List of usage examples for org.bouncycastle.asn1.x509 IssuingDistributionPoint getDistributionPoint
public DistributionPointName getDistributionPoint()
From source file:eu.europa.ec.markt.dss.validation102853.crl.CommonCRLSource.java
License:Open Source License
private void checkCriticalExtensions(final X509CRL x509CRL, final List<String> dpUrlStringList, final CRLValidity crlValidity) { final Set<String> criticalExtensionOIDs = x509CRL.getCriticalExtensionOIDs(); if (criticalExtensionOIDs == null || criticalExtensionOIDs.size() == 0) { crlValidity.unknownCriticalExtension = false; return;/*from w ww. j ava2s. co m*/ } final String issuingDistributionPointOid = PKIXExtensions.IssuingDistributionPoint_Id.toString(); for (final String criticalExtensionOID : criticalExtensionOIDs) { if (issuingDistributionPointOid.equals(criticalExtensionOID)) { final byte[] extensionValue = x509CRL.getExtensionValue(issuingDistributionPointOid); final ASN1OctetString asn1OctetStringExtensionValue = ASN1OctetString.getInstance(extensionValue); final IssuingDistributionPoint issuingDistributionPoint = IssuingDistributionPoint .getInstance(asn1OctetStringExtensionValue.getOctets()); final boolean onlyAttributeCerts = issuingDistributionPoint.onlyContainsAttributeCerts(); final boolean onlyCaCerts = issuingDistributionPoint.onlyContainsCACerts(); final boolean onlyUserCerts = issuingDistributionPoint.onlyContainsUserCerts(); final boolean indirectCrl = issuingDistributionPoint.isIndirectCRL(); final ReasonFlags reasonFlags = issuingDistributionPoint.getOnlySomeReasons(); final DistributionPointName distributionPointName = issuingDistributionPoint.getDistributionPoint(); boolean urlFound = false; if (FULL_NAME == distributionPointName.getType()) { final GeneralNames generalNames = (GeneralNames) distributionPointName.getName(); if (generalNames != null) { final GeneralName[] names = generalNames.getNames(); if (names != null && names.length > 0) { for (final GeneralName generalName : names) { if (uniformResourceIdentifier == generalName.getTagNo()) { final String name = generalName.getName().toString(); if (DSSUtils.isNotEmpty(dpUrlStringList) && dpUrlStringList.contains(name)) { urlFound = true; } } } } } } if (!(onlyAttributeCerts && onlyCaCerts && onlyUserCerts && indirectCrl) && reasonFlags == null && urlFound) { crlValidity.unknownCriticalExtension = false; } continue; } crlValidity.unknownCriticalExtension = true; } }
From source file:eu.europa.esig.dss.x509.crl.CRLUtils.java
License:Open Source License
private static void checkCriticalExtensions(final X509CRL x509CRL, final CRLValidity crlValidity) { final Set<String> criticalExtensionOIDs = x509CRL.getCriticalExtensionOIDs(); if ((criticalExtensionOIDs == null) || (criticalExtensionOIDs.size() == 0)) { crlValidity.setUnknownCriticalExtension(false); } else {/*from w w w . j a va2 s . c o m*/ byte[] extensionValue = x509CRL.getExtensionValue(Extension.issuingDistributionPoint.getId()); IssuingDistributionPoint issuingDistributionPoint = IssuingDistributionPoint .getInstance(ASN1OctetString.getInstance(extensionValue).getOctets()); final boolean onlyAttributeCerts = issuingDistributionPoint.onlyContainsAttributeCerts(); final boolean onlyCaCerts = issuingDistributionPoint.onlyContainsCACerts(); final boolean onlyUserCerts = issuingDistributionPoint.onlyContainsUserCerts(); final boolean indirectCrl = issuingDistributionPoint.isIndirectCRL(); ReasonFlags onlySomeReasons = issuingDistributionPoint.getOnlySomeReasons(); DistributionPointName distributionPoint = issuingDistributionPoint.getDistributionPoint(); boolean urlFound = false; if (DistributionPointName.FULL_NAME == distributionPoint.getType()) { final GeneralNames generalNames = (GeneralNames) distributionPoint.getName(); if ((generalNames != null) && (generalNames.getNames() != null) && (generalNames.getNames().length > 0)) { for (GeneralName generalName : generalNames.getNames()) { if (GeneralName.uniformResourceIdentifier == generalName.getTagNo()) { urlFound = true; } } } } if (!(onlyAttributeCerts && onlyCaCerts && onlyUserCerts && indirectCrl) && (onlySomeReasons == null) && urlFound) { crlValidity.setUnknownCriticalExtension(false); } } }
