List of usage examples for org.bouncycastle.asn1.x509 X509Extensions IssuingDistributionPoint
ASN1ObjectIdentifier IssuingDistributionPoint
To view the source code for org.bouncycastle.asn1.x509 X509Extensions IssuingDistributionPoint.
Click Source Link
From source file:be.fedict.trust.service.bean.HarvesterMDB.java
License:Open Source License
/** * Returns if the specified CRL is indirect. * //w w w . j ava2 s.c o m * @param crl * the CRL * @return true or false * @throws CRLException * something went wrong reading the * {@link org.bouncycastle.asn1.x509.IssuingDistributionPoint}. */ private boolean isIndirectCRL(X509CRL crl) throws CRLException { byte[] idp = crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId()); boolean isIndirect = false; try { if (idp != null) { isIndirect = IssuingDistributionPoint.getInstance(X509ExtensionUtil.fromExtensionValue(idp)) .isIndirectCRL(); } } catch (Exception e) { throw new CRLException("Exception reading IssuingDistributionPoint", e); } return isIndirect; }
From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.java
License:Open Source License
/** * Checks a distribution point for revocation information for the * certificate <code>cert</code>. * /*www .j ava2s. c o m*/ * @param dp The distribution point to consider. * @param paramsPKIX PKIX parameters. * @param cert Certificate to check if it is revoked. * @param validDate The date when the certificate revocation status * should be checked. * @param defaultCRLSignCert The issuer certificate of the certificate * <code>cert</code>. * @param defaultCRLSignKey The public key of the issuer certificate * <code>defaultCRLSignCert</code>. * @param certStatus The current certificate revocation status. * @param reasonMask The reasons mask which is already checked. * @param certPathCerts The certificates of the certification path. * @throws AnnotatedException if the certificate is revoked or the * status cannot be checked or some error occurs. */ private static void checkCRL(DistributionPoint dp, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, CertStatus certStatus, ReasonsMask reasonMask, List<?> certPathCerts) throws SimpleValidationErrorException { Date currentDate = new Date(System.currentTimeMillis()); if (validDate.getTime() > currentDate.getTime()) { throw new IllegalArgumentException("CRL validation time is in future: " + validDate); } // (a) /* * We always get timely valid CRLs, so there is no step (a) (1). * "locally cached" CRLs are assumed to be in getStore(), * additional CRLs must be enabled in the ExtendedPKIXParameters * and are in getAdditionalStore() */ Set<?> crls = CertPathValidatorUtilities.getCompleteCRLs2(dp, cert, currentDate, paramsPKIX); boolean validCrlFound = false; SimpleValidationErrorException lastException = null; Iterator<?> crl_iter = crls.iterator(); while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) { try { X509CRL crl = (X509CRL) crl_iter.next(); // (d) ReasonsMask interimReasonsMask = processCRLD2(crl, dp); // (e) /* * The reasons mask is updated at the end, so * only valid CRLs can update it. If this CRL * does not contain new reasons it must be * ignored. */ if (!interimReasonsMask.hasNewReasons(reasonMask)) { continue; } // (f) Set<?> keys = processCRLF2(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts); // (g) PublicKey key = processCRLG2(crl, keys); X509CRL deltaCRL = null; if (paramsPKIX.isUseDeltasEnabled()) { // get delta CRLs Set<?> deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs2(currentDate, paramsPKIX, crl); // we only want one valid delta CRL // (h) deltaCRL = processCRLH2(deltaCRLs, key); } /* * CRL must be be valid at the current time, not * the validation time. If a certificate is * revoked with reason keyCompromise, * cACompromise, it can be used for forgery, * also for the past. This reason may not be * contained in older CRLs. */ /* * in the chain model signatures stay valid also * after the certificate has been expired, so * they do not have to be in the CRL validity * time */ if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) { /* * if a certificate has expired, but was * revoked, it is not more in the CRL, * so it would be regarded as valid if * the first check is not done */ if (cert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) { throw new SimpleValidationErrorException(ValidationErrorCode.noValidCrlFound); } } processCRLB1_2(dp, cert, crl); // (b) (2) processCRLB2_2(dp, cert, crl); // (c) processCRLC2(deltaCRL, crl, paramsPKIX); // (i) processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX); // (j) processCRLJ(validDate, crl, cert, certStatus); // (k) if (certStatus.getCertStatus() == CRLReason.removeFromCRL) { certStatus.setCertStatus(CertStatus.UNREVOKED); } // update reasons mask reasonMask.addReasons(interimReasonsMask); Set<?