List of usage examples for org.bouncycastle.asn1.x509 X509Extension cRLNumber
ASN1ObjectIdentifier cRLNumber
From source file:mitm.common.security.crl.PKIXRevocationChecker.java
License:Open Source License
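/**
 * Reports whether the CRL carries a critical extension this checker does not
 * understand. RFC 5280 section 5.2 says a CRL with a critical extension the
 * application cannot process MUST NOT be used to determine certificate status,
 * so a {@code true} result has to fail validation.
 *
 * Tolerated critical extensions: issuingDistributionPoint, deltaCRLIndicator
 * and cRLNumber (handled by this checker), plus authorityKeyIdentifier.
 * RFC 3280/5280 section 4.2.1.1 says AKI "MUST NOT be marked critical", but
 * some issuers (Verisign) set it critical anyway; because the value itself is
 * harmless, the flag is ignored rather than rejecting every CRL from such an
 * issuer.
 *
 * The set returned by {@link X509CRL#getCriticalExtensionOIDs()} is only
 * read, never mutated. The previous version called {@code remove()} on it,
 * which silently relied on every provider handing back a fresh, mutable copy.
 *
 * @param crl the CRL being checked
 * @return true if at least one critical extension is outside the tolerated list
 */
private boolean hasUnsupportedCriticalExtensions(X509CRL crl) {
    Set<String> criticalExtensions = crl.getCriticalExtensionOIDs();
    if (criticalExtensions == null) {
        return false;
    }
    for (String oid : criticalExtensions) {
        if (!isToleratedCriticalCrlExtension(oid)) {
            return true;
        }
    }
    return false;
}

/** True for the critical CRL extension OIDs this checker handles or deliberately ignores. */
private static boolean isToleratedCriticalCrlExtension(String oid) {
    return oid.equals(X509Extension.issuingDistributionPoint.getId())
            || oid.equals(X509Extension.deltaCRLIndicator.getId())
            || oid.equals(X509Extension.cRLNumber.getId())
            || oid.equals(X509Extension.authorityKeyIdentifier.getId());
}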
From source file:mitm.common.security.crl.X509CRLInspector.java
License:Open Source License
/** * Returns the crl number extension if present, null if not present */// w w w . jav a 2 s .c o m public static BigInteger getCRLNumber(X509CRL crl) throws IOException { byte[] derCRLNumber = crl.getExtensionValue(X509Extension.cRLNumber.getId()); BigInteger crlNumber = null; if (derCRLNumber != null) { ASN1Encodable extension = DERUtils.fromExtensionValue(derCRLNumber); /* CRL number must be a positive number */ crlNumber = CRLNumber.getInstance(extension).getCRLNumber(); } return crlNumber; }
From source file:net.ripe.rpki.commons.crypto.crl.X509Crl.java
License:BSD License
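/**
 * Returns the CRL number carried in this CRL's cRLNumber extension, or null
 * when the extension is absent.
 *
 * The extension value is decoded with {@code X509ExtensionUtil.fromExtensionValue}
 * and must be an ASN.1 INTEGER. Its value is read via {@code getPositiveValue()},
 * i.e. the content octets are taken as an unsigned magnitude.
 * NOTE(review): a non-conforming negative encoding would therefore surface as
 * a large positive number rather than as an error; if the RPKI profile
 * requires rejecting it, check {@code signum()} on {@code getValue()} instead -
 * confirm against the profile before changing.
 *
 * @return the CRL number, or null if the CRL has no cRLNumber extension
 * @throws X509CrlException if the extension cannot be decoded, or decodes to
 *         something other than an INTEGER (previously that case escaped as a
 *         bare ClassCastException)
 */
public BigInteger getNumber() {
    byte[] extensionValue = getCrl().getExtensionValue(X509Extension.cRLNumber.getId());
    if (extensionValue == null) {
        return null;
    }
    try {
        ASN1Integer number = (ASN1Integer) X509ExtensionUtil.fromExtensionValue(extensionValue);
        return number.getPositiveValue();
    } catch (IOException e) {
        throw new X509CrlException("cannot get CRLNumber extension from CRL", e);
    } catch (ClassCastException e) {
        throw new X509CrlException("CRLNumber extension is not an ASN.1 INTEGER", e);
    }
}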
From source file:net.ripe.rpki.commons.crypto.crl.X509CrlBuilder.java
License:BSD License
/**
 * Assembles the BouncyCastle CRL generator from this builder's state: issuer,
 * thisUpdate/nextUpdate, a non-critical authorityKeyIdentifier, a non-critical
 * cRLNumber, and one entry per revoked serial. Every entry is added with reason
 * code 0 (unspecified) and no per-entry extensions.
 *
 * @return a populated, not-yet-signed {@link X509v2CRLBuilder}
 * @throws CertIOException if an extension cannot be encoded
 */
private X509v2CRLBuilder createCrlGenerator() throws CertIOException {
    X500Name issuerName = X500Name.getInstance(issuerDN.getEncoded());
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuerName, thisUpdateTime.toDate());
    builder.setNextUpdate(nextUpdateTime.toDate());

    // Both extensions are non-critical, as RFC 5280 sections 5.2.1 and 5.2.3 require.
    builder.addExtension(X509Extension.authorityKeyIdentifier, false, authorityKeyIdentifier);
    builder.addExtension(X509Extension.cRLNumber, false, crlNumber);

    for (X509Crl.Entry revoked : entries.values()) {
        builder.addCRLEntry(revoked.getSerialNumber(), revoked.getRevocationDateTime().toDate(), 0);
    }
    return builder;
}
From source file:org.candlepin.CRLBenchmark.java
License:Open Source License
/**
 * JMH trial setup: generates a throw-away 2048-bit RSA key pair, builds a CRL
 * with two million revoked serials (0..1999999, reason unspecified, each
 * revoked at the moment it is added), signs it with SHA256WithRSAEncryption
 * through BouncyCastle, and writes the DER encoding to a temp file whose path
 * is kept in {@code crlFile}.
 *
 * The CRL number is 127 on purpose: incrementing it to 128 forces a leading
 * 0x00 byte, so the INTEGER's encoding grows by one byte - presumably the
 * length-change edge the benchmarked code must handle.
 *
 * The key exists only to produce a valid signature; it is never persisted.
 * The temp file is not deleted by this method.
 */
@Setup(Level.Trial)
public void buildMassiveCRL() throws Exception {
    Provider bcProvider = new BouncyCastleProvider();

    KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
    rsaGen.initialize(2048);
    KeyPair rsaKeys = rsaGen.generateKeyPair();

    ContentSigner crlSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
            .setProvider(bcProvider)
            .build(rsaKeys.getPrivate());

    X500Name issuer = new X500Name("CN=Test Issuer");
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    builder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(rsaKeys.getPublic()));
    builder.addExtension(X509Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));

    final int entryCount = 2000000;
    for (int serial = 0; serial < entryCount; serial++) {
        builder.addCRLEntry(BigInteger.valueOf(serial), new Date(), CRLReason.unspecified);
    }

    X509CRLHolder signedHolder = builder.build(crlSigner);
    X509CRL crl = new JcaX509CRLConverter().setProvider(bcProvider).getCRL(signedHolder);

    crlFile = File.createTempFile("crl", ".der");
    System.out.println("\nWrote test crl to " + crlFile.getAbsolutePath());
    FileUtils.writeByteArrayToFile(crlFile, crl.getEncoded());
}
From source file:org.candlepin.CRLWriteBenchmark.java
License:Open Source License
/**
 * JMH trial setup for the write benchmark. Populates the {@code issuer},
 * {@code bc} and {@code signer} fields (a fresh 2048-bit RSA key signing with
 * SHA256WithRSAEncryption via BouncyCastle), builds a CRL with two million
 * revoked serials (0..1999999, reason unspecified), and writes its DER
 * encoding to a temp file whose path is stored in {@code crlFile}.
 *
 * The CRL number is 127 on purpose: incrementing it to 128 forces a leading
 * 0x00 byte, so the INTEGER's encoding grows by one byte - presumably the
 * length-change edge the benchmarked writer must handle.
 *
 * The generated key is never persisted; the temp file is not deleted here.
 */
@Setup(Level.Trial)
public void buildMassiveCRL() throws Exception {
    issuer = new X500Name("CN=Test Issuer");
    bc = new BouncyCastleProvider();

    KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
    rsaGen.initialize(2048);
    KeyPair rsaKeys = rsaGen.generateKeyPair();
    signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
            .setProvider(bc)
            .build(rsaKeys.getPrivate());

    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    builder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(rsaKeys.getPublic()));
    builder.addExtension(X509Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));

    final int entryCount = 2000000;
    for (int serial = 0; serial < entryCount; serial++) {
        builder.addCRLEntry(BigInteger.valueOf(serial), new Date(), CRLReason.unspecified);
    }

    X509CRL crl = new JcaX509CRLConverter().setProvider(bc).getCRL(builder.build(signer));

    crlFile = File.createTempFile("crl", ".der");
    System.out.println("\nWrote test crl to " + crlFile.getAbsolutePath());
    FileUtils.writeByteArrayToFile(crlFile, crl.getEncoded());
}
From source file:org.candlepin.util.X509CRLEntryStreamTest.java
License:Open Source License
/**
 * A CRL with no revoked entries (only AKI and cRLNumber extensions, and no
 * nextUpdate) must stream zero serials. The holder's DER encoding is written
 * to a file in the test folder because {@link X509CRLEntryStream} reads from
 * disk.
 */
@Test
public void testIterateOverEmptyCrl() throws Exception {
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    builder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(keyPair.getPublic()));
    builder.addExtension(X509Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    X509CRLHolder emptyCrl = builder.build(signer);

    File crlFile = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(crlFile, emptyCrl.getEncoded());

    X509CRLEntryStream stream = new X509CRLEntryStream(crlFile);
    try {
        Set<BigInteger> seenSerials = new HashSet<BigInteger>();
        for (; stream.hasNext(); ) {
            seenSerials.add(stream.next().getSerialNumber());
        }
        assertEquals(0, seenSerials.size());
    } finally {
        stream.close();
    }
}
From source file:org.candlepin.util.X509CRLEntryStreamTest.java
License:Open Source License
/**
 * A CRL built without a nextUpdate (only thisUpdate, AKI and cRLNumber) and
 * holding a single entry for serial 100 must stream exactly that one serial.
 * The holder's DER encoding goes through a file in the test folder because
 * {@link X509CRLEntryStream} reads from disk.
 */
@Test
public void testCRLwithoutUpdateTime() throws Exception {
    BigInteger revokedSerial = new BigInteger("100");

    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    builder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(keyPair.getPublic()));
    builder.addExtension(X509Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    builder.addCRLEntry(revokedSerial, new Date(), CRLReason.unspecified);
    X509CRLHolder oneEntryCrl = builder.build(signer);

    File crlFile = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(crlFile, oneEntryCrl.getEncoded());

    X509CRLEntryStream stream = new X509CRLEntryStream(crlFile);
    try {
        Set<BigInteger> seenSerials = new HashSet<BigInteger>();
        for (; stream.hasNext(); ) {
            seenSerials.add(stream.next().getSerialNumber());
        }
        assertEquals(1, seenSerials.size());
        assertTrue(seenSerials.contains(revokedSerial));
    } finally {
        stream.close();
    }
}
From source file:org.candlepin.util.X509CRLStreamWriter.java
License:Open Source License
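/**
 * Rewrites a CRL that contains no revoked entries as a fresh CRL carrying
 * {@code newEntries}, and writes the signed DER encoding to {@code out}.
 *
 * The old CRL (parsed from {@code crlIn}) supplies the issuer, the signature
 * algorithm and the cRLNumber/authorityKeyIdentifier extensions; the rest is
 * regenerated:
 * <ul>
 *   <li>thisUpdate becomes "now". nextUpdate is set to now plus the old CRL's
 *       thisUpdate-to-nextUpdate span, and is left unset when the old CRL had
 *       none (nextUpdate is OPTIONAL per RFC 5280 section 5.1.2.5; the previous
 *       version dereferenced it unconditionally and threw NullPointerException
 *       on such input).</li>
 *   <li>cRLNumber is incremented by one and authorityKeyIdentifier is
 *       re-encoded from the old value, each keeping the old criticality flag.
 *       No other extension of the old CRL is re-added by this method
 *       (addCRL() is presumed to copy entries only - verify against the
 *       BouncyCastle version in use).</li>
 *   <li>each new entry contributes its serial, revocation time and, when the
 *       entry carries a reasonCode extension, that reason (else unspecified).</li>
 * </ul>
 *
 * Security note: the signature algorithm is whatever the old CRL used
 * ({@code oldCrl.toASN1Structure().getSignatureAlgorithm()}), so a legacy
 * digest on the input is perpetuated on the output; a caller that needs a
 * particular algorithm must make sure the input CRL already uses it. The RSA
 * key is rebuilt from modulus and private exponent only (no CRT parameters),
 * which is correct but slower than the CRT form.
 *
 * @param out destination for the signed DER-encoded CRL
 * @throws IOException if the input cannot be read or parsed, or if signing fails
 */
protected void writeToEmptyCrl(OutputStream out) throws IOException {
    ASN1InputStream asn1in = null;
    try {
        asn1in = new ASN1InputStream(crlIn);
        DERSequence certListSeq = (DERSequence) asn1in.readObject();
        CertificateList certList = new CertificateList(certListSeq);
        X509CRLHolder oldCrl = new X509CRLHolder(certList);

        Date now = new Date();
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(oldCrl.getIssuer(), now);
        crlBuilder.addCRL(oldCrl);

        // Carry the old validity window forward from "now". nextUpdate is
        // OPTIONAL in a CRL, so only set one when the old CRL had one.
        Time oldNextUpdate = certList.getNextUpdate();
        if (oldNextUpdate != null) {
            long window = oldNextUpdate.getDate().getTime()
                    - certList.getThisUpdate().getDate().getTime();
            crlBuilder.setNextUpdate(new Date(now.getTime() + window));
        }

        for (Object o : oldCrl.getExtensionOIDs()) {
            ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) o;
            X509Extension ext = oldCrl.getExtension(oid);
            if (oid.equals(X509Extension.cRLNumber)) {
                // The extension value is an OCTET STRING wrapping a DER INTEGER.
                DEROctetString octet = (DEROctetString) ext.getValue().getDERObject();
                DERInteger currentNumber = (DERInteger) DERTaggedObject.fromByteArray(octet.getOctets());
                DERInteger nextNumber = new DERInteger(currentNumber.getValue().add(BigInteger.ONE));
                crlBuilder.addExtension(oid, ext.isCritical(), nextNumber);
            } else if (oid.equals(X509Extension.authorityKeyIdentifier)) {
                crlBuilder.addExtension(oid, ext.isCritical(),
                        new AuthorityKeyIdentifierStructure(ext.getValue().getDEREncoded()));
            }
        }

        for (DERSequence entry : newEntries) {
            // XXX: the caller already had serial, date and reason in hand;
            // re-deriving them from the pre-encoded entry is round-about.
            BigInteger serial = ((DERInteger) entry.getObjectAt(0)).getValue();
            Date revokeDate = ((Time) entry.getObjectAt(1)).getDate();
            int reason = CRLReason.unspecified;
            if (entry.size() == 3) {
                X509Extensions extensions = (X509Extensions) entry.getObjectAt(2);
                X509Extension reasonExt = extensions.getExtension(X509Extension.reasonCode);
                if (reasonExt != null) {
                    reason = ((DEREnumerated) reasonExt.getParsedValue()).getValue().intValue();
                }
            }
            crlBuilder.addCRLEntry(serial, revokeDate, reason);
        }

        RSAKeyParameters keyParams = new RSAKeyParameters(true, key.getModulus(), key.getPrivateExponent());
        signingAlg = oldCrl.toASN1Structure().getSignatureAlgorithm();
        digestAlg = new DefaultDigestAlgorithmIdentifierFinder().find(signingAlg);
        try {
            ContentSigner s = new BcRSAContentSignerBuilder(signingAlg, digestAlg).build(keyParams);
            X509CRLHolder newCrl = crlBuilder.build(s);
            out.write(newCrl.getEncoded());
        } catch (OperatorCreationException e) {
            throw new IOException("Could not sign CRL", e);
        }
    } finally {
        IOUtils.closeQuietly(asn1in);
    }
}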
From source file:org.candlepin.util.X509CRLStreamWriter.java
License:Open Source License
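/**
 * Rewrites the encoded CRL extensions block ({@code [0] EXPLICIT Extensions}
 * of TBSCertList): cRLNumber is incremented by one and authorityKeyIdentifier
 * is replaced with {@code akiStructure}. Every other extension is copied
 * through unchanged.
 *
 * Each extension is a SEQUENCE { OID, BOOLEAN critical DEFAULT FALSE, OCTET
 * STRING value }, so the value is always the last element. It is therefore
 * read by position from the end rather than at index 1, which would misread
 * (ClassCastException) an extension whose critical flag is encoded. Both
 * rewritten extensions are emitted non-critical, as RFC 5280 sections 5.2.1
 * and 5.2.3 require for AKI and cRLNumber.
 *
 * @param obj DER encoding of the tagged extensions block
 * @return DER encoding of the rewritten tagged extensions block
 * @throws IOException if {@code obj} cannot be parsed
 */
@SuppressWarnings("rawtypes")
protected byte[] updateExtensions(byte[] obj) throws IOException {
    DERTaggedObject taggedExts = (DERTaggedObject) DERTaggedObject.fromByteArray(obj);
    DERSequence seq = (DERSequence) taggedExts.getObject();
    ASN1EncodableVector modifiedExts = new ASN1EncodableVector();

    Enumeration objs = seq.getObjects();
    while (objs.hasMoreElements()) {
        DERSequence ext = (DERSequence) objs.nextElement();
        DERObjectIdentifier oid = (DERObjectIdentifier) ext.getObjectAt(0);
        if (X509Extension.cRLNumber.equals(oid)) {
            // The value is the last element whether or not the critical BOOLEAN is present.
            DEROctetString s = (DEROctetString) ext.getObjectAt(ext.size() - 1);
            DERInteger i = (DERInteger) DERTaggedObject.fromByteArray(s.getOctets());
            DERInteger newCrlNumber = new DERInteger(i.getValue().add(BigInteger.ONE));
            X509Extension newNumberExt = new X509Extension(false,
                    new DEROctetString(newCrlNumber.getDEREncoded()));
            ASN1EncodableVector crlNumber = new ASN1EncodableVector();
            crlNumber.add(X509Extension.cRLNumber);
            crlNumber.add(newNumberExt.getValue());
            modifiedExts.add(new DERSequence(crlNumber));
        } else if (X509Extension.authorityKeyIdentifier.equals(oid)) {
            X509Extension newAuthorityKeyExt = new X509Extension(false,
                    new DEROctetString(akiStructure.getDEREncoded()));
            ASN1EncodableVector aki = new ASN1EncodableVector();
            aki.add(X509Extension.authorityKeyIdentifier);
            aki.add(newAuthorityKeyExt.getValue());
            modifiedExts.add(new DERSequence(aki));
        } else {
            modifiedExts.add(ext);
        }
    }

    DERSequence seqOut = new DERSequence(modifiedExts);
    DERTaggedObject out = new DERTaggedObject(true, 0, seqOut);
    return out.getDEREncoded();
}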