From source file:mitm.common.security.crl.PKIXRevocationChecker.java
License:Open Source License
private boolean acceptCRL_6_3_3_b(X509Certificate targetCertificate, X509CRL crl) throws IOException { boolean match = false; if (X509CRLInspector.isDeltaCRL(crl)) { /* CRL is not complete because it's a delta CRL */ return false; }// w w w . j ava 2 s . c o m if (!crl.getIssuerX500Principal().equals(targetCertificate.getIssuerX500Principal())) { logger.debug("CRL issuer and certificate issuer do not match."); return false; } IssuingDistributionPoint idp = X509CRLInspector.getIssuingDistributionPoint(crl); /* if there is no IssuingDistributionPoint there is always a match */ if (idp == null) { return true; } DistributionPointName idpn = idp.getDistributionPoint(); CRLDistPoint crlDistPoint = X509CertificateInspector.getCRLDistibutionPoints(targetCertificate); DistributionPoint[] dps = null; if (crlDistPoint != null) { dps = crlDistPoint.getDistributionPoints(); } if (dps != null) { for (DistributionPoint dp : dps) { if (dp == null) { logger.debug("Distributionpoint is null."); continue; } if (dp.getCRLIssuer() != null) { /* we do not support indirect CRLs */ logger.debug("CRL issuer should only be used for indirect CRLs."); continue; } DistributionPointName dpn = dp.getDistributionPoint(); if (idp != null) { if (idpn != null && dpn != null) { X500Principal issuer = targetCertificate.getIssuerX500Principal(); if (hasMatchingName(idpn, dpn, issuer)) { match = true; break; } } } } if (!match) { logger.debug("The CRL did not contain matching DistributionPoint names."); } } else { match = (idpn == null); } BasicConstraints basicConstraints = X509CertificateInspector.getBasicConstraints(targetCertificate); if (idp != null) { /* if basicConstraints is null assume it's a user certificate */ if (idp.onlyContainsCACerts() && ((basicConstraints != null && !basicConstraints.isCA()) | basicConstraints == null)) { logger.debug("Certificate is a user certificate but CRL only contains CA certificate."); match = false; } if (idp.onlyContainsUserCerts() && basicConstraints != null && basicConstraints.isCA()) { logger.debug("Certificate is a CA but CRL only contains user certificates."); match = false; } if (idp.onlyContainsAttributeCerts()) { logger.debug("Certificate only contains attribute certs."); match = false; } } return match; }
From source file:mitm.common.security.crl.X509CRLInspectorTest.java
License:Open Source License
@Test public void testIssuingDistributionPoint2() throws CertificateException, NoSuchProviderException, SecurityFactoryFactoryException, CRLException, IOException { File file = new File("test/resources/testdata/PKITS/crls/distributionPoint1CACRL.crl"); X509CRL crl = TestUtils.loadX509CRL(file); assertNotNull(crl);//from w w w . ja v a 2s. com IssuingDistributionPoint idp = X509CRLInspector.getIssuingDistributionPoint(crl); assertFalse(idp.isIndirectCRL()); DistributionPointName dp = idp.getDistributionPoint(); GeneralName[] genNames = GeneralNames.getInstance(dp.getName()).getNames(); assertEquals(1, genNames.length); assertEquals(DistributionPointName.FULL_NAME, dp.getType()); }
From source file:net.sf.keystore_explorer.crypto.x509.X509Ext.java
License:Open Source License
private String getIssuingDistributionPointStringValue(byte[] value) throws IOException { // @formatter:off /*/*from ww w.j ava2 s.c om*/ * IssuingDistributionPoint ::= ASN1Sequence { * distributionPoint [0] DistributionPointName OPTIONAL, * onlyContainsUserCerts [1] ASN1Boolean DEFAULT FALSE, * onlyContainsCACerts [2] ASN1Boolean DEFAULT FALSE, * onlySomeReasons [3] ReasonFlags OPTIONAL, * indirectCRL [4] ASN1Boolean DEFAULT FALSE, * onlyContainsAttributeCerts [5] ASN1Boolean DEFAULT FALSE } */ // @formatter:on /* * Getting any DEFAULTS returns a false ASN1Boolean when no value * present which saves the bother of a null check */ StringBuilder sb = new StringBuilder(); IssuingDistributionPoint issuingDistributionPoint = IssuingDistributionPoint.getInstance(value); DistributionPointName