Example usage for org.bouncycastle.asn1.x509 X509Extensions FreshestCRL

List of usage examples for org.bouncycastle.asn1.x509 X509Extensions FreshestCRL

Introduction

On this page you can find example usages of org.bouncycastle.asn1.x509 X509Extensions FreshestCRL.

Prototype

ASN1ObjectIdentifier FreshestCRL

To view the source code for org.bouncycastle.asn1.x509 X509Extensions FreshestCRL, follow the Source link.


Document

Freshest CRL

Usage

From source file:org.cesecore.certificates.crl.CrlCreateSessionCRLTest.java

License:Open Source License

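/**
 * Tests the Freshest CRL DP extension (RFC 5280, section 5.2.6) on a CA-issued CRL: after the
 * CA is configured with a Freshest CRL URL and a CRL is forced, the generated CRL must carry
 * exactly one Freshest CRL distribution point naming that URL, and the extension must not be
 * marked critical (a critical Freshest CRL extension would make conforming relying parties
 * reject the whole CRL).
 *
 * @throws Exception in case of error.
 */
@Test
public void testCRLFreshestCRL() throws Exception {
    final String cdpURL = "http://www.ejbca.org/foo/bar.crl";
    final String freshestCdpURL = "http://www.ejbca.org/foo/delta.crl";
    final String freshestCrlOid = X509Extensions.FreshestCRL.getId();

    // Configure the CA to emit both the distribution point and the Freshest CRL extension on its CRLs.
    X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo();
    cainfo.setUseCrlDistributionPointOnCrl(true);
    cainfo.setDefaultCRLDistPoint(cdpURL);
    cainfo.setCADefinedFreshestCRL(freshestCdpURL);
    caSession.editCA(roleMgmgToken, cainfo);
    crlCreateSession.forceCRL(roleMgmgToken, testx509ca.getCAId());

    final X509CRL x509crl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false));
    final byte[] cFreshestDpDER = x509crl.getExtensionValue(freshestCrlOid);
    assertNotNull("CRL has no Freshest Distribution Point", cFreshestDpDER);

    // RFC 5280 requires the Freshest CRL extension on a CRL to be non-critical.
    // getCriticalExtensionOIDs() may be null when no extension is critical, so guard it.
    final boolean critical = x509crl.getCriticalExtensionOIDs() != null
            && x509crl.getCriticalExtensionOIDs().contains(freshestCrlOid);
    assertEquals("Freshest CRL extension must not be marked critical", Boolean.FALSE, Boolean.valueOf(critical));

    // getExtensionValue() returns the DER OCTET STRING that wraps the extension value; unwrap it
    // first, then parse the inner CRLDistPoint SEQUENCE. The streams only wrap in-memory byte
    // arrays, but they are closed anyway to keep resource handling uniform.
    final byte[] innerDER;
    final ASN1InputStream outerIn = new ASN1InputStream(new ByteArrayInputStream(cFreshestDpDER));
    try {
        innerDER = ((ASN1OctetString) outerIn.readObject()).getOctets();
    } finally {
        outerIn.close();
    }
    final CRLDistPoint cdp;
    final ASN1InputStream innerIn = new ASN1InputStream(new ByteArrayInputStream(innerDER));
    try {
        cdp = new CRLDistPoint((ASN1Sequence) innerIn.readObject());
    } finally {
        innerIn.close();
    }
    final DistributionPoint[] distpoints = cdp.getDistributionPoints();

    assertEquals("More CRL Freshest distributions points than expected", 1, distpoints.length);
    // The single distribution point is expected to carry a full name whose first GeneralName is the URI.
    final GeneralNames fullName = (GeneralNames) distpoints[0].getDistributionPoint().getName();
    final String actualUri = ((DERIA5String) fullName.getNames()[0].getName()).getString();
    assertEquals("Freshest CRL distribution point is different", freshestCdpURL, actualUri);
}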

From source file:org.ejbca.core.ejb.ca.crl.CreateCRLSessionTest.java

License:Open Source License

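/**
 * Tests the Freshest CRL DP extension (RFC 5280, section 5.2.6) on a CA-issued CRL: once the
 * CA is configured with a Freshest CRL URL and a CRL is generated, the CRL must carry exactly
 * one Freshest CRL distribution point naming that URL, and the extension must not be marked
 * critical (a critical Freshest CRL extension would make conforming relying parties reject
 * the whole CRL).
 *
 * @throws Exception
 *             in case of error.
 */
public void test07CRLFreshestCRL() throws Exception {
    log.trace(">test07CRLFreshestCRL()");

    final String cdpURL = "http://www.ejbca.org/foo/bar.crl";
    final String freshestCdpURL = "http://www.ejbca.org/foo/delta.crl";
    final String freshestCrlOid = X509Extensions.FreshestCRL.getId();

    // Configure the CA to emit both the distribution point and the Freshest CRL extension on its CRLs.
    X509CAInfo cainfo = (X509CAInfo) caAdminSession.getCAInfo(admin, caid);
    cainfo.setUseCrlDistributionPointOnCrl(true);
    cainfo.setDefaultCRLDistPoint(cdpURL);
    cainfo.setCADefinedFreshestCRL(freshestCdpURL);
    caAdminSession.editCA(admin, cainfo);
    // Re-read the CA after the edit, presumably so the CRL is generated from the new configuration.
    ca = caSession.getCA(admin, caid);
    crlCreateSession.run(admin, ca);

    final X509CRL x509crl = CertTools.getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), false));
    final byte[] cFreshestDpDER = x509crl.getExtensionValue(freshestCrlOid);
    assertNotNull("CRL has no Freshest Distribution Point", cFreshestDpDER);

    // RFC 5280 requires the Freshest CRL extension on a CRL to be non-critical.
    // getCriticalExtensionOIDs() may be null when no extension is critical, so guard it.
    final boolean critical = x509crl.getCriticalExtensionOIDs() != null
            && x509crl.getCriticalExtensionOIDs().contains(freshestCrlOid);
    assertEquals("Freshest CRL extension must not be marked critical", Boolean.FALSE, Boolean.valueOf(critical));

    // getExtensionValue() returns the DER OCTET STRING that wraps the extension value; unwrap it
    // first, then parse the inner CRLDistPoint SEQUENCE. The streams only wrap in-memory byte
    // arrays, but they are closed anyway to keep resource handling uniform.
    final byte[] innerDER;
    final ASN1InputStream outerIn = new ASN1InputStream(new ByteArrayInputStream(cFreshestDpDER));
    try {
        innerDER = ((ASN1OctetString) outerIn.readObject()).getOctets();
    } finally {
        outerIn.close();
    }
    final CRLDistPoint cdp;
    final ASN1InputStream innerIn = new ASN1InputStream(new ByteArrayInputStream(innerDER));
    try {
        cdp = new CRLDistPoint((ASN1Sequence) innerIn.readObject());
    } finally {
        innerIn.close();
    }
    final DistributionPoint[] distpoints = cdp.getDistributionPoints();

    assertEquals("More CRL Freshest distributions points than expected", 1, distpoints.length);
    // The single distribution point is expected to carry a full name whose first GeneralName is the URI.
    final GeneralNames fullName = (GeneralNames) distpoints[0].getDistributionPoint().getName();
    final String actualUri = ((DERIA5String) fullName.getNames()[0].getName()).getString();
    assertEquals("Freshest CRL distribution point is different", freshestCdpURL, actualUri);

    log.trace("<test07CRLFreshestCRL()");
}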

From source file:org.ejbca.core.model.ca.caadmin.X509CA.java

License:Open Source License

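/**
 * Generates a CRL or a delta CRL for this CA and signs it with the CA's CRL signing key.
 * <p>
 * Extensions are added according to CA configuration: Authority Key Identifier (derived from the
 * CRL signing public key), CRL Number, Delta CRL Indicator (delta CRLs only, always critical),
 * Issuing Distribution Point (first configured distribution point) and, for full CRLs only,
 * Freshest CRL. The Freshest CRL extension is always non-critical and is never put on a delta
 * CRL, as RFC 5280 section 5.2.6 requires.
 * <p>
 * Before the CRL is returned its signature is verified with the CA certificate's public key (or,
 * for an initial root CA without a certificate, the CRL signing key from the token), so a CRL
 * that does not verify against the CA's own key is never issued.
 *
 * @param certs list of revoked certificates; null is treated as an empty list
 * @param crlPeriod validity period of the CRL in milliseconds; nextUpdate is thisUpdate plus this value
 * @param crlnumber CRLNumber for this CRL
 * @param isDeltaCRL true if we should generate a DeltaCRL
 * @param basecrlnumber baseCRLNumber for a delta CRL, use 0 for full CRLs
 * @return the signed and verified CRL
 * @throws CATokenOfflineException if the CA token can not provide the CRL signing key
 * @throws IllegalKeyStoreException
 * @throws IOException if the DER-encoded CRL signing public key can not be parsed
 * @throws SignatureException if signing fails or the generated CRL does not verify
 * @throws NoSuchProviderException
 * @throws InvalidKeyException if the signing or verification key is unusable
 * @throws CRLException
 * @throws NoSuchAlgorithmException if the configured signature algorithm is not available
 */
private CRL generateCRL(Collection<RevokedCertInfo> certs, long crlPeriod, int crlnumber, boolean isDeltaCRL,
        int basecrlnumber)
        throws CATokenOfflineException, IllegalKeyStoreException, IOException, SignatureException,
        NoSuchProviderException, InvalidKeyException, CRLException, NoSuchAlgorithmException {
    final String sigAlg = getCAInfo().getCATokenInfo().getSignatureAlgorithm();

    if (log.isDebugEnabled()) {
        // certs may be null (tolerated below), so it must not be dereferenced here.
        final int numCerts = (certs == null) ? 0 : certs.size();
        log.debug("generateCRL(" + numCerts + ", " + crlPeriod + ", " + crlnumber + ", " + isDeltaCRL + ", "
                + basecrlnumber + ")");
    }
    // nextUpdate is derived from the same instant as thisUpdate so the two fields are consistent.
    final Date thisUpdate = new Date();
    final Date nextUpdate = new Date(thisUpdate.getTime() + crlPeriod);

    final X509V2CRLGenerator crlgen = new X509V2CRLGenerator();
    crlgen.setThisUpdate(thisUpdate);
    crlgen.setNextUpdate(nextUpdate);
    crlgen.setSignatureAlgorithm(sigAlg);

    // Issuer DN: taken from the CA certificate when there is one, otherwise built from the configured subject DN.
    final X509Certificate cacert = (X509Certificate) getCACertificate();
    if (cacert == null) {
        // This is an initial root CA, since no CA-certificate exists
        // (I don't think we can ever get here!!!)
        final X509NameEntryConverter converter;
        if (getUsePrintableStringSubjectDN()) {
            converter = new PrintableStringEntryConverter();
        } else {
            converter = new X509DefaultEntryConverter();
        }
        final X509Name caname = CertTools.stringToBcX509Name(getSubjectDN(), converter, getUseLdapDNOrder());
        crlgen.setIssuerDN(caname);
    } else {
        crlgen.setIssuerDN(cacert.getSubjectX500Principal());
    }

    if (certs != null) {
        for (final RevokedCertInfo certinfo : certs) {
            crlgen.addCRLEntry(certinfo.getUserCertificate(), certinfo.getRevocationDate(), certinfo.getReason());
        }
    }

    // Authority key identifier, derived from the CRL signing public key.
    if (getUseAuthorityKeyIdentifier()) {
        final byte[] encodedPublicKey = getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CRLSIGN).getEncoded();
        final ASN1InputStream asn1In = new ASN1InputStream(new ByteArrayInputStream(encodedPublicKey));
        final SubjectPublicKeyInfo apki;
        try {
            apki = new SubjectPublicKeyInfo((ASN1Sequence) asn1In.readObject());
        } finally {
            asn1In.close();
        }
        final AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki);
        crlgen.addExtension(X509Extensions.AuthorityKeyIdentifier.getId(), getAuthorityKeyIdentifierCritical(),
                aki);
    }

    // CRLNumber extension
    if (getUseCRLNumber()) {
        final CRLNumber crlnum = new CRLNumber(BigInteger.valueOf(crlnumber));
        crlgen.addExtension(X509Extensions.CRLNumber.getId(), this.getCRLNumberCritical(), crlnum);
    }

    if (isDeltaCRL) {
        // DeltaCRLIndicator extension, always critical.
        final CRLNumber basecrlnum = new CRLNumber(BigInteger.valueOf(basecrlnumber));
        crlgen.addExtension(X509Extensions.DeltaCRLIndicator.getId(), true, basecrlnum);
    }

    // CRL Distribution point URI and Freshest CRL DP
    if (getUseCrlDistributionPointOnCrl()) {
        final String crldistpoint = getDefaultCRLDistPoint();
        final List<DistributionPoint> distpoints = generateDistributionPoints(crldistpoint);

        if (!distpoints.isEmpty()) {
            // Only the first configured distribution point goes into the IDP extension.
            final IssuingDistributionPoint idp = new IssuingDistributionPoint(
                    distpoints.get(0).getDistributionPoint(), false, false, null, false, false);

            // According to the RFC, IDP must be a critical extension.
            // Nonetheless, at the moment, Mozilla is not able to correctly
            // handle the IDP extension and discards the CRL if it is critical.
            crlgen.addExtension(X509Extensions.IssuingDistributionPoint.getId(),
                    getCrlDistributionPointOnCrlCritical(), idp);
        }

        // RFC 5280 section 5.2.6: the Freshest CRL extension MUST NOT appear in delta CRLs.
        if (!isDeltaCRL) {
            final String crlFreshestDP = getCADefinedFreshestCRL();
            final List<DistributionPoint> freshestDistPoints = generateDistributionPoints(crlFreshestDP);
            if (!freshestDistPoints.isEmpty()) {
                final CRLDistPoint ext = new CRLDistPoint(
                        freshestDistPoints.toArray(new DistributionPoint[freshestDistPoints.size()]));

                // According to the RFC, the Freshest CRL extension on a
                // CRL must not be marked as critical. Therefore it is
                // hardcoded as not critical and is independent of
                // getCrlDistributionPointOnCrlCritical().
                crlgen.addExtension(X509Extensions.FreshestCRL.getId(), false, ext);
            }
        }
    }

    final X509CRL crl = crlgen.generate(getCAToken().getPrivateKey(SecConst.CAKEYPURPOSE_CRLSIGN),
            getCAToken().getProvider());

    // Verify using the CA certificate before returning.
    // If we can not verify the issued CRL using the CA certificate we don't want to issue this CRL
    // because something is wrong (for example a token key that does not match the CA certificate).
    final PublicKey verifyKey;
    if (cacert != null) {
        verifyKey = cacert.getPublicKey();
    } else {
        verifyKey = getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CRLSIGN);
    }
    crl.verify(verifyKey);

    return crl;
}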

From source file:org.ejbca.core.model.ca.certextensions.standard.FreshestCrl.java

License:Open Source License

/**
 * Registers the Freshest CRL extension OID with the base class and marks the extension
 * non-critical, which is what RFC 5280 section 4.2.1.15 requires for this extension in a
 * certificate. The certificate profile is not consulted.
 *
 * @param certProf the certificate profile being initialised; not used by this extension
 */
@Override
public void init(final CertificateProfile certProf) {
    final String freshestCrlOid = X509Extensions.FreshestCRL.getId();
    super.setOID(freshestCrlOid);
    super.setCriticalFlag(false);
}

From source file:org.ejbca.core.model.ca.certificateprofiles.CertificateProfileTest.java

License:Open Source License

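/**
 * Checks which standard certificate extensions a certificate profile reports as used: the
 * defaults of a plain profile and of an end-user profile, and the full set once every optional
 * standard extension (including Freshest CRL) has been enabled.
 *
 * @throws Exception in case of error.
 */
public void test09CertificateExtensions() throws Exception {
    log.trace(">test09CertificateExtensions()");

    CertificateProfile profile = new CertificateProfile();

    // Check standard values for the certificate profile.
    // The wildcard type works whether the getter returns a raw or a parameterised List.
    List<?> l = profile.getUsedStandardCertificateExtensions();
    assertEquals("Unexpected number of default extensions", 5, l.size());
    assertTrue(l.contains(X509Extensions.KeyUsage.getId()));
    assertTrue(l.contains(X509Extensions.BasicConstraints.getId()));
    assertTrue(l.contains(X509Extensions.SubjectKeyIdentifier.getId()));
    assertTrue(l.contains(X509Extensions.AuthorityKeyIdentifier.getId()));
    assertTrue(l.contains(X509Extensions.SubjectAlternativeName.getId()));

    CertificateProfile eprofile = new EndUserCertificateProfile();

    // The end-user profile adds Extended Key Usage to the defaults.
    l = eprofile.getUsedStandardCertificateExtensions();
    assertEquals("Unexpected number of default end-user extensions", 6, l.size());
    assertTrue(l.contains(X509Extensions.KeyUsage.getId()));
    assertTrue(l.contains(X509Extensions.BasicConstraints.getId()));
    assertTrue(l.contains(X509Extensions.SubjectKeyIdentifier.getId()));
    assertTrue(l.contains(X509Extensions.AuthorityKeyIdentifier.getId()));
    assertTrue(l.contains(X509Extensions.SubjectAlternativeName.getId()));
    assertTrue(l.contains(X509Extensions.ExtendedKeyUsage.getId()));

    // Enable every optional standard extension and check that each shows up exactly once.
    profile = new CertificateProfile();
    profile.setUseAuthorityInformationAccess(true);
    profile.setUseCertificatePolicies(true);
    profile.setUseCRLDistributionPoint(true);
    profile.setUseFreshestCRL(true);
    profile.setUseMicrosoftTemplate(true);
    profile.setUseOcspNoCheck(true);
    profile.setUseQCStatement(true);
    profile.setUseExtendedKeyUsage(true);
    profile.setUseSubjectDirAttributes(true);
    l = profile.getUsedStandardCertificateExtensions();
    assertEquals("Unexpected number of extensions with all options enabled", 14, l.size());
    assertTrue(l.contains(X509Extensions.KeyUsage.getId()));
    assertTrue(l.contains(X509Extensions.BasicConstraints.getId()));
    assertTrue(l.contains(X509Extensions.SubjectKeyIdentifier.getId()));
    assertTrue(l.contains(X509Extensions.AuthorityKeyIdentifier.getId()));
    assertTrue(l.contains(X509Extensions.SubjectAlternativeName.getId()));
    assertTrue(l.contains(X509Extensions.ExtendedKeyUsage.getId()));
    assertTrue(l.contains(X509Extensions.AuthorityInfoAccess.getId()));
    assertTrue(l.contains(X509Extensions.CertificatePolicies.getId()));
    assertTrue(l.contains(X509Extensions.CRLDistributionPoints.getId()));
    assertTrue(l.contains(X509Extensions.FreshestCRL.getId()));
    assertTrue(l.contains(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId()));
    assertTrue(l.contains(X509Extensions.QCStatements.getId()));
    assertTrue(l.contains(X509Extensions.SubjectDirectoryAttributes.getId()));
    assertTrue(l.contains(CertTools.OID_MSTEMPLATE));

    log.trace("<test09CertificateExtensions()");
}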

From source file:test.integ.be.fedict.trust.util.TestUtils.java

License:Open Source License

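/**
 * Builds and signs a test CRL.
 * <p>
 * The CRL always carries a non-critical Authority Key Identifier (from the issuer certificate)
 * and a CRL Number fixed at 1. Every revoked certificate is listed with the fixed reason
 * {@code privilegeWithdrawn}. When delta CRL URIs are given, a non-critical Freshest CRL
 * extension with one distribution point per URI is added; when {@code deltaCrl} is set, a
 * critical Delta CRL Indicator with base CRL number 1 is added.
 * <p>
 * NOTE: the Freshest CRL extension is added regardless of {@code deltaCrl}, although RFC 5280
 * section 5.2.6 forbids it in delta CRLs; presumably intentional so tests can build
 * non-conforming CRLs, but callers that need a conforming delta CRL should pass no URIs.
 *
 * @param issuerPrivateKey key the CRL is signed with
 * @param issuerCertificate certificate whose subject becomes the CRL issuer and whose key
 *            identifier goes into the Authority Key Identifier extension
 * @param thisUpdate the CRL's thisUpdate time
 * @param nextUpdate the CRL's nextUpdate time
 * @param deltaCrlUris URIs for the Freshest CRL extension; null or empty adds no extension
 * @param deltaCrl true to mark the CRL as a delta CRL
 * @param revokedCertificates entries to list; null is treated as an empty list
 * @param signatureAlgorithm signature algorithm name for the CRL signature
 * @return the signed CRL
 * @throws InvalidKeyException if the signing key is unusable
 * @throws CRLException if the CRL can not be generated
 * @throws IllegalStateException if the generator is not fully configured
 * @throws NoSuchAlgorithmException if the signature algorithm is not available
 * @throws SignatureException if signing fails
 * @throws CertificateParsingException if the issuer certificate can not be parsed for the key identifier
 */
public static X509CRL generateCrl(PrivateKey issuerPrivateKey, X509Certificate issuerCertificate,
        DateTime thisUpdate, DateTime nextUpdate, List<String> deltaCrlUris, boolean deltaCrl,
        List<RevokedCertificate> revokedCertificates, String signatureAlgorithm)
        throws InvalidKeyException, CRLException, IllegalStateException, NoSuchAlgorithmException,
        SignatureException, CertificateParsingException {

    final X509V2CRLGenerator crlGenerator = new X509V2CRLGenerator();
    crlGenerator.setThisUpdate(thisUpdate.toDate());
    crlGenerator.setNextUpdate(nextUpdate.toDate());
    crlGenerator.setSignatureAlgorithm(signatureAlgorithm);
    crlGenerator.setIssuerDN(issuerCertificate.getSubjectX500Principal());

    // Every entry gets the same fixed reason code; a null list simply yields a CRL without entries.
    if (revokedCertificates != null) {
        for (RevokedCertificate revokedCertificate : revokedCertificates) {
            crlGenerator.addCRLEntry(revokedCertificate.serialNumber, revokedCertificate.revocationDate.toDate(),
                    CRLReason.privilegeWithdrawn);
        }
    }

    crlGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(issuerCertificate));
    crlGenerator.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.ONE));

    // Freshest CRL: one distribution point per URI, non-critical as RFC 5280 requires.
    if (deltaCrlUris != null && !deltaCrlUris.isEmpty()) {
        final DistributionPoint[] deltaCrlDps = new DistributionPoint[deltaCrlUris.size()];
        int index = 0;
        for (String deltaCrlUri : deltaCrlUris) {
            deltaCrlDps[index++] = getDistributionPoint(deltaCrlUri);
        }
        crlGenerator.addExtension(X509Extensions.FreshestCRL, false, new CRLDistPoint(deltaCrlDps));
    }

    if (deltaCrl) {
        // The Delta CRL Indicator is a critical extension (RFC 5280 section 5.2.4).
        crlGenerator.addExtension(X509Extensions.DeltaCRLIndicator, true, new CRLNumber(BigInteger.ONE));
    }

    return crlGenerator.generate(issuerPrivateKey);
}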

From source file:test.unit.be.fedict.trust.TrustTestUtils.java

License:Open Source License

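/**
 * Builds and signs a test CRL.
 * <p>
 * The CRL always carries a non-critical Authority Key Identifier (from the issuer certificate)
 * and a CRL Number fixed at 1. Every revoked certificate is listed with the fixed reason
 * {@code privilegeWithdrawn}. When delta CRL URIs are given, a non-critical Freshest CRL
 * extension with one distribution point per URI is added; when {@code deltaCrl} is set, a
 * critical Delta CRL Indicator with base CRL number 1 is added.
 * <p>
 * NOTE: the Freshest CRL extension is added regardless of {@code deltaCrl}, although RFC 5280
 * section 5.2.6 forbids it in delta CRLs; presumably intentional so tests can build
 * non-conforming CRLs, but callers that need a conforming delta CRL should pass no URIs.
 *
 * @param issuerPrivateKey key the CRL is signed with
 * @param issuerCertificate certificate whose subject becomes the CRL issuer and whose key
 *            identifier goes into the Authority Key Identifier extension
 * @param thisUpdate the CRL's thisUpdate time
 * @param nextUpdate the CRL's nextUpdate time
 * @param deltaCrlUris URIs for the Freshest CRL extension; null or empty adds no extension
 * @param deltaCrl true to mark the CRL as a delta CRL
 * @param revokedCertificates entries to list; null is treated as an empty list
 * @param signatureAlgorithm signature algorithm name for the CRL signature
 * @return the signed CRL
 * @throws InvalidKeyException if the signing key is unusable
 * @throws CRLException if the CRL can not be generated
 * @throws IllegalStateException if the generator is not fully configured
 * @throws NoSuchAlgorithmException if the signature algorithm is not available
 * @throws SignatureException if signing fails
 * @throws CertificateParsingException if the issuer certificate can not be parsed for the key identifier
 */
public static X509CRL generateCrl(PrivateKey issuerPrivateKey, X509Certificate issuerCertificate,
        DateTime thisUpdate, DateTime nextUpdate, List<String> deltaCrlUris, boolean deltaCrl,
        List<RevokedCertificate> revokedCertificates, String signatureAlgorithm)
        throws InvalidKeyException, CRLException, IllegalStateException, NoSuchAlgorithmException,
        SignatureException, CertificateParsingException {

    final X509V2CRLGenerator crlGenerator = new X509V2CRLGenerator();
    crlGenerator.setThisUpdate(thisUpdate.toDate());
    crlGenerator.setNextUpdate(nextUpdate.toDate());
    crlGenerator.setSignatureAlgorithm(signatureAlgorithm);
    crlGenerator.setIssuerDN(issuerCertificate.getSubjectX500Principal());

    // Every entry gets the same fixed reason code; a null list simply yields a CRL without entries.
    if (revokedCertificates != null) {
        for (RevokedCertificate revokedCertificate : revokedCertificates) {
            crlGenerator.addCRLEntry(revokedCertificate.serialNumber, revokedCertificate.revocationDate.toDate(),
                    CRLReason.privilegeWithdrawn);
        }
    }

    crlGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(issuerCertificate));
    crlGenerator.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.ONE));

    // Freshest CRL: one distribution point per URI, non-critical as RFC 5280 requires.
    if (deltaCrlUris != null && !deltaCrlUris.isEmpty()) {
        final DistributionPoint[] deltaCrlDps = new DistributionPoint[deltaCrlUris.size()];
        int index = 0;
        for (String deltaCrlUri : deltaCrlUris) {
            deltaCrlDps[index++] = getDistributionPoint(deltaCrlUri);
        }
        crlGenerator.addExtension(X509Extensions.FreshestCRL, false, new CRLDistPoint(deltaCrlDps));
    }

    if (deltaCrl) {
        // The Delta CRL Indicator is a critical extension (RFC 5280 section 5.2.4).
        crlGenerator.addExtension(X509Extensions.DeltaCRLIndicator, true, new CRLNumber(BigInteger.ONE));
    }

    return crlGenerator.generate(issuerPrivateKey);
}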