> criticalExtensions = crl.getCriticalExtensionOIDs(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId()); criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId()); if (!criticalExtensions.isEmpty()) { throw new SimpleValidationErrorException(ValidationErrorCode.crlUnknownCritExt, criticalExtensions.iterator().next()); } } if (deltaCRL != null) { criticalExtensions = deltaCRL.getCriticalExtensionOIDs(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId()); criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId()); if (!criticalExtensions.isEmpty()) { throw new SimpleValidationErrorException(ValidationErrorCode.crlUnknownCritExt, criticalExtensions.iterator().next()); } } } validCrlFound = true; } catch (SimpleValidationErrorException e) { lastException = e; } } if (!validCrlFound) { throw lastException; } }
From source file:org.cesecore.certificates.crl.CrlCreateSessionCRLTest.java
License:Open Source License
/** * Tests the extension CRL Distribution Point on CRLs *///from ww w. j a v a 2s.c o m @Test public void testCRLDistPointOnCRL() throws Exception { final String cdpURL = "http://www.ejbca.org/foo/bar.crl"; X509CAInfo cainfo = (X509CAInfo) testx509ca.getCAInfo(); X509CRL x509crl; byte[] cdpDER; cainfo.setUseCrlDistributionPointOnCrl(true); cainfo.setDefaultCRLDistPoint(cdpURL); caSession.editCA(roleMgmgToken, cainfo); crlCreateSession.forceCRL(roleMgmgToken, testx509ca.getCAId()); x509crl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false)); cdpDER = x509crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId()); assertNotNull("CRL has no distribution points", cdpDER); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cdpDER)); ASN1OctetString octs = (ASN1OctetString) aIn.readObject(); aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets())); IssuingDistributionPoint cdp = new IssuingDistributionPoint((ASN1Sequence) aIn.readObject()); DistributionPointName distpoint = cdp.getDistributionPoint(); assertEquals("CRL distribution point is different", cdpURL, ((DERIA5String) ((GeneralNames) distpoint.getName()).getNames()[0].getName()).getString()); cainfo.setUseCrlDistributionPointOnCrl(false); cainfo.setDefaultCRLDistPoint(""); caSession.editCA(roleMgmgToken, cainfo); crlCreateSession.forceCRL(roleMgmgToken, testx509ca.getCAId()); x509crl = CertTools.getCRLfromByteArray(crlStoreSession.getLastCRL(cainfo.getSubjectDN(), false)); assertNull("CRL has distribution points", x509crl.getExtensionValue(X509Extensions.CRLDistributionPoints.getId())); }
From source file:org.ejbca.core.ejb.ca.crl.CreateCRLSessionTest.java
License:Open Source License
/** * Tests the extension CRL Distribution Point on CRLs * /*from w w w . j ava 2 s . c om*/ * @throws Exception * error */ public void test06CRLDistPointOnCRL() throws Exception { log.trace(">test06CRLDistPointOnCRL()"); final String cdpURL = "http://www.ejbca.org/foo/bar.crl"; X509CAInfo cainfo = (X509CAInfo) ca.getCAInfo(); X509CRL x509crl; byte[] cdpDER; cainfo.setUseCrlDistributionPointOnCrl(true); cainfo.setDefaultCRLDistPoint(cdpURL); caAdminSession.editCA(admin, cainfo); ca = caSession.getCA(admin, caid); crlCreateSession.run(admin, ca); x509crl = CertTools.getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), false)); cdpDER = x509crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId()); assertNotNull("CRL has no distribution points", cdpDER); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cdpDER)); ASN1OctetString octs = (ASN1OctetString) aIn.readObject(); aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets())); IssuingDistributionPoint cdp = new IssuingDistributionPoint((ASN1Sequence) aIn.readObject()); DistributionPointName distpoint = cdp.getDistributionPoint(); assertEquals("CRL distribution point is different", cdpURL, ((DERIA5String) ((GeneralNames) distpoint.getName()).getNames()[0].getName()).getString()); cainfo.setUseCrlDistributionPointOnCrl(false); cainfo.setDefaultCRLDistPoint(""); caAdminSession.editCA(admin, cainfo); ca = caSession.getCA(admin, caid); crlCreateSession.run(admin, ca); x509crl = CertTools.getCRLfromByteArray(crlSession.getLastCRL(admin, cainfo.getSubjectDN(), false)); assertNull("CRL has distribution points", x509crl.getExtensionValue(X509Extensions.CRLDistributionPoints.getId())); log.trace("<test06CRLDistPointOnCRL()"); }
From source file:org.ejbca.core.model.ca.caadmin.X509CA.java
License:Open Source License