distributionPointName = issuingDistributionPoint.getDistributionPoint(); if (distributionPointName != null) { // Optional sb.append(getDistributionPointNameString(distributionPointName, "")); } boolean onlyContainsUserCerts = issuingDistributionPoint.onlyContainsUserCerts(); sb.append(MessageFormat.format(res.getString("OnlyContainsUserCerts"), onlyContainsUserCerts)); sb.append(NEWLINE); boolean onlyContainsCaCerts = issuingDistributionPoint.onlyContainsCACerts(); sb.append(MessageFormat.format(res.getString("OnlyContainsCaCerts"), onlyContainsCaCerts)); sb.append(NEWLINE); ReasonFlags onlySomeReasons = issuingDistributionPoint.getOnlySomeReasons(); if (onlySomeReasons != null) {// Optional sb.append(res.getString("OnlySomeReasons")); sb.append(NEWLINE); String[] reasonFlags = getReasonFlagsStrings(onlySomeReasons); for (String reasonFlag : reasonFlags) { sb.append(INDENT); sb.append(reasonFlag); sb.append(NEWLINE); } } boolean indirectCrl = issuingDistributionPoint.isIndirectCRL(); sb.append(MessageFormat.format(res.getString("IndirectCrl"), indirectCrl)); sb.append(NEWLINE); boolean onlyContainsAttributeCerts = issuingDistributionPoint.onlyContainsAttributeCerts(); sb.append(MessageFormat.format(res.getString("OnlyContainsAttributeCerts"), onlyContainsAttributeCerts)); sb.append(NEWLINE); return sb.toString(); }
From source file:org.cesecore.certificates.ca.X509CATest.java
License:Open Source License
/** * Tests the extension CRL Distribution Point on CRLs * // ww w . j a v a 2 s . c o m */ @Test public void testCRLDistPointOnCRL() throws Exception { final CryptoToken cryptoToken = getNewCryptoToken(); final X509CA ca = createTestCA(cryptoToken, CADN); final String cdpURL = "http://www.ejbca.org/foo/bar.crl"; X509CAInfo cainfo = (X509CAInfo) ca.getCAInfo(); cainfo.setUseCrlDistributionPointOnCrl(true); cainfo.setDefaultCRLDistPoint(cdpURL); ca.updateCA(cryptoToken, cainfo); Collection<RevokedCertInfo> revcerts = new ArrayList<RevokedCertInfo>(); X509CRLHolder crl = ca.generateCRL(cryptoToken, revcerts, 1); assertNotNull(crl); X509CRL xcrl = CertTools.getCRLfromByteArray(crl.getEncoded()); byte[] cdpDER = xcrl.getExtensionValue(Extension.issuingDistributionPoint.getId()); assertNotNull("CRL has no distribution points", cdpDER); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cdpDER)); ASN1OctetString octs = (ASN1OctetString) aIn.readObject(); aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets())); IssuingDistributionPoint cdp = IssuingDistributionPoint.getInstance((ASN1Sequence) aIn.readObject()); DistributionPointName distpoint = cdp.getDistributionPoint(); assertEquals("CRL distribution point is different", cdpURL, ((DERIA5String) ((GeneralNames) distpoint.getName()).getNames()[0].getName()).getString()); cainfo.setUseCrlDistributionPointOnCrl(false); cainfo.setDefaultCRLDistPoint(null); ca.updateCA(cryptoToken, cainfo); crl = ca.generateCRL(cryptoToken, revcerts, 1); assertNotNull(crl); xcrl = CertTools.getCRLfromByteArray(crl.getEncoded()); assertNull("CRL has distribution points", xcrl.getExtensionValue(Extension.cRLDistributionPoints.getId())); }
From source file:org.cesecore.certificates.crl.CrlCreateSessionCRLTest.java
License:Open Source License
/** * Tests the extension CRL Distribution Point on CRLs *//*from www . jav a2 s .c o m*/ @Test public void testCRLDistPointOnCRL() throws Exception { final String cdpURL = "http://www.ejbca.org/foo/bar.crl"; X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo(); X509CRL x509crl; byte[] cdpDER; cainfo.setUseCrlDistributionPointOnCrl(true); cainfo.setDefaultCRLDistPoint(cdpURL); caSession.editCA(roleMgmgToken, cainfo); crlCreateSession.forceCRL(roleMgmgToken, testx509ca.getCAId()); x509crl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false)); cdpDER = x509crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId()); assertNotNull("CRL has no distribution points", cdpDER); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cdpDER)); ASN1OctetString octs = (ASN1OctetString) aIn.readObject(); aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets())); IssuingDistributionPoint