List of usage examples for org.bouncycastle.asn1.x509 Extension invalidityDate
ASN1ObjectIdentifier invalidityDate
To view the source code for org.bouncycastle.asn1.x509 Extension invalidityDate.
Click Source Link
From source file:net.sf.portecle.crypto.X509Ext.java
License:Open Source License
/** * Get extension value as a string.//from w w w. java2 s . c o m * * @return Extension value as a string * @throws IOException If an I/O problem occurs * @throws ParseException If a date formatting problem occurs */ public String getStringValue() throws IOException, ParseException { // Get octet string from extension byte[] bOctets = ((ASN1OctetString) ASN1Primitive.fromByteArray(m_bValue)).getOctets(); // Octet string processed differently depending on extension type if (m_Oid.equals(X509ObjectIdentifiers.commonName)) { return getCommonNameStringValue(bOctets); } else if (m_Oid.equals(Extension.subjectKeyIdentifier)) { return getSubjectKeyIdentifierStringValue(bOctets); } else if (m_Oid.equals(Extension.keyUsage)) { return getKeyUsageStringValue(bOctets); } else if (m_Oid.equals(Extension.privateKeyUsagePeriod)) { return getPrivateKeyUsagePeriod(bOctets); } else if (m_Oid.equals(Extension.issuerAlternativeName) || m_Oid.equals(Extension.subjectAlternativeName)) { return getAlternativeName(bOctets); } else if (m_Oid.equals(Extension.basicConstraints)) { return getBasicConstraintsStringValue(bOctets); } else if (m_Oid.equals(Extension.cRLNumber)) { return getCrlNumberStringValue(bOctets); } else if (m_Oid.equals(Extension.reasonCode)) { return getReasonCodeStringValue(bOctets); } else if (m_Oid.equals(Extension.instructionCode)) { return getHoldInstructionCodeStringValue(bOctets); } else if (m_Oid.equals(Extension.invalidityDate)) { return getInvalidityDateStringValue(bOctets); } else if (m_Oid.equals(Extension.deltaCRLIndicator)) { return getDeltaCrlIndicatorStringValue(bOctets); } else if (m_Oid.equals(Extension.certificateIssuer)) { return getCertificateIssuerStringValue(bOctets); } else if (m_Oid.equals(Extension.policyMappings)) { return getPolicyMappingsStringValue(bOctets); } else if (m_Oid.equals(Extension.authorityKeyIdentifier)) { return getAuthorityKeyIdentifierStringValue(bOctets); } else if (m_Oid.equals(Extension.policyConstraints)) { return getPolicyConstraintsStringValue(bOctets); } else if (m_Oid.equals(Extension.extendedKeyUsage)) { return getExtendedKeyUsageStringValue(bOctets); } else if (m_Oid.equals(Extension.inhibitAnyPolicy)) { return getInhibitAnyPolicyStringValue(bOctets); } else if (m_Oid.equals(MiscObjectIdentifiers.entrustVersionExtension)) { return getEntrustVersionExtensionStringValue(bOctets); } else if (m_Oid.equals(PKCSObjectIdentifiers.pkcs_9_at_smimeCapabilities)) { return getSmimeCapabilitiesStringValue(bOctets); } else if (m_Oid.equals(MicrosoftObjectIdentifiers.microsoftCaVersion)) { return getMicrosoftCAVersionStringValue(bOctets); } else if (m_Oid.equals(MicrosoftObjectIdentifiers.microsoftPrevCaCertHash)) { return getMicrosoftPreviousCACertificateHashStringValue(bOctets); } else if (m_Oid.equals(MicrosoftObjectIdentifiers.microsoftCertTemplateV2)) { return getMicrosoftCertificateTemplateV2StringValue(bOctets); } else if (m_Oid.equals(MicrosoftObjectIdentifiers.microsoftAppPolicies)) { return getUnknownOidStringValue(bOctets); // TODO } // TODO: https://github.com/bcgit/bc-java/pull/92 else if (m_Oid.toString().equals("1.3.6.1.4.1.311.21.4")) { return getMicrosoftCrlNextPublish(bOctets); } else if (m_Oid.equals(Extension.authorityInfoAccess) || m_Oid.equals(Extension.subjectInfoAccess)) { return getInformationAccessStringValue(bOctets); } else if (m_Oid.equals(Extension.logoType)) { return getLogotypeStringValue(bOctets); } else if (m_Oid.equals(MiscObjectIdentifiers.novellSecurityAttribs)) { return getNovellSecurityAttributesStringValue(bOctets); } else if (m_Oid.equals(MiscObjectIdentifiers.netscapeCertType)) { return getNetscapeCertificateTypeStringValue(bOctets); } else if (m_Oid.equals(MiscObjectIdentifiers.netscapeSSLServerName) || m_Oid.equals(MiscObjectIdentifiers.netscapeCertComment) || m_Oid.equals(MiscObjectIdentifiers.verisignDnbDunsNumber) || m_Oid.equals(MicrosoftObjectIdentifiers.microsoftCertTemplateV1)) { return getASN1ObjectString(bOctets); } else if (m_Oid.equals(MiscObjectIdentifiers.netscapeCApolicyURL)) { return getNetscapeExtensionURLValue(bOctets, LinkClass.BROWSER); } else if (m_Oid.equals(MiscObjectIdentifiers.netscapeBaseURL) || m_Oid.equals(MiscObjectIdentifiers.netscapeRenewalURL) || m_Oid.equals(MiscObjectIdentifiers.netscapeRevocationURL) || m_Oid.equals(MiscObjectIdentifiers.netscapeCARevocationURL)) { return getNetscapeExtensionURLValue(bOctets, LinkClass.CRL); } else if (m_Oid.equals(Extension.cRLDistributionPoints)) { return getCrlDistributionPointsStringValue(bOctets); } else if (m_Oid.equals(Extension.certificatePolicies)) { return getCertificatePoliciesStringValue(bOctets); } // TODO: // - CERTIFICATE_POLICIES_OLD_OID // - AUTHORITY_KEY_IDENTIFIER_OLD_OID // - BASIC_CONSTRAINTS_OLD_0_OID // Don't know how to process the extension // and clear text else { return getUnknownOidStringValue(bOctets); } }
