List of usage examples for org.bouncycastle.cert X509CRLHolder getEncoded
public byte[] getEncoded() throws IOException
From source file:be.fedict.trust.test.PKITestUtils.java
License:Open Source License
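/**
 * Builds and signs an X.509 v2 CRL issued by {@code issuerCertificate}.
 *
 * <p>Entries from {@code revokedCertificates} are added with reason
 * {@code privilegeWithdrawn}; when {@code numberOfRevokedCertificates} is not {@code -1}
 * that many additional entries with random 128-bit serial numbers are appended (useful for
 * producing large CRLs in tests). Signing goes through {@link BcRSAContentSignerBuilder},
 * so only RSA issuer keys are supported by this helper.
 *
 * @param issuerPrivateKey            RSA private key that signs the CRL
 * @param issuerCertificate           issuer certificate; its subject becomes the CRL issuer and
 *                                    it feeds the authority key identifier extension
 * @param thisUpdate                  CRL thisUpdate time
 * @param nextUpdate                  CRL nextUpdate time
 * @param deltaCrlUris                freshest-CRL distribution point URIs; {@code null} or empty
 *                                    to omit the extension
 * @param deltaCrl                    when {@code true} the delta CRL indicator (critical) is added
 * @param revokedCertificates         explicit revocation entries; {@code null} is treated as empty
 * @param signatureAlgorithm          algorithm name understood by
 *                                    {@link DefaultSignatureAlgorithmIdentifierFinder}
 * @param numberOfRevokedCertificates number of extra random entries, or {@code -1} for none
 * @return the signed CRL, re-parsed through the JCA {@link CertificateFactory}
 * @throws IOException               if the CRL cannot be encoded or the key cannot be parsed
 * @throws OperatorCreationException if the content signer cannot be created
 * @throws CRLException              if the JCA factory rejects the produced CRL
 * @throws CertificateException      if the X.509 factory is unavailable
 */
public static X509CRL generateCrl(PrivateKey issuerPrivateKey, X509Certificate issuerCertificate, DateTime thisUpdate, DateTime nextUpdate, List<String> deltaCrlUris, boolean deltaCrl, List<RevokedCertificate> revokedCertificates, String signatureAlgorithm, long numberOfRevokedCertificates) throws InvalidKeyException, CRLException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException, IOException, OperatorCreationException {
    // Take the DER-encoded subject instead of its string form: a string round-trip can change
    // the attribute encoding, and then the CRL issuer no longer matches the certificate
    // issuer byte-for-byte during path validation.
    X500Name issuerName = X500Name.getInstance(issuerCertificate.getSubjectX500Principal().getEncoded());
    X509v2CRLBuilder x509v2crlBuilder = new X509v2CRLBuilder(issuerName, thisUpdate.toDate());
    x509v2crlBuilder.setNextUpdate(nextUpdate.toDate());

    if (null != revokedCertificates) {
        for (RevokedCertificate revokedCertificate : revokedCertificates) {
            x509v2crlBuilder.addCRLEntry(revokedCertificate.serialNumber,
                    revokedCertificate.revocationDate.toDate(), CRLReason.privilegeWithdrawn);
        }
    }

    if (-1 != numberOfRevokedCertificates) {
        SecureRandom secureRandom = new SecureRandom();
        // Count down on a copy so the parameter itself is not consumed as a loop counter.
        long remaining = numberOfRevokedCertificates;
        while (remaining-- > 0) {
            BigInteger serialNumber = new BigInteger(128, secureRandom);
            Date revocationDate = new Date();
            x509v2crlBuilder.addCRLEntry(serialNumber, revocationDate, CRLReason.privilegeWithdrawn);
        }
    }

    JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
    x509v2crlBuilder.addExtension(Extension.authorityKeyIdentifier, false,
            extensionUtils.createAuthorityKeyIdentifier(issuerCertificate));
    // Every CRL produced here carries CRL number 1; callers needing monotonic numbers must
    // manage that themselves.
    x509v2crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.ONE));

    if (null != deltaCrlUris && !deltaCrlUris.isEmpty()) {
        DistributionPoint[] deltaCrlDps = new DistributionPoint[deltaCrlUris.size()];
        for (int i = 0; i < deltaCrlUris.size(); i++) {
            deltaCrlDps[i] = getDistributionPoint(deltaCrlUris.get(i));
        }
        x509v2crlBuilder.addExtension(Extension.freshestCRL, false, new CRLDistPoint(deltaCrlDps));
    }

    if (deltaCrl) {
        // RFC 5280 requires the delta CRL indicator to be critical.
        x509v2crlBuilder.addExtension(Extension.deltaCRLIndicator, true, new CRLNumber(BigInteger.ONE));
    }

    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithm);
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    AsymmetricKeyParameter asymmetricKeyParameter = PrivateKeyFactory.createKey(issuerPrivateKey.getEncoded());
    ContentSigner contentSigner = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(asymmetricKeyParameter);
    X509CRLHolder x509crlHolder = x509v2crlBuilder.build(contentSigner);

    // Round-trip through the JCA factory so callers get a java.security.cert.X509CRL.
    byte[] crlValue = x509crlHolder.getEncoded();
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
    return (X509CRL) certificateFactory.generateCRL(new ByteArrayInputStream(crlValue));
}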
From source file:com.gitblit.utils.X509Utils.java
License:Apache License
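/**
 * Creates a new, empty certificate revocation list (CRL) signed by the Gitblit CA key.
 * Any existing CRL file is replaced.
 *
 * <p>The CRL is written to a temporary file beside the target and then renamed into
 * place, so a failed write cannot leave a truncated CRL behind. Failures of the
 * delete/rename step are reported rather than ignored.
 *
 * @param caRevocationList   destination CRL file
 * @param caKeystoreFile     keystore holding the CA key and certificate under {@code CA_ALIAS}
 * @param caKeystorePassword password for the keystore and the CA key entry
 * @throws RuntimeException if the keystore cannot be read, the CRL cannot be signed, or the
 *                          file cannot be written or moved into place
 */
public static void newCertificateRevocationList(File caRevocationList, File caKeystoreFile, String caKeystorePassword) {
    try {
        // read the Gitblit CA key and certificate
        KeyStore store = openKeyStore(caKeystoreFile, caKeystorePassword);
        PrivateKey caPrivateKey = (PrivateKey) store.getKey(CA_ALIAS, caKeystorePassword.toCharArray());
        X509Certificate caCert = (X509Certificate) store.getCertificate(CA_ALIAS);
        // NOTE(review): the CRL issuer is taken from the CA certificate's *issuer* DN; that only
        // equals the CA's own name when the CA certificate is self-signed — confirm.
        X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName());
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, new Date());
        // NOTE(review): no nextUpdate is set; RFC 5280 expects conforming issuers to include one.

        // build and sign CRL with CA private key
        ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);
        X509CRLHolder crl = crlBuilder.build(signer);

        File tmpFile = new File(caRevocationList.getParentFile(), Long.toHexString(System.currentTimeMillis()) + ".tmp");
        try {
            try (FileOutputStream fos = new FileOutputStream(tmpFile)) {
                fos.write(crl.getEncoded());
                fos.flush();
            }
            // File.delete()/renameTo() only signal failure through their return value;
            // surface it so a stale CRL is not silently left in place.
            if (caRevocationList.exists() && !caRevocationList.delete()) {
                throw new IOException("Could not remove existing CRL " + caRevocationList);
            }
            if (!tmpFile.renameTo(caRevocationList)) {
                throw new IOException("Could not move " + tmpFile + " to " + caRevocationList);
            }
        } finally {
            // Only present if the write or the rename failed.
            if (tmpFile.exists()) {
                tmpFile.delete();
            }
        }
    } catch (Exception e) {
        throw new RuntimeException("Failed to create new certificate revocation list " + caRevocationList, e);
    }
}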
From source file:com.gitblit.utils.X509Utils.java
License:Apache License
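/**
 * Revokes a certificate by adding it to the CA revocation list and re-signing the CRL.
 *
 * <p>If {@code caRevocationList} already exists its entries are carried over; the new
 * entry is appended and the whole list is signed again with {@code SIGNING_ALGORITHM}
 * (the same algorithm {@code newCertificateRevocationList} uses). The CRL is written via a
 * temporary file and renamed into place so a failed write cannot truncate the live CRL.
 *
 * @param cert             certificate to revoke
 * @param reason           revocation reason
 * @param caRevocationList CRL file to update (created if absent)
 * @param caPrivateKey     CA key that signs the CRL
 * @param x509log          audit log that receives the revocation record
 * @return {@code true} if the certificate has been revoked and the CRL rewritten,
 *         {@code false} if any step failed (the failure is logged with its cause)
 */
public static boolean revoke(X509Certificate cert, RevocationReason reason, File caRevocationList, PrivateKey caPrivateKey, X509Log x509log) {
    try {
        X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(cert).getName());
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, new Date());
        if (caRevocationList.exists()) {
            // carry over every entry of the current CRL
            byte[] data = FileUtils.readContent(caRevocationList);
            X509CRLHolder crl = new X509CRLHolder(data);
            crlBuilder.addCRL(crl);
        }
        // NOTE(review): relies on RevocationReason's ordinals matching the RFC 5280 CRLReason
        // codes — confirm the enum order is never changed.
        crlBuilder.addCRLEntry(cert.getSerialNumber(), new Date(), reason.ordinal());

        // build and sign CRL with CA private key
        ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);
        X509CRLHolder crl = crlBuilder.build(signer);

        File tmpFile = new File(caRevocationList.getParentFile(), Long.toHexString(System.currentTimeMillis()) + ".tmp");
        try {
            try (FileOutputStream fos = new FileOutputStream(tmpFile)) {
                fos.write(crl.getEncoded());
                fos.flush();
            }
            // delete()/renameTo() only report failure by return value; a silent failure here
            // would leave the old CRL in place while this method still reports success.
            if (caRevocationList.exists() && !caRevocationList.delete()) {
                throw new IOException("Could not remove existing CRL " + caRevocationList);
            }
            if (!tmpFile.renameTo(caRevocationList)) {
                throw new IOException("Could not move " + tmpFile + " to " + caRevocationList);
            }
        } finally {
            if (tmpFile.exists()) {
                tmpFile.delete();
            }
        }

        x509log.log(MessageFormat.format("Revoked certificate {0,number,0} reason: {1} [{2}]",
                cert.getSerialNumber(), reason.toString(), cert.getSubjectDN().getName()));
        return true;
    } catch (IOException | OperatorCreationException | CertificateEncodingException e) {
        // keep the cause: without it a failed rename or signing error is undiagnosable
        logger.error(MessageFormat.format("Failed to revoke certificate {0,number,0} [{1}] in {2}",
                cert.getSerialNumber(), cert.getSubjectDN().getName(), caRevocationList), e);
    }
    return false;
}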
From source file:dk.itst.oiosaml.sp.IntegrationTests.java
License:Mozilla Public License
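/**
 * Writes a short-lived test CRL (valid for one minute) to a temporary file.
 *
 * @param cert certificate to list as revoked with reason {@code keyCompromise}, or
 *             {@code null} for an empty CRL
 * @return the temporary CRL file (deleted on JVM exit)
 * @throws IOException               if the file cannot be created or written
 * @throws OperatorCreationException if the test credential cannot be used for signing
 */
private File generateCRL(X509Certificate cert) throws CRLException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, IOException, OperatorCreationException {
    X500Name issuer = new X500Name("CN=ca");
    Date thisUpdate = new Date();
    X509v2CRLBuilder gen = new X509v2CRLBuilder(issuer, thisUpdate);
    gen.setNextUpdate(new Date(System.currentTimeMillis() + 60000));
    if (cert != null) {
        // revocation time one second in the past so the entry is already effective
        gen.addCRLEntry(cert.getSerialNumber(), new Date(System.currentTimeMillis() - 1000), CRLReason.keyCompromise);
    }
    ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(credential.getPrivateKey());
    X509CRLHolder crl = gen.build(sigGen);

    final File crlFile = File.createTempFile("test", "test");
    crlFile.deleteOnExit();
    // close in finally so a failed write does not leak the stream
    FileOutputStream fos = new FileOutputStream(crlFile);
    try {
        IOUtils.write(crl.getEncoded(), fos);
    } finally {
        fos.close();
    }
    return crlFile;
}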
From source file:fathom.x509.X509Utils.java
License:Apache License
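/**
 * Creates a new, empty certificate revocation list (CRL) signed by the Fathom CA key.
 * Any existing CRL file is replaced.
 *
 * <p>The CRL is written to a temporary file beside the target and then renamed into
 * place, so a failed write cannot leave a truncated CRL behind. Failures of the
 * delete/rename step are reported rather than ignored.
 *
 * @param caRevocationList   destination CRL file
 * @param caKeystoreFile     keystore holding the CA key and certificate under {@code CA_ALIAS}
 * @param caKeystorePassword password for the keystore and the CA key entry
 * @throws RuntimeException if the keystore cannot be read, the CRL cannot be signed, or the
 *                          file cannot be written or moved into place
 */
public static void newCertificateRevocationList(File caRevocationList, File caKeystoreFile, String caKeystorePassword) {
    try {
        // read the Fathom CA key and certificate
        KeyStore store = openKeyStore(caKeystoreFile, caKeystorePassword);
        PrivateKey caPrivateKey = (PrivateKey) store.getKey(CA_ALIAS, caKeystorePassword.toCharArray());
        X509Certificate caCert = (X509Certificate) store.getCertificate(CA_ALIAS);
        // NOTE(review): the CRL issuer is taken from the CA certificate's *issuer* DN; that only
        // equals the CA's own name when the CA certificate is self-signed — confirm.
        X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName());
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, new Date());
        // NOTE(review): no nextUpdate is set; RFC 5280 expects conforming issuers to include one.

        // build and sign CRL with CA private key
        ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);
        X509CRLHolder crl = crlBuilder.build(signer);

        File tmpFile = new File(caRevocationList.getParentFile(), Long.toHexString(System.currentTimeMillis()) + ".tmp");
        try {
            try (FileOutputStream fos = new FileOutputStream(tmpFile)) {
                fos.write(crl.getEncoded());
                fos.flush();
            }
            // File.delete()/renameTo() only signal failure through their return value;
            // surface it so a stale CRL is not silently left in place.
            if (caRevocationList.exists() && !caRevocationList.delete()) {
                throw new IllegalStateException("Could not remove existing CRL " + caRevocationList);
            }
            if (!tmpFile.renameTo(caRevocationList)) {
                throw new IllegalStateException("Could not move " + tmpFile + " to " + caRevocationList);
            }
        } finally {
            // Only present if the write or the rename failed.
            if (tmpFile.exists()) {
                tmpFile.delete();
            }
        }
    } catch (Exception e) {
        throw new RuntimeException("Failed to create new certificate revocation list " + caRevocationList, e);
    }
}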
From source file:org.candlepin.util.X509CRLEntryStreamTest.java
License:Open Source License
/**
 * A v2 CRL that carries the usual extensions but no entries must stream zero serials.
 */
@Test
public void testIterateOverEmptyCrl() throws Exception {
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    builder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(keyPair.getPublic()));
    builder.addExtension(X509Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    X509CRLHolder emptyCrl = builder.build(signer);

    File crlFile = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(crlFile, emptyCrl.getEncoded());

    Set<BigInteger> seenSerials = new HashSet<BigInteger>();
    X509CRLEntryStream entries = new X509CRLEntryStream(crlFile);
    try {
        while (entries.hasNext()) {
            seenSerials.add(entries.next().getSerialNumber());
        }
    } finally {
        entries.close();
    }
    assertEquals(0, seenSerials.size());
}
From source file:org.candlepin.util.X509CRLEntryStreamTest.java
License:Open Source License
/**
 * A CRL built without any extension is a v1 CRL; the stream must refuse it with an
 * {@link IllegalStateException} whose message starts with "v1".
 */
@Test
public void testIterateOverEmptyCrlWithNoExtensions() throws Exception {
    X509CRLHolder v1Crl = new X509v2CRLBuilder(issuer, new Date()).build(signer);
    File crlFile = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(crlFile, v1Crl.getEncoded());

    X509CRLEntryStream entries = new X509CRLEntryStream(crlFile);
    thrown.expect(IllegalStateException.class);
    thrown.expectMessage(matchesPattern("v1.*"));
    try {
        // drain the stream; the expected exception surfaces from hasNext()/next()
        while (entries.hasNext()) {
            entries.next();
        }
    } finally {
        entries.close();
    }
}
From source file:org.candlepin.util.X509CRLEntryStreamTest.java
License:Open Source License
/**
 * A CRL without a nextUpdate field but with one entry must still stream that entry.
 */
@Test
public void testCRLwithoutUpdateTime() throws Exception {
    BigInteger revokedSerial = new BigInteger("100");

    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    builder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(keyPair.getPublic()));
    builder.addExtension(X509Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    builder.addCRLEntry(revokedSerial, new Date(), CRLReason.unspecified);
    X509CRLHolder singleEntryCrl = builder.build(signer);

    File crlFile = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(crlFile, singleEntryCrl.getEncoded());

    Set<BigInteger> seenSerials = new HashSet<BigInteger>();
    X509CRLEntryStream entries = new X509CRLEntryStream(crlFile);
    try {
        while (entries.hasNext()) {
            seenSerials.add(entries.next().getSerialNumber());
        }
    } finally {
        entries.close();
    }
    assertEquals(1, seenSerials.size());
    assertTrue(seenSerials.contains(revokedSerial));
}
From source file:org.candlepin.util.X509CRLStreamWriter.java
License:Open Source License
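/**
 * Rebuilds the CRL read from {@code crlIn} with the queued {@code newEntries} appended and
 * writes the re-signed result to {@code out}.
 *
 * <p>The new CRL keeps the old issuer and entries, bumps the CRL number by one, copies the
 * authority key identifier, and shifts thisUpdate/nextUpdate forward so the original
 * validity window length is preserved. It is signed with the old CRL's signature algorithm
 * using the RSA key in {@code key}; the chosen algorithm identifiers are left in the
 * {@code signingAlg}/{@code digestAlg} fields as a side effect.
 *
 * @param out destination for the DER-encoded CRL
 * @throws IOException if the input cannot be parsed, the signer cannot be created, or the
 *                     output cannot be written
 */
protected void writeToEmptyCrl(OutputStream out) throws IOException {
    ASN1InputStream asn1in = null;
    try {
        asn1in = new ASN1InputStream(crlIn);
        DERSequence certListSeq = (DERSequence) asn1in.readObject();
        CertificateList certList = new CertificateList(certListSeq);
        X509CRLHolder oldCrl = new X509CRLHolder(certList);

        // Use one timestamp for thisUpdate and as the base of nextUpdate so the new validity
        // window is exactly as long as the old one.
        Date now = new Date();
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(oldCrl.getIssuer(), now);
        crlBuilder.addCRL(oldCrl);

        // nextUpdate is OPTIONAL in the CertificateList syntax; only carry the window over
        // when the old CRL actually had one instead of failing on a null Time.
        Time oldNextUpdate = certList.getNextUpdate();
        if (oldNextUpdate != null) {
            Date oldThisUpdate = certList.getThisUpdate().getDate();
            long windowMillis = oldNextUpdate.getDate().getTime() - oldThisUpdate.getTime();
            crlBuilder.setNextUpdate(new Date(now.getTime() + windowMillis));
        }

        for (Object o : oldCrl.getExtensionOIDs()) {
            ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) o;
            X509Extension ext = oldCrl.getExtension(oid);
            if (oid.equals(X509Extension.cRLNumber)) {
                // the extension value is an OCTET STRING wrapping the DER INTEGER
                DEROctetString octet = (DEROctetString) ext.getValue().getDERObject();
                DERInteger currentNumber = (DERInteger) DERTaggedObject.fromByteArray(octet.getOctets());
                DERInteger nextNumber = new DERInteger(currentNumber.getValue().add(BigInteger.ONE));
                crlBuilder.addExtension(oid, ext.isCritical(), nextNumber);
            } else if (oid.equals(X509Extension.authorityKeyIdentifier)) {
                crlBuilder.addExtension(oid, ext.isCritical(),
                        new AuthorityKeyIdentifierStructure(ext.getValue().getDEREncoded()));
            }
            // any other extension of the old CRL is intentionally dropped
        }

        for (DERSequence entry : newEntries) {
            // XXX: This is all a bit messy considering the user already passed in the serial,
            // date and reason; the entry is re-parsed from its ASN.1 form here.
            BigInteger serial = ((DERInteger) entry.getObjectAt(0)).getValue();
            Date revokeDate = ((Time) entry.getObjectAt(1)).getDate();
            int reason = CRLReason.unspecified;
            if (entry.size() == 3) {
                X509Extensions extensions = (X509Extensions) entry.getObjectAt(2);
                X509Extension reasonExt = extensions.getExtension(X509Extension.reasonCode);
                if (reasonExt != null) {
                    reason = ((DEREnumerated) reasonExt.getParsedValue()).getValue().intValue();
                }
            }
            crlBuilder.addCRLEntry(serial, revokeDate, reason);
        }

        RSAKeyParameters keyParams = new RSAKeyParameters(true, key.getModulus(), key.getPrivateExponent());
        // NOTE(review): the signature algorithm is inherited from the input CRL, so a CRL
        // signed with a weak (e.g. SHA-1 based) algorithm is re-signed the same way — confirm
        // whether a minimum algorithm should be enforced here.
        signingAlg = oldCrl.toASN1Structure().getSignatureAlgorithm();
        digestAlg = new DefaultDigestAlgorithmIdentifierFinder().find(signingAlg);
        ContentSigner s;
        try {
            s = new BcRSAContentSignerBuilder(signingAlg, digestAlg).build(keyParams);
            X509CRLHolder newCrl = crlBuilder.build(s);
            out.write(newCrl.getEncoded());
        } catch (OperatorCreationException e) {
            throw new IOException("Could not sign CRL", e);
        }
    } finally {
        IOUtils.closeQuietly(asn1in);
    }
}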
From source file:org.candlepin.util.X509CRLStreamWriterTest.java
License:Open Source License
/**
 * Materialises {@code crl} as {@code test.crl} in the test's temporary folder.
 *
 * @param crl CRL to write
 * @return the file that now holds the DER-encoded CRL
 */
private File writeCRL(X509CRLHolder crl) throws Exception {
    byte[] der = crl.getEncoded();
    File target = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(target, der);
    return target;
}