cdp = new IssuingDistributionPoint((ASN1Sequence) aIn.readObject()); DistributionPointName distpoint = cdp.getDistributionPoint(); assertEquals("CRL distribution point is different", cdpURL, ((DERIA5String) ((GeneralNames) distpoint.getName()).getNames()[0].getName()).getString()); cainfo.setUseCrlDistributionPointOnCrl(false); cainfo.setDefaultCRLDistPoint(""); caSession.editCA(roleMgmgToken, cainfo); crlCreateSession.forceCRL(roleMgmgToken, testx509ca.getCAId()); x509crl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false)); assertNull("CRL has distribution points", x509crl.getExtensionValue(X509Extensions.CRLDistributionPoints.getId())); }
From source file:org.ejbca.core.ejb.ca.crl.CreateCRLSessionTest.java
License:Open Source License
/** * Tests the extension CRL Distribution Point on CRLs * //from w ww .j av a 2 s .co m * @throws Exception * error */ public void test06CRLDistPointOnCRL() throws Exception { log.trace(">test06CRLDistPointOnCRL()"); final String cdpURL = "http://www.ejbca.org/foo/bar.crl"; X509CAInfo cainfo = (X509CAInfo) ca.getCAInfo(); X509CRL x509crl; byte[] cdpDER; cainfo.setUseCrlDistributionPointOnCrl(true); cainfo.setDefaultCRLDistPoint(cdpURL); caAdminSession.editCA(admin, cainfo); ca = caSession.getCA(admin, caid); crlCreateSession.run(admin, ca); x509crl = CertTools.getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), false)); cdpDER = x509crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId()); assertNotNull("CRL has no distribution points", cdpDER); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cdpDER)); ASN1OctetString octs = (ASN1OctetString) aIn.readObject(); aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets())); IssuingDistributionPoint cdp = new IssuingDistributionPoint((ASN1Sequence) aIn.readObject()); DistributionPointName distpoint = cdp.getDistributionPoint(); assertEquals("CRL distribution point is different", cdpURL, ((DERIA5String) ((GeneralNames) distpoint.getName()).getNames()[0].getName()).getString()); cainfo.setUseCrlDistributionPointOnCrl(false); cainfo.setDefaultCRLDistPoint(""); caAdminSession.editCA(admin, cainfo); ca = caSession.getCA(admin, caid); crlCreateSession.run(admin, ca); x509crl = CertTools.getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), false)); assertNull("CRL has distribution points", x509crl.getExtensionValue(X509Extensions.CRLDistributionPoints.getId())); log.trace("<test06CRLDistPointOnCRL()"); }
From source file:org.ejbca.core.ejb.crl.PublishingCrlSessionTest.java
License:Open Source License
/** * Tests the extension CRL Distribution Point on CRLs *///from w w w. j a va 2s. c o m @Test public void testCRLDistPointOnCRL() throws Exception { final String cdpURL = "http://www.ejbca.org/foo/bar.crl"; X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo(); X509CRL x509crl; byte[] cdpDER; cainfo.setUseCrlDistributionPointOnCrl(true); cainfo.setDefaultCRLDistPoint(cdpURL); caSession.editCA(roleMgmgToken, cainfo); publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()); x509crl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false)); cdpDER = x509crl.getExtensionValue(Extension.issuingDistributionPoint.getId()); assertNotNull("CRL has no distribution points", cdpDER); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cdpDER)); ASN1OctetString octs = (ASN1OctetString) aIn.readObject(); aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets())); IssuingDistributionPoint cdp = IssuingDistributionPoint.getInstance((ASN1Sequence) aIn.readObject()); DistributionPointName distpoint = cdp.getDistributionPoint(); assertEquals("CRL distribution point is different", cdpURL, ((DERIA5String) ((GeneralNames) distpoint.getName()).getNames()[0].getName()).getString()); cainfo.setUseCrlDistributionPointOnCrl(false); cainfo.setDefaultCRLDistPoint(""); caSession.editCA(roleMgmgToken, cainfo); publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()); x509crl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false)); assertNull("CRL has distribution points", x509crl.getExtensionValue(Extension.cRLDistributionPoints.getId())); }