From source file:org.cryptable.pki.communication.PKICMPMessages.java
License:Open Source License
/** * Revoke a certificate/*from w ww.j a va 2 s . c o m*/ * */ public byte[] createRevocationMessage(RevocationInput[] revocationInputs) throws CertificateEncodingException, CMSException, CRMFException, OperatorCreationException, CMPException, IOException, PKICMPMessageException, NoSuchFieldException, IllegalAccessException { List<RevDetails> revDetailsList = new ArrayList<RevDetails>(revocationInputs.length); for (RevocationInput revocationInput : revocationInputs) { List<Extension> extensions = new ArrayList<Extension>(); X509CertificateHolder x509CertificateHolder = new JcaX509CertificateHolder( revocationInput.getX509Certificate()); CertTemplateBuilder certTemplateBuilder = new CertTemplateBuilder(); // Template to fill in certTemplateBuilder.setSubject(x509CertificateHolder.getSubject()) .setIssuer(x509CertificateHolder.getIssuer()) .setSerialNumber(new ASN1Integer(x509CertificateHolder.getSerialNumber())) .setPublicKey(x509CertificateHolder.getSubjectPublicKeyInfo()); // Optional Revocation Extensions if (revocationInput.getReasonCode() != -1) { extensions.add(new Extension(Extension.reasonCode, false, new ReasonFlags(revocationInput.getReasonCode()).getEncoded())); } if (revocationInput.getInvalidityDate() != null) { extensions.add(new Extension(Extension.invalidityDate, false, new Time(revocationInput.getInvalidityDate()).getEncoded())); } if (extensions.size() == 0) { revDetailsList.add(new RevDetails(certTemplateBuilder.build())); } else { revDetailsList.add(new RevDetails(certTemplateBuilder.build(), new Extensions(extensions.toArray(new Extension[extensions.size()])))); } } RevReqContent revReqContent = new RevReqContent( revDetailsList.toArray(new RevDetails[revDetailsList.size()])); return createProtectedPKIMessage(new PKIBody(PKIBody.TYPE_REVOCATION_REQ, revReqContent)); }
From source file:org.cryptable.pki.communication.PKICMPMessagesTest.java
License:Open Source License
/** * Test the confirmation message from the certification authority * * @throws IOException/*ww w . j av a2s . c om*/ * @throws CertificateEncodingException * @throws OperatorCreationException * @throws CMPException */ @Test public void testRevocationMessageWithExtensions() throws IOException, CertificateEncodingException, OperatorCreationException, CMPException, PKICMPMessageException, CRMFException, IllegalAccessException, CMSException, NoSuchFieldException { PKICMPMessages pkiMessages = new PKICMPMessages(); pkiMessages.setPkiKeyStore(pkiKeyStoreRA); List<RevocationInput> revocationInputs = new ArrayList<RevocationInput>(2); Date invalidityDate = new Date(System.currentTimeMillis() - 500L * 60 * 60 * 24 * 30); revocationInputs.add(new RevocationInput(pki.getTestUser1Cert(), RevocationInput.aACompromise)); revocationInputs .add(new RevocationInput(pki.getTestUser2Cert(), RevocationInput.noReasonCode, invalidityDate)); byte[] result = pkiMessages .createRevocationMessage(revocationInputs.toArray(new RevocationInput[revocationInputs.size()])); ASN1InputStream asn1InputStream = new ASN1InputStream(result); ASN1Primitive asn1Primitive = asn1InputStream.readObject(); PKIMessage pkiMessage = PKIMessage.getInstance(asn1Primitive); // Check the Body Assert.assertEquals(PKIBody.TYPE_REVOCATION_REQ, pkiMessage.getBody().getType()); RevDetails[] revDetailses = RevReqContent.getInstance(pkiMessage.getBody().getContent()) .toRevDetailsArray(); Assert.assertEquals(pki.getTestUser1Cert().getIssuerDN().getName().toString(), revDetailses[0].getCertDetails().getIssuer().toString()); Assert.assertEquals(pki.getTestUser1Cert().getSerialNumber(), revDetailses[0].getCertDetails().getSerialNumber().getValue()); Assert.assertEquals(pki.getTestUser1Cert().getSubjectDN().getName().toString(), revDetailses[0].getCertDetails().getSubject().toString()); Assert.assertArrayEquals(pki.getTestUser1Cert().getPublicKey().getEncoded(), revDetailses[0].getCertDetails().getPublicKey().getEncoded()); Assert.assertNotNull(revDetailses[0].getCrlEntryDetails()); Assert.assertNull(revDetailses[0].getCrlEntryDetails().getExtensionParsedValue(Extension.invalidityDate)); ReasonFlags reasonFlags = new ReasonFlags(ReasonFlags .getInstance(revDetailses[0].getCrlEntryDetails().getExtensionParsedValue(Extension.reasonCode))); Assert.assertEquals(RevocationInput.aACompromise, reasonFlags.intValue()); Assert.assertEquals(pki.getTestUser2Cert().getIssuerDN().getName().toString(), revDetailses[1].getCertDetails().getIssuer().toString()); Assert.assertEquals(pki.getTestUser2Cert().getSerialNumber(), revDetailses[1].getCertDetails().getSerialNumber().getValue()); Assert.assertEquals(pki.getTestUser2Cert().getSubjectDN().getName().toString(), revDetailses[1].getCertDetails().getSubject().toString()); Assert.assertArrayEquals(pki.getTestUser2Cert().getPublicKey().getEncoded(), revDetailses[1].getCertDetails().getPublicKey().getEncoded()); Assert.assertNotNull(revDetailses[1].getCrlEntryDetails()); Assert.assertNull(revDetailses[1].getCrlEntryDetails().getExtensionParsedValue(Extension.reasonCode)); Time tmp = new Time(revDetailses[1].getCrlEntryDetails().getExtensionParsedValue(Extension.invalidityDate) .toASN1Primitive()); Assert.assertEquals(invalidityDate.toString(), tmp.getDate().toString()); }