/** Generate a CRL or a deltaCRL * /*from w w w.j a va 2s .c o m*/ * @param certs list of revoked certificates * @param crlnumber CRLNumber for this CRL * @param isDeltaCRL true if we should generate a DeltaCRL * @param basecrlnumber caseCRLNumber for a delta CRL, use 0 for full CRLs * @param certProfile certificate profile for CRL Distribution point in the CRL, or null * @return CRL * @throws CATokenOfflineException * @throws IllegalKeyStoreException * @throws IOException * @throws SignatureException * @throws NoSuchProviderException * @throws InvalidKeyException * @throws CRLException * @throws NoSuchAlgorithmException */ private CRL generateCRL(Collection<RevokedCertInfo> certs, long crlPeriod, int crlnumber, boolean isDeltaCRL, int basecrlnumber) throws CATokenOfflineException, IllegalKeyStoreException, IOException, SignatureException, NoSuchProviderException, InvalidKeyException, CRLException, NoSuchAlgorithmException { final String sigAlg = getCAInfo().getCATokenInfo().getSignatureAlgorithm(); if (log.isDebugEnabled()) { log.debug("generateCRL(" + certs.size() + ", " + crlPeriod + ", " + crlnumber + ", " + isDeltaCRL + ", " + basecrlnumber); } Date thisUpdate = new Date(); Date nextUpdate = new Date(); nextUpdate.setTime(nextUpdate.getTime() + crlPeriod); X509V2CRLGenerator crlgen = new X509V2CRLGenerator(); crlgen.setThisUpdate(thisUpdate); crlgen.setNextUpdate(nextUpdate); crlgen.setSignatureAlgorithm(sigAlg); // Make DNs X509Certificate cacert = (X509Certificate) getCACertificate(); if (cacert == null) { // This is an initial root CA, since no CA-certificate exists // (I don't think we can ever get here!!!) X509NameEntryConverter converter = null; if (getUsePrintableStringSubjectDN()) { converter = new PrintableStringEntryConverter(); } else { converter = new X509DefaultEntryConverter(); } X509Name caname = CertTools.stringToBcX509Name(getSubjectDN(), converter, getUseLdapDNOrder()); crlgen.setIssuerDN(caname); } else { crlgen.setIssuerDN(cacert.getSubjectX500Principal()); } if (certs != null) { Iterator<RevokedCertInfo> it = certs.iterator(); while (it.hasNext()) { RevokedCertInfo certinfo = (RevokedCertInfo) it.next(); crlgen.addCRLEntry(certinfo.getUserCertificate(), certinfo.getRevocationDate(), certinfo.getReason()); } } // Authority key identifier if (getUseAuthorityKeyIdentifier() == true) { SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo((ASN1Sequence) new ASN1InputStream( new ByteArrayInputStream(getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CRLSIGN).getEncoded())) .readObject()); AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki); crlgen.addExtension(X509Extensions.AuthorityKeyIdentifier.getId(), getAuthorityKeyIdentifierCritical(), aki); } // CRLNumber extension if (getUseCRLNumber() == true) { CRLNumber crlnum = new CRLNumber(BigInteger.valueOf(crlnumber)); crlgen.addExtension(X509Extensions.CRLNumber.getId(), this.getCRLNumberCritical(), crlnum); } if (isDeltaCRL) { // DeltaCRLIndicator extension CRLNumber basecrlnum = new CRLNumber(BigInteger.valueOf(basecrlnumber)); crlgen.addExtension(X509Extensions.DeltaCRLIndicator.getId(), true, basecrlnum); } // CRL Distribution point URI and Freshest CRL DP if (getUseCrlDistributionPointOnCrl()) { String crldistpoint = getDefaultCRLDistPoint(); List<DistributionPoint> distpoints = generateDistributionPoints(crldistpoint); if (distpoints.size() > 0) { IssuingDistributionPoint idp = new IssuingDistributionPoint( distpoints.get(0).getDistributionPoint(), false, false, null, false, false); // According to the RFC, IDP must be a critical extension. // Nonetheless, at the moment, Mozilla is not able to correctly // handle the IDP extension and discards the CRL if it is critical. crlgen.addExtension(X509Extensions.IssuingDistributionPoint.getId(), getCrlDistributionPointOnCrlCritical(), idp); } if (!isDeltaCRL) { String crlFreshestDP = getCADefinedFreshestCRL(); List<DistributionPoint> freshestDistPoints = generateDistributionPoints(crlFreshestDP); if (freshestDistPoints.size() > 0) { CRLDistPoint ext = new CRLDistPoint((DistributionPoint[]) freshestDistPoints .toArray(new DistributionPoint[freshestDistPoints.size()])); // According to the RFC, the Freshest CRL extension on a // CRL must not be marked as critical. Therefore it is // hardcoded as not critical and is independent of // getCrlDistributionPointOnCrlCritical(). crlgen.addExtension(X509Extensions.FreshestCRL.getId(), false, ext); } } } X509CRL crl; crl = crlgen.generate(getCAToken().getPrivateKey(SecConst.CAKEYPURPOSE_CRLSIGN), getCAToken().getProvider()); // Verify using the CA certificate before returning // If we can not verify the issued CRL using the CA certificate we don't want to issue this CRL // because something is wrong... PublicKey verifyKey; if (cacert != null) { verifyKey = cacert.getPublicKey(); } else { verifyKey = getCAToken().getPublicKey(SecConst.CAKEYPURPOSE_CRLSIGN); } crl.verify(verifyKey); return crl; }
