List of usage examples for org.bouncycastle.asn1.x509 Extension cRLDistributionPoints
ASN1ObjectIdentifier cRLDistributionPoints
From source file:org.cesecore.util.PKIXCertRevocationStatusChecker.java
License:Open Source License
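/**
 * Checks the revocation status of {@code cert}: first via OCSP against every OCSP URL
 * found in the certificate; when no OCSP request can be built or no OCSP response is
 * obtained from any URL, the check falls back to a CRL.
 *
 * @param cert the certificate whose revocation status is checked
 * @param unresolvedCritExts critical extensions the path validator has not yet resolved;
 *        the extension consumed by this checker is removed from it (may be {@code null})
 * @throws CertPathValidatorException if no issuer CA certificate can be found, or if an
 *         OCSP response reports the certificate as revoked
 */
@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts)
        throws CertPathValidatorException {
    clearResult();
    Certificate cacert = getCaCert(cert);
    if (cacert == null) {
        final String msg = "No issuer CA certificate was found. An issuer CA certificate is needed to create an OCSP request and to get the right CRL";
        log.info(msg);
        throw new CertPathValidatorException(msg);
    }
    ArrayList<String> ocspurls = getOcspUrls(cert);
    if (!ocspurls.isEmpty()) {
        BigInteger certSerialnumber = CertTools.getSerialNumber(cert);
        // The nonce ties the OCSP response to this request (replay protection), so it has to
        // be unpredictable; java.util.Random is clock-seeded and not suitable for that.
        byte[] nonce = new byte[16];
        final java.security.SecureRandom randomSource = new java.security.SecureRandom();
        randomSource.nextBytes(nonce);
        OCSPReq req = null;
        try {
            req = getOcspRequest(cacert, certSerialnumber, nonce);
        } catch (CertificateEncodingException | OCSPException e) {
            if (log.isDebugEnabled()) {
                log.debug("Failed to create OCSP request. " + e.getLocalizedMessage());
            }
            fallBackToCrl(cert, CertTools.getSubjectDN(cacert));
            return;
        }
        // First URL that yields a SUCCESSFUL (HTTP 200) response wins.
        SingleResp ocspResp = null;
        for (String url : ocspurls) {
            ocspResp = getOCSPResponse(url, req, cert, nonce, OCSPRespBuilder.SUCCESSFUL, 200);
            if (ocspResp != null) {
                log.info("Obtained OCSP response from " + url);
                break;
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("Failed to obtain an OCSP reponse from " + url);
                }
            }
        }
        if (ocspResp == null) {
            log.info("Failed to check certificate revocation status using OCSP. Falling back to check using CRL");
            // NOTE(review): unlike the no-OCSP-URL branch below, this fallback does not remove
            // cRLDistributionPoints from unresolvedCritExts — confirm fallBackToCrl covers it.
            fallBackToCrl(cert, CertTools.getSubjectDN(cacert));
        } else {
            CertificateStatus status = ocspResp.getCertStatus();
            this.ocspResponse = ocspResp;
            if (log.isDebugEnabled()) {
                log.debug("The certificate status is: " + (status == null ? "Good" : status.toString()));
            }
            if (status != null) { // status==null -> certificate OK
                throw new CertPathValidatorException("Certificate with serialnumber "
                        + CertTools.getSerialNumberAsString(cert) + " was revoked");
            }
            if (unresolvedCritExts != null) {
                unresolvedCritExts.remove(Extension.authorityInfoAccess.getId());
            }
        }
    } else {
        fallBackToCrl(cert, CertTools.getSubjectDN(cacert));
        if (unresolvedCritExts != null) {
            unresolvedCritExts.remove(Extension.cRLDistributionPoints.getId());
        }
    }
}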
From source file:org.demoiselle.signer.core.extension.BasicCertificate.java
License:Open Source License
/**
 * Collects the URIs listed in this certificate's CRL Distribution Points extension.
 * Only {@code fullName} distribution points are inspected, and only their
 * {@code uniformResourceIdentifier} general names are returned.
 *
 * @return the CRL URLs found (possibly empty), or {@code null} when the certificate
 *         carries no CRL Distribution Points extension
 * @throws IOException if the extension value cannot be decoded
 */
public List<String> getCRLDistributionPoint() throws IOException {
    ASN1Primitive extensionValue = getExtensionValue(Extension.cRLDistributionPoints.getId());
    if (extensionValue == null) {
        return null;
    }
    List<String> urls = new ArrayList<>();
    CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(extensionValue);
    for (DistributionPoint point : crlDistPoint.getDistributionPoints()) {
        DistributionPointName pointName = point.getDistributionPoint();
        // nameRelativeToCRLIssuer points carry no GeneralNames, so only fullName is usable
        if (pointName == null || pointName.getType() != DistributionPointName.FULL_NAME) {
            continue;
        }
        for (GeneralName name : GeneralNames.getInstance(pointName.getName()).getNames()) {
            if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
                continue;
            }
            String url = DERIA5String.getInstance(name.getName()).getString();
            urls.add(url);
            logger.info("Adicionando a url {}", url);
        }
    }
    return urls;
}
From source file:org.dihedron.crypto.crl.CRL.java
License:Open Source License
/**
 * Extracts all CRL distribution point URLs from the "CRL Distribution Point" extension
 * of an X.509 certificate. Only {@code fullName} distribution points contribute, and only
 * their {@code uniformResourceIdentifier} general names; when the extension is absent an
 * empty list is returned.
 *
 * @param certificate the certificate to inspect
 * @return the distribution point URLs, possibly empty, never {@code null}
 * @throws CertificateParsingException declared by the signature; nothing in this body
 *         raises it directly
 * @throws IOException if the extension value cannot be decoded
 */
public static List<String> getCrlDistributionPoints(X509Certificate certificate)
        throws CertificateParsingException, IOException {
    List<String> urls = new ArrayList<>();
    byte[] extension = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
    if (extension == null) {
        return urls;
    }
    // getExtensionValue() returns the DER OCTET STRING wrapping the CRLDistPoint, so the
    // value has to be unwrapped once and then decoded again.
    try (ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(extension));
         ASN1InputStream inner = new ASN1InputStream(new ByteArrayInputStream(
                 ((DEROctetString) outer.readObject()).getOctets()))) {
        CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(inner.readObject());
        for (DistributionPoint point : crlDistPoint.getDistributionPoints()) {
            DistributionPointName pointName = point.getDistributionPoint();
            if (pointName == null || pointName.getType() != DistributionPointName.FULL_NAME) {
                continue;
            }
            GeneralName[] generalNames = GeneralNames.getInstance(pointName.getName()).getNames();
            for (GeneralName generalName : generalNames) {
                if (generalName.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    urls.add(DERIA5String.getInstance(generalName.getName()).getString());
                }
            }
        }
    }
    return urls;
}
From source file:org.ejbca.core.ejb.crl.PublishingCrlSessionTest.java
License:Open Source License
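/**
 * Tests the CRL Distribution Point setting on CRLs: with
 * {@code useCrlDistributionPointOnCrl} enabled the issued CRL must carry an
 * issuingDistributionPoint extension naming the configured URL; with it disabled the CRL
 * must carry no distribution point extension at all.
 *
 * @throws Exception on any CA session failure or CRL decoding error
 */
@Test
public void testCRLDistPointOnCRL() throws Exception {
    final String cdpURL = "http://www.ejbca.org/foo/bar.crl";
    X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo();
    X509CRL x509crl;
    byte[] cdpDER;
    cainfo.setUseCrlDistributionPointOnCrl(true);
    cainfo.setDefaultCRLDistPoint(cdpURL);
    caSession.editCA(roleMgmgToken, cainfo);
    publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
    x509crl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false));
    cdpDER = x509crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
    assertNotNull("CRL has no distribution points", cdpDER);
    // The extension value is an OCTET STRING wrapping the DER-encoded IssuingDistributionPoint,
    // hence two decoding passes; both streams are closed instead of being left open.
    IssuingDistributionPoint cdp;
    try (ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(cdpDER))) {
        ASN1OctetString octs = (ASN1OctetString) outer.readObject();
        try (ASN1InputStream inner = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets()))) {
            cdp = IssuingDistributionPoint.getInstance((ASN1Sequence) inner.readObject());
        }
    }
    DistributionPointName distpoint = cdp.getDistributionPoint();
    assertEquals("CRL distribution point is different", cdpURL,
            ((DERIA5String) ((GeneralNames) distpoint.getName()).getNames()[0].getName()).getString());
    cainfo.setUseCrlDistributionPointOnCrl(false);
    cainfo.setDefaultCRLDistPoint("");
    caSession.editCA(roleMgmgToken, cainfo);
    publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId());
    x509crl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false));
    // The positive half reads issuingDistributionPoint (the CRL-side extension), so the
    // negative half must assert on the same OID; cRLDistributionPoints is a certificate
    // extension, and its absence from a CRL does not show the setting was honoured.
    assertNull("CRL has distribution points",
            x509crl.getExtensionValue(Extension.issuingDistributionPoint.getId()));
    assertNull("CRL has distribution points",
            x509crl.getExtensionValue(Extension.cRLDistributionPoints.getId()));
}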
From source file:org.icepdf.core.pobjects.acroform.signature.certificates.CRLVerifier.java
License:Apache License
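/**
 * Extracts all CRL distribution point URLs from the "CRL Distribution Point" extension
 * of an X.509 certificate. Only {@code fullName} distribution points contribute, and only
 * their {@code uniformResourceIdentifier} general names; when the extension is absent an
 * empty list is returned.
 *
 * @param cert the certificate to inspect
 * @return the distribution point URLs, possibly empty, never {@code null}
 * @throws CertificateParsingException declared by the signature; nothing in this body
 *         raises it directly
 * @throws IOException if the extension value cannot be decoded
 */
public static List<String> getCrlDistributionPoints(X509Certificate cert)
        throws CertificateParsingException, IOException {
    List<String> crlUrls = new ArrayList<String>();
    byte[] crldpExt = cert.getExtensionValue(Extension.cRLDistributionPoints.getId());
    if (crldpExt == null) {
        return crlUrls;
    }
    // getExtensionValue() returns the DER OCTET STRING wrapping the CRLDistPoint, so the
    // value is unwrapped once and decoded again; both streams are closed on every path.
    CRLDistPoint distPoint;
    try (ASN1InputStream oAsnInStream = new ASN1InputStream(new ByteArrayInputStream(crldpExt))) {
        DEROctetString dosCrlDP = (DEROctetString) oAsnInStream.readObject();
        byte[] crldpExtOctets = dosCrlDP.getOctets();
        try (ASN1InputStream oAsnInStream2 = new ASN1InputStream(new ByteArrayInputStream(crldpExtOctets))) {
            distPoint = CRLDistPoint.getInstance(oAsnInStream2.readObject());
        }
    }
    for (DistributionPoint dp : distPoint.getDistributionPoints()) {
        DistributionPointName dpn = dp.getDistributionPoint();
        // Look for URIs in fullName only; nameRelativeToCRLIssuer carries no GeneralNames
        if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) {
            GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
            for (GeneralName genName : genNames) {
                if (genName.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    String url = DERIA5String.getInstance(genName.getName()).getString();
                    crlUrls.add(url);
                }
            }
        }
    }
    return crlUrls;
}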
From source file:org.jscep.client.Client.java
License:Open Source License
/**
 * Logs a warning when the CA certificate for {@code profile} carries a CRL Distribution
 * Points extension. Nothing else is done with the extension.
 *
 * @param profile the CA profile whose issuer certificate is inspected
 * @throws ClientException propagated from {@code getCaCertificate}
 */
private void checkDistributionPoints(final String profile) throws ClientException {
    final CertStore store = getCaCertificate(profile);
    final CertStoreInspector inspector = inspectorFactory.getInstance(store);
    final X509Certificate ca = inspector.getIssuer();
    final byte[] cdpExtension = ca.getExtensionValue(Extension.cRLDistributionPoints.getId());
    if (cdpExtension != null) {
        LOGGER.warn("CA supports distribution points");
    }
}
From source file:org.metaeffekt.dcc.commons.pki.CertificateManager.java
License:Apache License
/**
 * Builds the X.509 v3 extension list for a new certificate, driven by the configured
 * {@code PROPERTY_CERT_*} properties. Extensions end up in the certificate in the order
 * they are appended here.
 *
 * @param publicKey the subject public key; only used to derive the subjectKeyIdentifier
 * @param issuerCertificate the issuer's certificate, or {@code null} for a self-issued
 *        certificate; when present, its CRL distribution point and authority information
 *        access extensions are copied instead of being generated from properties
 * @return the extensions to place in the certificate, never {@code null}
 * @throws CertIOException declared for the BouncyCastle helpers this method calls
 * @throws NoSuchAlgorithmException if {@link JcaX509ExtensionUtils} cannot be created
 * @throws IOException if an extension value cannot be DER-encoded
 */
protected List<Extension> createExtensions(PublicKey publicKey, X509Certificate issuerCertificate)
        throws CertIOException, NoSuchAlgorithmException, IOException {
    List<Extension> extensions = new ArrayList<>();
    String certType = getProperty(PROPERTY_CERT_TYPE, CERT_TYPE_TLS);
    // backward compatibility: the old CA type name is mapped onto the current one
    if (CERT_TYPE_CA_OLD.equals(certType)) {
        certType = CERT_TYPE_CA;
    }
    // subject key identifier (always present)
    boolean criticalKeyIdentifier = getProperty(PROPERTY_CERT_CRITICAL_KEY_IDENTIFIER, false);
    extensions.add(new Extension(Extension.subjectKeyIdentifier, criticalKeyIdentifier,
            new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKey).getEncoded()));
    // basic constraints (CA certificates only); critical by default, as RFC 5280 requires for CAs
    if (CERT_TYPE_CA.equals(certType)) {
        boolean criticalCaConstraints = getProperty(PROPERTY_CERT_CRITICAL_CA, true);
        int chainLengthConstraint = getProperty(PROPERTY_CERT_CHAIN_LENGTH, 0);
        if (chainLengthConstraint > 0) {
            extensions.add(new Extension(Extension.basicConstraints, criticalCaConstraints,
                    new BasicConstraints(chainLengthConstraint).getEncoded()));
        } else {
            // NOTE(review): a configured chain length of 0 lands here and yields cA=TRUE with
            // no pathLenConstraint (unlimited), not "no subordinate CAs" — confirm intended.
            extensions.add(new Extension(Extension.basicConstraints, criticalCaConstraints,
                    new BasicConstraints(true).getEncoded()));
        }
    }
    // key usage; a zero bit mask means the extension is omitted entirely
    int keyUsageInt = getKeyUsage(certType);
    if (keyUsageInt != 0) {
        // FIXME: test whether we can default to true here
        boolean criticalKeyUsage = getProperty(PROPERTY_CERT_CRITICAL_KEY_USAGE, false);
        KeyUsage keyUsage = new KeyUsage(keyUsageInt);
        extensions.add(new Extension(Extension.keyUsage, criticalKeyUsage, keyUsage.getEncoded()));
    }
    // extended key usage; TLS certificates default to clientAuth + serverAuth, others to none
    KeyPurposeId[] keyPurposeDefault = null;
    if (CERT_TYPE_TLS.equals(certType)) {
        // defaults for TLS
        keyPurposeDefault = new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth };
    }
    boolean criticalKeyPurpose = getProperty(PROPERTY_CERT_CRITICAL_KEY_PURPOSE, false);
    KeyPurposeId[] keyPurpose = createKeyPurposeIds(keyPurposeDefault);
    if (keyPurpose != null) {
        extensions.add(new Extension(Extension.extendedKeyUsage, criticalKeyPurpose,
                new ExtendedKeyUsage(keyPurpose).getEncoded()));
    }
    // subjectAlternativeName, built from the PROPERTY_PREFIX_CERT_NAME properties
    List<ASN1Encodable> subjectAlternativeNames = extractAlternativeNames(PROPERTY_PREFIX_CERT_NAME);
    if (!subjectAlternativeNames.isEmpty()) {
        boolean criticalNames = getProperty(PROPERTY_CERT_CRITICAL_NAMES, false);
        DERSequence subjectAlternativeNamesExtension = new DERSequence(
                subjectAlternativeNames.toArray(new ASN1Encodable[subjectAlternativeNames.size()]));
        extensions.add(new Extension(Extension.subjectAlternativeName, criticalNames,
                subjectAlternativeNamesExtension.getEncoded()));
    }
    if (issuerCertificate == null) {
        // self-issued: CRL distribution point and AIA come from configuration
        DistributionPoint[] crlDistributionPoints = createCrlDistributionPoints();
        if (crlDistributionPoints != null) {
            boolean criticalCrlDistPoints = getProperty(PROPERTY_CERT_CRITICAL_CRL_DISTRIBUTION_POINTS, false);
            extensions.add(new Extension(Extension.cRLDistributionPoints, criticalCrlDistPoints,
                    new CRLDistPoint(crlDistributionPoints).getEncoded()));
        }
        // authority information access
        AccessDescription[] accessDescriptions = createAccessDescriptions();
        if (accessDescriptions != null) {
            boolean criticalAuthorityInformationAccess = getProperty(
                    PROPERTY_CERT_CRITICAL_AUTHORITY_INFORMATION_ACCESS, false);
            extensions.add(new Extension(Extension.authorityInfoAccess, criticalAuthorityInformationAccess,
                    new AuthorityInformationAccess(accessDescriptions).getEncoded()));
        }
    } else {
        // issued by a CA: reuse the issuer's own CRL distribution point and AIA extensions
        // (presumably the issuer's CRL/OCSP endpoints also serve its subordinates — verify)
        copyExtension(Extension.cRLDistributionPoints, issuerCertificate, extensions);
        copyExtension(Extension.authorityInfoAccess, issuerCertificate, extensions);
    }
    return extensions;
}
From source file:org.signserver.module.pdfsigner.org.ejbca.util.CertTools.java
License:Open Source License
/**
 * Returns the first CRL distribution point URL found in a certificate's CRL Distribution
 * Points extension, walking the raw ASN.1 structure: each DistributionPoint SEQUENCE is
 * scanned for its [0] distributionPoint field and the first URI in it wins.
 *
 * @param certificate the certificate to inspect; non-X.509 certificates yield {@code null}
 * @return the first distribution point URL, or {@code null} if the certificate is not an
 *         X.509 certificate, has no such extension, or names no URI
 * @throws CertificateParsingException wrapping any failure while decoding the extension or
 *         building the URL
 */
public static URL getCrlDistributionPoint(Certificate certificate) throws CertificateParsingException {
    if (!(certificate instanceof X509Certificate)) {
        return null;
    }
    final X509Certificate x509cert = (X509Certificate) certificate;
    try {
        final ASN1Object extensionValue = getExtensionValue(x509cert, Extension.cRLDistributionPoints);
        if (extensionValue == null) {
            return null;
        }
        final ASN1Sequence distributionPoints = (ASN1Sequence) extensionValue;
        final int pointCount = distributionPoints.size();
        for (int p = 0; p < pointCount; p++) {
            final ASN1Sequence point = (ASN1Sequence) distributionPoints.getObjectAt(p);
            final int fieldCount = point.size();
            for (int f = 0; f < fieldCount; f++) {
                final ASN1TaggedObject field = (ASN1TaggedObject) point.getObjectAt(f);
                // tag [0] is the distributionPoint field; reasons [1] and cRLIssuer [2] are skipped
                if (field.getTagNo() != 0) {
                    continue;
                }
                final String uri = getUriFromGeneralNames(field.getObject());
                if (uri != null) {
                    return new URL(uri);
                }
            }
        }
        return null;
    } catch (Exception e) {
        // Any decoding or URL failure is surfaced as a parsing error, with the cause kept.
        log.error("Error parsing CrlDistributionPoint", e);
        throw new CertificateParsingException(e.toString(), e);
    }
}
From source file:org.signserver.test.utils.builders.CertBuilder.java
License:Open Source License
/**
 * Shorthand for adding a CRL distribution point whose fullName is a single URI.
 * The extension is marked non-critical and carries neither reasons nor a cRLIssuer.
 *
 * @param uri the URI of the distribution point
 * @return this builder, for chaining
 */
public CertBuilder addCDPURI(final String uri) {
    final GeneralName uriName = new GeneralName(GeneralName.uniformResourceIdentifier, uri);
    final DistributionPointName fullName = new DistributionPointName(DistributionPointName.FULL_NAME, uriName);
    final DistributionPoint[] points = { new DistributionPoint(fullName, null, null) };
    final ASN1Encodable extensionValue = new CRLDistPoint(points);
    addExtension(new CertExt(Extension.cRLDistributionPoints, false, extensionValue));
    return this;
}
From source file:org.usrz.libs.crypto.cert.X509CertificateBuilder.java
License:Apache License
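/**
 * Builds the final {@link X509Certificate} from the builder state.
 * <p>
 * Validates the mandatory fields, derives the issuer public key from an RSA CRT private
 * key when none was given (so an authorityKeyIdentifier can be added), assembles the
 * extensions, signs with the issuer private key and re-parses the result through the
 * JCA "X.509" {@link CertificateFactory}.
 *
 * @return the signed certificate
 * @throws IllegalStateException if a mandatory field is missing, the validity period is
 *         empty or inverted, an extension cannot be added, or signing/encoding fails
 */
public X509Certificate build() {
    if (subject == null) {
        throw new IllegalStateException("Subject not specified");
    }
    if (issuer == null) {
        throw new IllegalStateException("Issuer not specified");
    }
    if (serial == null) {
        throw new IllegalStateException("Serial not specified");
    }
    if (!notAfter.after(notBefore)) {
        throw new IllegalStateException("Date \"not-after\" before or equal to \"not-before\"");
    }
    if (issuerPrivateKey == null) {
        throw new IllegalStateException("Issuer private key not specified");
    }
    if (subjectPublicKey == null) {
        // message previously read "Sobject public key not specified"
        throw new IllegalStateException("Subject public key not specified");
    }

    /* Standard subject public key and X500 names */
    final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo
            .getInstance(subjectPublicKey.getEncoded());
    final X500Name subjectName = X500Name.getInstance(subject.getEncoded());
    final X500Name issuerName = X500Name.getInstance(issuer.getEncoded());

    /* Derive the issuer public key from the private one if needed/possible.
     * Only RSA CRT keys expose modulus and public exponent; on failure the
     * authorityKeyIdentifier below is simply omitted. */
    if ((issuerPublicKey == null) && (issuerPrivateKey instanceof RSAPrivateCrtKey)) {
        try {
            final RSAPrivateCrtKey key = (RSAPrivateCrtKey) issuerPrivateKey;
            final RSAPublicKeySpec spec = new RSAPublicKeySpec(key.getModulus(), key.getPublicExponent());
            issuerPublicKey = KeyFactory.getInstance("RSA").generatePublic(spec);
        } catch (InvalidKeySpecException | NoSuchAlgorithmException exception) {
            Logger.getLogger(this.getClass().getName()).log(Level.FINE,
                    "Unable to generate public key from private", exception);
        }
    }

    final X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(issuerName, serial,
            notBefore, notAfter, subjectName, subjectPublicKeyInfo);

    try {
        final JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();

        /* Are we a certificate authority? basicConstraints is the only critical extension added */
        certificateBuilder.addExtension(Extension.basicConstraints, true,
                new BasicConstraints(Mode.AUTHORITY.equals(mode)));

        /* Add our subject key identifier */
        certificateBuilder.addExtension(Extension.subjectKeyIdentifier, false,
                utils.createSubjectKeyIdentifier(subjectPublicKeyInfo));

        /* Do we have Standard key usages? */
        if (!standardKeyUsage.isEmpty()) {
            certificateBuilder.addExtension(Extension.keyUsage, false,
                    new KeyUsage(StandardKeyUsage.combine(standardKeyUsage)));
        }

        /* Do we have extended key usages? */
        if (!extendedKeyUsage.isEmpty()) {
            certificateBuilder.addExtension(Extension.extendedKeyUsage, false,
                    ExtendedKeyUsage.combine(extendedKeyUsage));
        }

        /* Add our authority key identifier (only when the issuer public key is known) */
        if (issuerPublicKey != null) {
            final SubjectPublicKeyInfo authorityPublicKeyInfo = SubjectPublicKeyInfo
                    .getInstance(issuerPublicKey.getEncoded());
            certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false,
                    utils.createAuthorityKeyIdentifier(authorityPublicKeyInfo));
        }

        /* Add our alternative names */
        if (!alternativeNames.isEmpty()) {
            final GeneralName[] names = alternativeNames.toArray(new GeneralName[alternativeNames.size()]);
            certificateBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names));
        }

        /* Add CRL distribution points: one fullName DistributionPoint per configured GeneralName */
        if (!crlDistributionPoints.isEmpty()) {
            final DistributionPoint[] distributionPoints = new DistributionPoint[crlDistributionPoints.size()];
            int position = 0;
            for (GeneralName generalName : crlDistributionPoints) {
                final DistributionPointName distributionPointName = new DistributionPointName(
                        new GeneralNames(generalName));
                distributionPoints[position++] = new DistributionPoint(distributionPointName, null, null);
            }
            final CRLDistPoint crlDistributionPoint = new CRLDistPoint(distributionPoints);
            certificateBuilder.addExtension(Extension.cRLDistributionPoints, false, crlDistributionPoint);
        }
    } catch (CertIOException | NoSuchAlgorithmException exception) {
        throw new IllegalStateException("Exception adding extensions", exception);
    }

    try {
        final CertificateFactory factory = CertificateFactory.getInstance("X.509");
        final String signatureAlgorithm = CryptoUtils.getSignatureAlgorithm(issuerPrivateKey, hash);
        final ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(issuerPrivateKey);
        final X509CertificateHolder certificateHolder = certificateBuilder.build(signer);
        // Round-trip through the JCA factory so callers get a provider-backed X509Certificate.
        return (X509Certificate) factory
                .generateCertificate(new ByteArrayInputStream(certificateHolder.getEncoded()));
    } catch (OperatorCreationException exception) {
        throw new IllegalStateException("Unable to create certificate signature", exception);
    } catch (IOException exception) {
        throw new IllegalStateException("Unable to generate certificate data", exception);
    } catch (CertificateException exception) {
        throw new IllegalStateException("Unable to generate certificate", exception);
    }
}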