From source file:org.xipki.ca.client.impl.X509CmpRequestor.java
License:Open Source License
private PKIMessage buildRevokeCertRequest(final RevokeCertRequestType request) throws CmpRequestorException { PKIHeader header = buildPKIHeader(null); List<RevokeCertRequestEntryType> requestEntries = request.getRequestEntries(); List<RevDetails> revDetailsArray = new ArrayList<>(requestEntries.size()); for (RevokeCertRequestEntryType requestEntry : requestEntries) { CertTemplateBuilder certTempBuilder = new CertTemplateBuilder(); certTempBuilder.setIssuer(requestEntry.getIssuer()); certTempBuilder.setSerialNumber(new ASN1Integer(requestEntry.getSerialNumber())); Date invalidityDate = requestEntry.getInvalidityDate(); Extension[] extensions = new Extension[invalidityDate == null ? 1 : 2]; try {//from w w w .j av a 2s . c o m ASN1Enumerated reason = new ASN1Enumerated(requestEntry.getReason()); extensions[0] = new Extension(Extension.reasonCode, true, new DEROctetString(reason.getEncoded())); if (invalidityDate != null) { ASN1GeneralizedTime time = new ASN1GeneralizedTime(invalidityDate); extensions[1] = new Extension(Extension.invalidityDate, true, new DEROctetString(time.getEncoded())); } } catch (IOException e) { throw new CmpRequestorException(e.getMessage(), e); } Extensions exts = new Extensions(extensions); RevDetails revDetails = new RevDetails(certTempBuilder.build(), exts); revDetailsArray.add(revDetails); } RevReqContent content = new RevReqContent(revDetailsArray.toArray(new RevDetails[0])); PKIBody body = new PKIBody(PKIBody.TYPE_REVOCATION_REQ, content); return new PKIMessage(header, body); }
From source file:org.xipki.ca.server.impl.X509CA.java
License:Open Source License
private static Extension createInvalidityDateExtension(final Date invalidityDate) { try {/*from w ww .jav a 2s .c om*/ ASN1GeneralizedTime asnTime = new ASN1GeneralizedTime(invalidityDate); return new Extension(Extension.invalidityDate, false, asnTime.getEncoded()); } catch (IOException e) { throw new IllegalArgumentException("error encoding reason: " + e.getMessage(), e); } }
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
private PKIBody revokeOrUnrevokeOrRemoveCertificates(final RevReqContent rr, final AuditEvent auditEvent, final Permission permission) { RevDetails[] revContent = rr.toRevDetailsArray(); RevRepContentBuilder repContentBuilder = new RevRepContentBuilder(); final int n = revContent.length; // test the reques for (int i = 0; i < n; i++) { RevDetails revDetails = revContent[i]; CertTemplate certDetails = revDetails.getCertDetails(); X500Name issuer = certDetails.getIssuer(); ASN1Integer serialNumber = certDetails.getSerialNumber(); try {//from w w w . j a va2 s.com X500Name caSubject = getCA().getCAInfo().getCertificate().getSubjectAsX500Name(); if (issuer == null) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer is not present"); } else if (issuer.equals(caSubject) == false) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "issuer not targets at the CA"); } else if (serialNumber == null) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "serialNumber is not present"); } else if (certDetails.getSigningAlg() != null || certDetails.getValidity() != null || certDetails.getSubject() != null || certDetails.getPublicKey() != null || certDetails.getIssuerUID() != null || certDetails.getSubjectUID() != null || certDetails.getExtensions() != null) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badCertTemplate, "only version, issuer and serialNumber in RevDetails.certDetails are allowed, " + "but more is specified"); } } catch (IllegalArgumentException e) { return createErrorMsgPKIBody(PKIStatus.rejection, PKIFailureInfo.badRequest, "the request is not invalid"); } } for (int i = 0; i < n; i++) { AuditChildEvent childAuditEvent = null; if (auditEvent != null) { childAuditEvent = new AuditChildEvent(); auditEvent.addChildAuditEvent(childAuditEvent); } RevDetails revDetails = revContent[i]; CertTemplate certDetails = revDetails.getCertDetails(); ASN1Integer serialNumber = certDetails.getSerialNumber(); // serialNumber is not null due to the check in the previous for-block. X500Name caSubject = getCA().getCAInfo().getCertificate().getSubjectAsX500Name(); BigInteger snBigInt = serialNumber.getPositiveValue(); CertId certId = new CertId(new GeneralName(caSubject), serialNumber); if (childAuditEvent != null) { AuditEventData eventData = new AuditEventData("serialNumber", snBigInt.toString()); childAuditEvent.addEventData(eventData); } PKIStatusInfo status; try { Object returnedObj = null; X509CA ca = getCA(); if (Permission.UNREVOKE_CERT == permission) { // unrevoke returnedObj = ca.unrevokeCertificate(snBigInt); } else if (Permission.REMOVE_CERT == permission) { // remove returnedObj = ca.removeCertificate(snBigInt); } else { // revoke Date invalidityDate = null; CRLReason reason = null; Extensions crlDetails = revDetails.getCrlEntryDetails(); if (crlDetails != null) { ASN1ObjectIdentifier extId = Extension.reasonCode; ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId); if (extValue != null) { int reasonCode = ((ASN1Enumerated) extValue).getValue().intValue(); reason = CRLReason.forReasonCode(reasonCode); } extId = Extension.invalidityDate; extValue = crlDetails.getExtensionParsedValue(extId); if (extValue != null) { try { invalidityDate = ((ASN1GeneralizedTime) extValue).getDate(); } catch (ParseException e) { throw new OperationException(ErrorCode.INVALID_EXTENSION, "invalid extension " + extId.getId()); } } } // end if(crlDetails) if (reason == null) { reason = CRLReason.UNSPECIFIED; } if (childAuditEvent != null) { childAuditEvent.addEventData(new AuditEventData("reason", reason.getDescription())); if (invalidityDate != null) { String value; synchronized (dateFormat) { value = dateFormat.format(invalidityDate); } childAuditEvent.addEventData(new AuditEventData("invalidityDate", value)); } } returnedObj = ca.revokeCertificate(snBigInt, reason, invalidityDate); } // end if(permission) if (returnedObj == null) { throw new OperationException(ErrorCode.UNKNOWN_CERT, "cert not exists"); } status = new PKIStatusInfo(PKIStatus.granted); if (childAuditEvent != null) { childAuditEvent.setStatus(AuditStatus.SUCCESSFUL); } } catch (OperationException e) { ErrorCode code = e.getErrorCode(); LOG.warn("{} certificate, OperationException: code={}, message={}", new Object[] { permission.name(), code.name(), e.getErrorMessage() }); String auditMessage; int failureInfo; switch (code) { case BAD_REQUEST: failureInfo = PKIFailureInfo.badRequest; auditMessage = "BAD_REQUEST"; break; case CERT_REVOKED: failureInfo = PKIFailureInfo.certRevoked; auditMessage = "CERT_REVOKED"; break; case CERT_UNREVOKED: failureInfo = PKIFailureInfo.notAuthorized; auditMessage = "CERT_UNREVOKED"; break; case DATABASE_FAILURE: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "DATABASE_FAILURE"; break; case INVALID_EXTENSION: failureInfo = PKIFailureInfo.unacceptedExtension; auditMessage = "INVALID_EXTENSION"; break; case INSUFFICIENT_PERMISSION: failureInfo = PKIFailureInfo.notAuthorized; auditMessage = "INSUFFICIENT_PERMISSION"; break; case NOT_PERMITTED: failureInfo = PKIFailureInfo.notAuthorized; auditMessage = "NOT_PERMITTED"; break; case SYSTEM_FAILURE: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "System_Failure"; break; case SYSTEM_UNAVAILABLE: failureInfo = PKIFailureInfo.systemUnavail; auditMessage = "System_Unavailable"; break; case UNKNOWN_CERT: failureInfo = PKIFailureInfo.badCertId; auditMessage = "UNKNOWN_CERT"; break; default: failureInfo = PKIFailureInfo.systemFailure; auditMessage = "InternalErrorCode " + e.getErrorCode(); break; } // end switch(code) if (childAuditEvent != null) { childAuditEvent.setStatus(AuditStatus.FAILED); childAuditEvent.addEventData(new AuditEventData("message", auditMessage)); } String errorMessage; switch (code) { case DATABASE_FAILURE: case SYSTEM_FAILURE: errorMessage = code.name(); break; default: errorMessage = code.name() + ": " + e.getErrorMessage(); break; } // end switch(code) status = generateCmpRejectionStatus(failureInfo, errorMessage); } // end try repContentBuilder.add(status, certId); } // end for return new PKIBody(PKIBody.TYPE_REVOCATION_REP, repContentBuilder.build()); }
From source file:org.xipki.commons.console.karaf.completer.ExtensionNameCompleter.java
License:Open Source License
public ExtensionNameCompleter() { List<ASN1ObjectIdentifier> oids = new LinkedList<>(); oids.add(ObjectIdentifiers.id_extension_pkix_ocsp_nocheck); oids.add(ObjectIdentifiers.id_extension_admission); oids.add(Extension.auditIdentity); oids.add(Extension.authorityInfoAccess); oids.add(Extension.authorityKeyIdentifier); oids.add(Extension.basicConstraints); oids.add(Extension.biometricInfo); oids.add(Extension.certificateIssuer); oids.add(Extension.certificatePolicies); oids.add(Extension.cRLDistributionPoints); oids.add(Extension.cRLNumber); oids.add(Extension.deltaCRLIndicator); oids.add(Extension.extendedKeyUsage); oids.add(Extension.freshestCRL); oids.add(Extension.inhibitAnyPolicy); oids.add(Extension.instructionCode); oids.add(Extension.invalidityDate); oids.add(Extension.issuerAlternativeName); oids.add(Extension.issuingDistributionPoint); oids.add(Extension.keyUsage); oids.add(Extension.logoType); oids.add(Extension.nameConstraints); oids.add(Extension.noRevAvail); oids.add(Extension.policyConstraints); oids.add(Extension.policyMappings); oids.add(Extension.privateKeyUsagePeriod); oids.add(Extension.qCStatements); oids.add(Extension.reasonCode); oids.add(Extension.subjectAlternativeName); oids.add(Extension.subjectDirectoryAttributes); oids.add(Extension.subjectInfoAccess); oids.add(Extension.subjectKeyIdentifier); oids.add(Extension.targetInformation); oids.add(ObjectIdentifiers.id_pe_tlsfeature); StringBuilder enums = new StringBuilder(); for (ASN1ObjectIdentifier oid : oids) { String name = ObjectIdentifiers.getName(oid); if (StringUtil.isBlank(name)) { name = oid.getId();/* w w w .j a va 2 s . c om*/ } enums.append(name).append(","); } enums.deleteCharAt(enums.length() - 1); setTokens(enums.toString()); }
