the length
     * portion of the TLV to increase by one.*/
    builder.addExtension(X509Extension.cRLNumber, false, new CRLNumber(BigInteger.valueOf(127)));

    for (int serial = 0; serial < 2000000; serial++) {
        builder.addCRLEntry(BigInteger.valueOf(serial), new Date(), CRLReason.unspecified);
    }

    X509CRLHolder holder = builder.build(signer);
    X509CRL crl = new JcaX509CRLConverter().setProvider(bc).getCRL(holder);

    crlFile = File.createTempFile("crl", ".der");
    System.out.println("\nWrote test crl to " + crlFile.getAbsolutePath());
    FileUtils.writeByteArrayToFile(crlFile, crl.getEncoded());
}

From source file:org.candlepin.CRLWriteBenchmark.java

License:Open Source License

/**
 * Benchmark: rewrites {@code crlFile} through {@code X509CRLStreamWriter},
 * adding one entry, into a new temp file.
 *
 * <p>Failures are printed with {@code printStackTrace} and otherwise ignored,
 * so a broken run still yields a (meaningless) timing.
 */
@Benchmark
@Fork(value = 1, jvmArgsAppend = { "-Xloggc:gc_stream_write.log", "-verbose:gc", "-XX:+PrintGCDetails",
        "-XX:+PrintGCTimeStamps" })
public void stream() {
    try {
        rewriteCrlViaStreamWriter();
    } catch (Exception e) {
        e.printStackTrace();
    }
}

/**
 * Adds serial 25000000000 (revoked now, reason unspecified) to {@code crlFile}
 * via the stream writer and writes the re-signed CRL to a fresh temp file,
 * whose path is printed to stdout. The output stream is always closed; a
 * failure to close is printed and swallowed.
 *
 * @throws Exception on any stream-writer, key or I/O failure
 */
private void rewriteCrlViaStreamWriter() throws Exception {
    X509CRLStreamWriter writer = new X509CRLStreamWriter(crlFile, (RSAPrivateKey) keyPair.getPrivate(),
            (RSAPublicKey) keyPair.getPublic());
    writer.add(new BigInteger("25000000000"), new Date(), CRLReason.unspecified);
    writer.preScan(crlFile).lock();

    File newCrlFile = File.createTempFile("new_crl", ".der");
    OutputStream out = new BufferedOutputStream(new FileOutputStream(newCrlFile));
    try {
        writer.write(out);
        System.out.println("\nWrote new crl to " + newCrlFile.getAbsolutePath());
    } finally {
        try {
            out.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}