From source file:org.glite.security.util.FileCRLChecker.java
License:Apache License
/** * Checks the extension with given OID.//from www . ja v a2s . com * * @param oid The oid of the extension to check. * @throws CertificateException thrown in case there is problems with the certificate handling. * @throws IOException thrown in case the extension parsing fails. */ private void checkExtension(String oid) throws CertificateException, IOException { if (oid.equals(X509Extensions.DeltaCRLIndicator.getId())) { LOGGER.debug("Found DeltaCRLIndicator extension that can't be supported."); throw new CertificateException("Usupported critical extension in CRL: DeltaCRLIndicator"); } if (oid.equals(X509Extensions.IssuingDistributionPoint.toString())) { checkIssuinDistributionPoint(); return; } throw new CertificateException("Unrecognized critical extension in CRL: " + oid); }
From source file:org.glite.security.util.FileCRLChecker.java
License:Apache License
/** * Checks the issuerDistributionPoint extension, whether it contains unsupported information. * /* www .jav a 2 s.c o m*/ * @throws CertificateException thrown in case there is problems with the certificate handling. * @throws IOException thrown in case the extension parsing fails. */ private void checkIssuinDistributionPoint() throws CertificateException, IOException { byte extensionBytes[] = m_crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.toString()); ASN1Object object = ASN1Object.fromByteArray(extensionBytes); if (!(object instanceof DEROctetString)) { throw new CertificateException( "Invalid data in IssuingDistributionPoint extension, not DEROctetString"); } DEROctetString string = (DEROctetString) object; object = ASN1Object.fromByteArray(string.getOctets()); if (!(object instanceof ASN1Sequence)) { throw new CertificateException("Invalid data in IssuingDistributionPoint extension, not ASN1Sequence"); } IssuingDistributionPoint issuingDistributionPoint = new IssuingDistributionPoint((ASN1Sequence) object); if (issuingDistributionPoint.onlyContainsAttributeCerts()) { throw new CertificateException("CRL only contains attribute certs, not useful for authentication."); } if (issuingDistributionPoint.getOnlySomeReasons() != null) { throw new CertificateException( "CRL only contains some reasons of revocations, can't trust the certificates without other complementing CRL(s), which is not supported."); } }
From source file:org.signserver.validationservice.server.ValidationTestUtils.java
License:Open Source License
public static X509CRL genCRL(X509Certificate cacert, PrivateKey privKey, DistributionPoint dp, Collection<RevokedCertInfo> certs, int crlPeriod, int crlnumber) throws CATokenOfflineException, IllegalKeyStoreException, IOException, SignatureException, NoSuchProviderException, InvalidKeyException, CRLException, NoSuchAlgorithmException { final String sigAlg = "SHA1WithRSA"; boolean crlDistributionPointOnCrlCritical = true; boolean crlNumberCritical = false; Date thisUpdate = new Date(); Date nextUpdate = new Date(); // crlperiod is hours = crlperiod*60*60*1000 milliseconds nextUpdate.setTime(nextUpdate.getTime() + (crlPeriod * (long) (60 * 60 * 1000))); X509V2CRLGenerator crlgen = new X509V2CRLGenerator(); crlgen.setThisUpdate(thisUpdate);//from www . java2 s . c o m crlgen.setNextUpdate(nextUpdate); crlgen.setSignatureAlgorithm(sigAlg); CRLNumber crlnum = new CRLNumber(BigInteger.valueOf(crlnumber)); crlgen.addExtension(X509Extensions.CRLNumber.getId(), crlNumberCritical, crlnum); // Make DNs crlgen.setIssuerDN(cacert.getSubjectX500Principal()); if (certs != null) { Iterator<RevokedCertInfo> it = certs.iterator(); while (it.hasNext()) { RevokedCertInfo certinfo = it.next(); crlgen.addCRLEntry(certinfo.getUserCertificate(), certinfo.getRevocationDate(), certinfo.getReason()); } } // CRL Distribution point URI IssuingDistributionPoint idp = new IssuingDistributionPoint(dp.getDistributionPoint(), false, false, null, false, false); // According to the RFC, IDP must be a critical extension. // Nonetheless, at the moment, Mozilla is not able to correctly // handle the IDP extension and discards the CRL if it is critical. crlgen.addExtension(X509Extensions.IssuingDistributionPoint.getId(), crlDistributionPointOnCrlCritical, idp); X509CRL crl; crl = crlgen.generate(privKey, "BC"); // Verify before sending back crl.verify(cacert.getPublicKey()); return crl; }