From source file:org.xipki.console.karaf.impl.completer.ExtensionNameCompleterImpl.java
License:Open Source License
public ExtensionNameCompleterImpl() { List<ASN1ObjectIdentifier> oids = new LinkedList<>(); oids.add(ObjectIdentifiers.id_extension_pkix_ocsp_nocheck); oids.add(ObjectIdentifiers.id_extension_admission); oids.add(Extension.auditIdentity); oids.add(Extension.authorityInfoAccess); oids.add(Extension.authorityKeyIdentifier); oids.add(Extension.basicConstraints); oids.add(Extension.biometricInfo); oids.add(Extension.certificateIssuer); oids.add(Extension.certificatePolicies); oids.add(Extension.cRLDistributionPoints); oids.add(Extension.cRLNumber); oids.add(Extension.deltaCRLIndicator); oids.add(Extension.extendedKeyUsage); oids.add(Extension.freshestCRL); oids.add(Extension.inhibitAnyPolicy); oids.add(Extension.instructionCode); oids.add(Extension.invalidityDate); oids.add(Extension.issuerAlternativeName); oids.add(Extension.issuingDistributionPoint); oids.add(Extension.keyUsage); oids.add(Extension.logoType); oids.add(Extension.nameConstraints); oids.add(Extension.noRevAvail); oids.add(Extension.policyConstraints); oids.add(Extension.policyMappings); oids.add(Extension.privateKeyUsagePeriod); oids.add(Extension.qCStatements); oids.add(Extension.reasonCode); oids.add(Extension.subjectAlternativeName); oids.add(Extension.subjectDirectoryAttributes); oids.add(Extension.subjectInfoAccess); oids.add(Extension.subjectKeyIdentifier); oids.add(Extension.targetInformation); StringBuilder enums = new StringBuilder(); for (ASN1ObjectIdentifier oid : oids) { String name = ObjectIdentifiers.getName(oid); if (StringUtil.isBlank(name)) { name = oid.getId();/* w ww . j av a 2 s. c o m*/ } enums.append(name).append(","); } enums.deleteCharAt(enums.length() - 1); setTokens(enums.toString()); }
From source file:org.xipki.ocsp.client.shell.OCSPStatusCommand.java
License:Open Source License
@Override protected Object processResponse(final OCSPResp response, final X509Certificate respIssuer, final X509Certificate issuer, final List<BigInteger> serialNumbers, final Map<BigInteger, byte[]> encodedCerts) throws Exception { BasicOCSPResp basicResp = OCSPUtils.extractBasicOCSPResp(response); boolean extendedRevoke = basicResp.getExtension(OCSPRequestor.id_pkix_ocsp_extendedRevoke) != null; SingleResp[] singleResponses = basicResp.getResponses(); int n = singleResponses == null ? 0 : singleResponses.length; if (n == 0) { throw new CmdFailure("received no status from server"); }/*from w w w .j a va 2 s . co m*/ if (n != serialNumbers.size()) { throw new CmdFailure("received status with " + n + " single responses from server, but " + serialNumbers.size() + " were requested"); } Date[] thisUpdates = new Date[n]; for (int i = 0; i < n; i++) { thisUpdates[i] = singleResponses[i].getThisUpdate(); } // check the signature if available if (null == basicResp.getSignature()) { out("response is not signed"); } else { X509CertificateHolder[] responderCerts = basicResp.getCerts(); if (responderCerts == null || responderCerts.length < 1) { throw new CmdFailure("no responder certificate is contained in the response"); } X509CertificateHolder respSigner = responderCerts[0]; boolean validOn = true; for (Date thisUpdate : thisUpdates) { validOn = respSigner.isValidOn(thisUpdate); if (validOn == false) { throw new CmdFailure("responder certificate is not valid on " + thisUpdate); } } if (validOn) { PublicKey responderPubKey = KeyUtil.generatePublicKey(respSigner.getSubjectPublicKeyInfo()); ContentVerifierProvider cvp = KeyUtil.getContentVerifierProvider(responderPubKey); boolean sigValid = basicResp.isSignatureValid(cvp); if (sigValid == false) { throw new CmdFailure("response is equipped with invalid signature"); } // verify the OCSPResponse signer if (respIssuer != null) { boolean certValid = true; X509Certificate jceRespSigner = new X509CertificateObject(respSigner.toASN1Structure()); if (X509Util.issues(respIssuer, jceRespSigner)) { try { jceRespSigner.verify(respIssuer.getPublicKey()); } catch (SignatureException e) { certValid = false; } } if (certValid == false) { throw new CmdFailure( "response is equipped with valid signature but the OCSP signer is not trusted"); } } else { out("response is equipped with valid signature"); } } if (verbose.booleanValue()) { out("responder is " + X509Util.getRFC4519Name(responderCerts[0].getSubject())); } } for (int i = 0; i < n; i++) { if (n > 1) { out("---------------------------- " + i + " ----------------------------"); } SingleResp singleResp = singleResponses[i]; BigInteger serialNumber = singleResp.getCertID().getSerialNumber(); CertificateStatus singleCertStatus = singleResp.getCertStatus(); String status; if (singleCertStatus == null) { status = "good"; } else if (singleCertStatus instanceof RevokedStatus) { RevokedStatus revStatus = (RevokedStatus) singleCertStatus; Date revTime = revStatus.getRevocationTime(); Date invTime = null; Extension ext = singleResp.getExtension(Extension.invalidityDate); if (ext != null) { invTime = ASN1GeneralizedTime.getInstance(ext.getParsedValue()).getDate(); } if (revStatus.hasRevocationReason()) { int reason = revStatus.getRevocationReason(); if (extendedRevoke && reason == CRLReason.CERTIFICATE_HOLD.getCode() && revTime.getTime() == 0) { status = "unknown (RFC6960)"; } else { StringBuilder sb = new StringBuilder("revoked, reason = "); sb.append(CRLReason.forReasonCode(reason).getDescription()); sb.append(", revocationTime = "); sb.append(revTime); if (invTime != null) { sb.append(", invalidityTime = "); sb.append(invTime); } status = sb.toString(); } } else { status = "revoked, no reason, revocationTime = " + revTime; } } else if (singleCertStatus instanceof UnknownStatus) { status = "unknown (RFC2560)"; } else { status = "ERROR"; } StringBuilder msg = new StringBuilder(); msg.append("serialNumber: ").append(serialNumber); msg.append("\nCertificate status: ").append(status); if (verbose.booleanValue()) { msg.append("\nthisUpdate: " + singleResp.getThisUpdate()); msg.append("\nnextUpdate: " + singleResp.getNextUpdate()); Extension extension = singleResp.getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash); if (extension != null) { msg.append("\nCertHash is provided:\n"); ASN1Encodable extensionValue = extension.getParsedValue(); CertHash certHash = CertHash.getInstance(extensionValue); ASN1ObjectIdentifier hashAlgOid = certHash.getHashAlgorithm().getAlgorithm(); byte[] hashValue = certHash.getCertificateHash(); msg.append("\tHash algo : ").append(hashAlgOid.getId()).append("\n"); msg.append("\tHash value: ").append(Hex.toHexString(hashValue)).append("\n"); if (encodedCerts != null) { byte[] encodedCert = encodedCerts.get(serialNumber); MessageDigest md = MessageDigest.getInstance(hashAlgOid.getId()); byte[] expectedHashValue = md.digest(encodedCert); if (Arrays.equals(expectedHashValue, hashValue)) { msg.append("\tThis matches the requested certificate"); } else { msg.append("\tThis differs from the requested certificate"); } } } extension = singleResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_archive_cutoff); if (extension != null) { ASN1Encodable extensionValue = extension.getParsedValue(); ASN1GeneralizedTime time = ASN1GeneralizedTime.getInstance(extensionValue); msg.append("\nArchive-CutOff: "); msg.append(time.getTimeString()); } AlgorithmIdentifier sigAlg = basicResp.getSignatureAlgorithmID(); if (sigAlg == null) { msg.append(("\nresponse is not signed")); } else { String sigAlgName = AlgorithmUtil.getSignatureAlgoName(sigAlg); if (sigAlgName == null) { sigAlgName = "unknown"; } msg.append("\nresponse is signed with ").append(sigAlgName); } // extensions msg.append("\nExtensions: "); List<?> extensionOIDs = basicResp.getExtensionOIDs(); if (extensionOIDs == null || extensionOIDs.size() == 0) { msg.append("-"); } else { int size = extensionOIDs.size(); for (int j = 0; j < size; j++) { ASN1ObjectIdentifier extensionOID = (ASN1ObjectIdentifier) extensionOIDs.get(j); String name = extensionOidNameMap.get(extensionOID); msg.append(name == null ? extensionOID.getId() : name); if (j != size - 1) { msg.append(", "); } } } } out(msg.toString()); } out(""); return null; }
From source file:org.xipki.ocsp.server.impl.certstore.CrlCertStatusStore.java
License:Open Source License
private synchronized void initializeStore(final boolean force) { Boolean updateCRLSuccessfull = null; try {// w w w . j a v a 2 s . c o m File fullCrlFile = new File(crlFilename); if (fullCrlFile.exists() == false) { // file does not exist LOG.warn("CRL File {} does not exist", crlFilename); return; } long newLastModifed = fullCrlFile.lastModified(); boolean deltaCrlExists; File deltaCrlFile = null; if (deltaCrlFilename != null) { deltaCrlFile = new File(deltaCrlFilename); deltaCrlExists = deltaCrlFile.exists(); } else { deltaCrlExists = false; } long newLastModifedOfDeltaCrl = deltaCrlExists ? deltaCrlFile.lastModified() : 0; if (force == false) { long now = System.currentTimeMillis(); if (newLastModifed != lastmodifiedOfCrlFile) { if (now - newLastModifed < 5000) { return; // still in copy process } } if (deltaCrlExists) { if (newLastModifedOfDeltaCrl != lastModifiedOfDeltaCrlFile) { if (now - newLastModifed < 5000) { return; // still in copy process } } } } // end if(force) byte[] newFp = sha1Fp(fullCrlFile); boolean crlFileChanged = Arrays.equals(newFp, fpOfCrlFile) == false; if (crlFileChanged == false) { auditLogPCIEvent(AuditLevel.INFO, "UPDATE_CERTSTORE", "current CRL is still up-to-date"); return; } byte[] newFpOfDeltaCrl = deltaCrlExists ? sha1Fp(deltaCrlFile) : null; boolean deltaCrlFileChanged = Arrays.equals(newFpOfDeltaCrl, fpOfDeltaCrlFile) == false; if (crlFileChanged == false && deltaCrlFileChanged == false) { return; } if (crlFileChanged) { LOG.info("CRL file {} has changed, updating of the CertStore required", crlFilename); } if (deltaCrlFileChanged) { LOG.info("DeltaCRL file {} has changed, updating of the CertStore required", deltaCrlFilename); } auditLogPCIEvent(AuditLevel.INFO, "UPDATE_CERTSTORE", "a newer version of CRL is available"); updateCRLSuccessfull = false; X509CRL crl = X509Util.parseCRL(crlFilename); BigInteger crlNumber; { byte[] octetString = crl.getExtensionValue(Extension.cRLNumber.getId()); if (octetString != null) { byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); crlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); } else { crlNumber = null; } } X500Principal issuer = crl.getIssuerX500Principal(); boolean caAsCrlIssuer = true; if (caCert.getSubjectX500Principal().equals(issuer) == false) { caAsCrlIssuer = false; if (issuerCert == null) { throw new IllegalArgumentException("issuerCert could not be null"); } if (issuerCert.getSubjectX500Principal().equals(issuer) == false) { throw new IllegalArgumentException("The issuerCert and CRL do not match"); } } X509Certificate crlSignerCert = caAsCrlIssuer ? caCert : issuerCert; try { crl.verify(crlSignerCert.getPublicKey()); } catch (Exception e) { throw new CertStatusStoreException(e.getMessage(), e); } X509CRL deltaCrl = null; BigInteger deltaCrlNumber = null; BigInteger baseCrlNumber = null; if (deltaCrlExists) { if (crlNumber == null) { throw new CertStatusStoreException("baseCRL does not contains CRLNumber"); } deltaCrl = X509Util.parseCRL(deltaCrlFilename); byte[] octetString = deltaCrl.getExtensionValue(Extension.deltaCRLIndicator.getId()); if (octetString == null) { deltaCrl = null; LOG.warn("{} is a full CRL instead of delta CRL, ignore it", deltaCrlFilename); } else { byte[] extnValue = DEROctetString.getInstance(octetString).getOctets(); baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); if (baseCrlNumber.equals(crlNumber) == false) { deltaCrl = null; LOG.info("{} is not a deltaCRL for the CRL {}, ignore it", deltaCrlFilename, crlFilename); } else { octetString = deltaCrl.getExtensionValue(Extension.cRLNumber.getId()); extnValue = DEROctetString.getInstance(octetString).getOctets(); deltaCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue(); } } } if (crlFileChanged == false && deltaCrl == null) { return; } Date newThisUpdate; Date newNextUpdate; if (deltaCrl != null) { LOG.info("try to update CRL with CRLNumber={} and DeltaCRL with CRLNumber={}", crlNumber, deltaCrlNumber); newThisUpdate = deltaCrl.getThisUpdate(); newNextUpdate = deltaCrl.getNextUpdate(); } else { newThisUpdate = crl.getThisUpdate(); newNextUpdate = crl.getNextUpdate(); } // Construct CrlID ASN1EncodableVector v = new ASN1EncodableVector(); if (StringUtil.isNotBlank(crlUrl)) { v.add(new DERTaggedObject(true, 0, new DERIA5String(crlUrl, true))); } byte[] extValue = (deltaCrlExists ? deltaCrl : crl).getExtensionValue(Extension.cRLNumber.getId()); if (extValue != null) { ASN1Integer asn1CrlNumber = ASN1Integer.getInstance(removeTagAndLenFromExtensionValue(extValue)); v.add(new DERTaggedObject(true, 1, asn1CrlNumber)); } v.add(new DERTaggedObject(true, 2, new DERGeneralizedTime(newThisUpdate))); this.crlID = CrlID.getInstance(new DERSequence(v)); byte[] encodedCaCert; try { encodedCaCert = caCert.getEncoded(); } catch (CertificateEncodingException e) { throw new CertStatusStoreException(e.getMessage(), e); } Certificate bcCaCert = Certificate.getInstance(encodedCaCert); byte[] encodedName; try { encodedName = bcCaCert.getSubject().getEncoded("DER"); } catch (IOException e) { throw new CertStatusStoreException(e.getMessage(), e); } byte[] encodedKey = bcCaCert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes(); Map<HashAlgoType, IssuerHashNameAndKey> newIssuerHashMap = new ConcurrentHashMap<>(); for (HashAlgoType hashAlgo : HashAlgoType.values()) { byte[] issuerNameHash = HashCalculator.hash(hashAlgo, encodedName); byte[] issuerKeyHash = HashCalculator.hash(hashAlgo, encodedKey); IssuerHashNameAndKey issuerHash = new IssuerHashNameAndKey(hashAlgo, issuerNameHash, issuerKeyHash); newIssuerHashMap.put(hashAlgo, issuerHash); } X500Name caName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()); // extract the certificate, only in full CRL, not in delta CRL boolean certsIncluded = false; Set<CertWithInfo> certs = new HashSet<>(); String oidExtnCerts = ObjectIdentifiers.id_xipki_ext_crlCertset.getId(); byte[] extnValue = crl.getExtensionValue(oidExtnCerts); if (extnValue == null) { // try the legacy OID extnValue = crl.getExtensionValue("1.3.6.1.4.1.12655.100"); } if (extnValue != null) { extnValue = removeTagAndLenFromExtensionValue(extnValue); certsIncluded = true; ASN1Set asn1Set = DERSet.getInstance(extnValue); int n = asn1Set.size(); for (int i = 0; i < n; i++) { ASN1Encodable asn1 = asn1Set.getObjectAt(i); Certificate bcCert; String profileName = null; try { ASN1Sequence seq = ASN1Sequence.getInstance(asn1); bcCert = Certificate.getInstance(seq.getObjectAt(0)); if (seq.size() > 1) { profileName = DERUTF8String.getInstance(seq.getObjectAt(1)).getString(); } } catch (IllegalArgumentException e) { // backwards compatibility bcCert = Certificate.getInstance(asn1); } if (caName.equals(bcCert.getIssuer()) == false) { throw new CertStatusStoreException("invalid entry in CRL Extension certs"); } if (profileName == null) { profileName = "UNKNOWN"; } certs.add(new CertWithInfo(bcCert, profileName)); } } if (certsDirname != null) { if (extnValue != null) { LOG.warn("ignore certsDir '{}', since certificates are included in CRL Extension certs", certsDirname); } else { certsIncluded = true; Set<CertWithInfo> tmpCerts = readCertWithInfosFromDir(caCert, certsDirname); certs.addAll(tmpCerts); } } Map<BigInteger, CrlCertStatusInfo> newCertStatusInfoMap = new ConcurrentHashMap<>(); // First consider only full CRL Set<? extends X509CRLEntry> revokedCertListInFullCRL = crl.getRevokedCertificates(); if (revokedCertListInFullCRL != null) { for (X509CRLEntry revokedCert : revokedCertListInFullCRL) { X500Principal thisIssuer = revokedCert.getCertificateIssuer(); if (thisIssuer != null && caCert.getSubjectX500Principal().equals(thisIssuer) == false) { throw new CertStatusStoreException("invalid CRLEntry"); } } } Set<? extends X509CRLEntry> revokedCertListInDeltaCRL = null; if (deltaCrl != null) { revokedCertListInDeltaCRL = deltaCrl.getRevokedCertificates(); if (revokedCertListInDeltaCRL != null) { for (X509CRLEntry revokedCert : revokedCertListInDeltaCRL) { X500Principal thisIssuer = revokedCert.getCertificateIssuer(); if (thisIssuer != null && caCert.getSubjectX500Principal().equals(thisIssuer) == false) { throw new CertStatusStoreException("invalid CRLEntry"); } } } } Map<BigInteger, X509CRLEntry> revokedCertMap = null; // merge the revoked list if (CollectionUtil.isNotEmpty(revokedCertListInDeltaCRL)) { revokedCertMap = new HashMap<BigInteger, X509CRLEntry>(); for (X509CRLEntry entry : revokedCertListInFullCRL) { revokedCertMap.put(entry.getSerialNumber(), entry); } for (X509CRLEntry entry : revokedCertListInDeltaCRL) { BigInteger serialNumber = entry.getSerialNumber(); java.security.cert.CRLReason reason = entry.getRevocationReason(); if (reason == java.security.cert.CRLReason.REMOVE_FROM_CRL) { revokedCertMap.remove(serialNumber); } else { revokedCertMap.put(serialNumber, entry); } } } Iterator<? extends X509CRLEntry> it = null; if (revokedCertMap != null) { it = revokedCertMap.values().iterator(); } else if (revokedCertListInFullCRL != null) { it = revokedCertListInFullCRL.iterator(); } if (it != null) { while (it.hasNext()) { X509CRLEntry revokedCert = it.next(); BigInteger serialNumber = revokedCert.getSerialNumber(); byte[] encodedExtnValue = revokedCert.getExtensionValue(Extension.reasonCode.getId()); int reasonCode; if (encodedExtnValue != null) { ASN1Enumerated enumerated = ASN1Enumerated .getInstance(removeTagAndLenFromExtensionValue(encodedExtnValue)); reasonCode = enumerated.getValue().intValue(); } else { reasonCode = CRLReason.UNSPECIFIED.getCode(); } Date revTime = revokedCert.getRevocationDate(); Date invalidityTime = null; extnValue = revokedCert.getExtensionValue(Extension.invalidityDate.getId()); if (extnValue != null) { extnValue = removeTagAndLenFromExtensionValue(extnValue); ASN1GeneralizedTime gTime = DERGeneralizedTime.getInstance(extnValue); try { invalidityTime = gTime.getDate(); } catch (ParseException e) { throw new CertStatusStoreException(e.getMessage(), e); } if (revTime.equals(invalidityTime)) { invalidityTime = null; } } CertWithInfo cert = null; if (certsIncluded) { for (CertWithInfo bcCert : certs) { if (bcCert.cert.getIssuer().equals(caName) && bcCert.cert.getSerialNumber().getPositiveValue().equals(serialNumber)) { cert = bcCert; break; } } if (cert == null) { LOG.info("could not find certificate (issuer = '{}', serialNumber = '{}'", X509Util.getRFC4519Name(caName), serialNumber); } else { certs.remove(cert); } } Map<HashAlgoType, byte[]> certHashes = (cert == null) ? null : getCertHashes(cert.cert); CertRevocationInfo revocationInfo = new CertRevocationInfo(reasonCode, revTime, invalidityTime); CrlCertStatusInfo crlCertStatusInfo = CrlCertStatusInfo.getRevokedCertStatusInfo(revocationInfo, (cert == null) ? null : cert.profileName, certHashes); newCertStatusInfoMap.put(serialNumber, crlCertStatusInfo); } // end while(it.hasNext()) } // end if(it) for (CertWithInfo cert : certs) { Map<HashAlgoType, byte[]> certHashes = getCertHashes(cert.cert); CrlCertStatusInfo crlCertStatusInfo = CrlCertStatusInfo.getGoodCertStatusInfo(cert.profileName, certHashes); newCertStatusInfoMap.put(cert.cert.getSerialNumber().getPositiveValue(), crlCertStatusInfo); } this.initialized = false; this.lastmodifiedOfCrlFile = newLastModifed; this.fpOfCrlFile = newFp; this.lastModifiedOfDeltaCrlFile = newLastModifedOfDeltaCrl; this.fpOfDeltaCrlFile = newFpOfDeltaCrl; this.issuerHashMap.clear(); this.issuerHashMap.putAll(newIssuerHashMap); this.certStatusInfoMap.clear(); this.certStatusInfoMap.putAll(newCertStatusInfoMap); this.thisUpdate = newThisUpdate; this.nextUpdate = newNextUpdate; this.initializationFailed = false; this.initialized = true; updateCRLSuccessfull = true; LOG.info("updated CertStore {}", getName()); } catch (Exception e) { final String message = "could not execute initializeStore()"; if (LOG.isErrorEnabled()) { LOG.error(LogUtil.buildExceptionLogFormat(message), e.getClass().getName(), e.getMessage()); } LOG.debug(message, e); initializationFailed = true; initialized = true; } finally { if (updateCRLSuccessfull != null) { AuditLevel auditLevel; AuditStatus auditStatus; String eventType = "UPDATE_CRL"; if (updateCRLSuccessfull) { auditLevel = AuditLevel.INFO; auditStatus = AuditStatus.FAILED; } else { auditLevel = AuditLevel.ERROR; auditStatus = AuditStatus.SUCCESSFUL; } auditLogPCIEvent(auditLevel, eventType, auditStatus.name()); } } }