List of usage examples for org.bouncycastle.cert X509CRLHolder getIssuer
public X500Name getIssuer()
From source file: org.candlepin.util.X509CRLStreamWriter.java
License: Open Source License
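/**
 * Re-issues the CRL read from {@code crlIn} and writes the DER encoding of the new CRL to {@code out}.
 *
 * <p>The new CRL keeps the old issuer, is dated now, carries over every entry of the old CRL plus the
 * entries queued in {@code newEntries}, increments the cRLNumber extension, copies the
 * authorityKeyIdentifier extension and drops every other extension. It is signed with {@code key}
 * (RSA) using the signature algorithm of the old CRL; {@code signingAlg} and {@code digestAlg} are
 * updated as a side effect.
 *
 * @param out destination for the DER-encoded CRL; not closed here
 * @throws IOException if the input cannot be parsed, the signature algorithm is unsupported,
 *         the signer cannot be created, or writing fails
 */
protected void writeToEmptyCrl(OutputStream out) throws IOException {
    ASN1InputStream asn1in = null;
    try {
        asn1in = new ASN1InputStream(crlIn);
        DERSequence certListSeq = (DERSequence) asn1in.readObject();
        CertificateList certList = new CertificateList(certListSeq);
        X509CRLHolder oldCrl = new X509CRLHolder(certList);

        // One timestamp for thisUpdate and for deriving nextUpdate, so the two agree.
        Date now = new Date();
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(oldCrl.getIssuer(), now);

        // Carry over all existing revocation entries.
        // NOTE(review): the old CRL's signature is not verified before its entries are reused;
        // presumably crlIn is the CA's own CRL -- confirm at the call site.
        crlBuilder.addCRL(oldCrl);

        // nextUpdate is OPTIONAL in a CRL (RFC 5280 5.1.2.5). Only set one when the old CRL had one,
        // keeping the same thisUpdate->nextUpdate interval; previously a missing nextUpdate was an NPE.
        Time oldNextUpdate = certList.getNextUpdate();
        if (oldNextUpdate != null) {
            long interval = oldNextUpdate.getDate().getTime() - certList.getThisUpdate().getDate().getTime();
            crlBuilder.setNextUpdate(new Date(now.getTime() + interval));
        }

        for (Object o : oldCrl.getExtensionOIDs()) {
            ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) o;
            X509Extension ext = oldCrl.getExtension(oid);
            if (oid.equals(X509Extension.cRLNumber)) {
                // A re-issued CRL needs a larger cRLNumber than the one it replaces (RFC 5280 5.2.3).
                DEROctetString octet = (DEROctetString) ext.getValue().getDERObject();
                DERInteger currentNumber = (DERInteger) DERTaggedObject.fromByteArray(octet.getOctets());
                DERInteger nextNumber = new DERInteger(currentNumber.getValue().add(BigInteger.ONE));
                crlBuilder.addExtension(oid, ext.isCritical(), nextNumber);
            } else if (oid.equals(X509Extension.authorityKeyIdentifier)) {
                crlBuilder.addExtension(oid, ext.isCritical(),
                        new AuthorityKeyIdentifierStructure(ext.getValue().getDEREncoded()));
            }
            // Every other extension of the old CRL is intentionally not copied.
        }

        for (DERSequence entry : newEntries) {
            // XXX: This is all a bit messy considering the user already passed in the serial, date
            // and reason.
            BigInteger serial = ((DERInteger) entry.getObjectAt(0)).getValue();
            Date revokeDate = ((Time) entry.getObjectAt(1)).getDate();
            int reason = CRLReason.unspecified;
            if (entry.size() == 3) {
                // Optional third element: entry extensions; only reasonCode is honoured.
                X509Extensions extensions = (X509Extensions) entry.getObjectAt(2);
                X509Extension reasonExt = extensions.getExtension(X509Extension.reasonCode);
                if (reasonExt != null) {
                    reason = ((DEREnumerated) reasonExt.getParsedValue()).getValue().intValue();
                }
            }
            crlBuilder.addCRLEntry(serial, revokeDate, reason);
        }

        RSAKeyParameters keyParams = new RSAKeyParameters(true, key.getModulus(), key.getPrivateExponent());
        // The new CRL inherits the old CRL's signature algorithm; a weak algorithm on the input
        // is therefore carried forward unchanged.
        signingAlg = oldCrl.toASN1Structure().getSignatureAlgorithm();
        digestAlg = new DefaultDigestAlgorithmIdentifierFinder().find(signingAlg);
        if (digestAlg == null) {
            // find() yields null for an algorithm it does not know; fail with a clear message
            // instead of letting the signer builder dereference it.
            throw new IOException("Could not determine digest algorithm for the CRL signature algorithm");
        }
        ContentSigner s;
        try {
            s = new BcRSAContentSignerBuilder(signingAlg, digestAlg).build(keyParams);
            X509CRLHolder newCrl = crlBuilder.build(s);
            out.write(newCrl.getEncoded());
        } catch (OperatorCreationException e) {
            throw new IOException("Could not sign CRL", e);
        }
    } finally {
        IOUtils.closeQuietly(asn1in);
    }
}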
From source file: org.cesecore.certificates.crl.CrlCreateSessionBean.java
License: Open Source License
/**
 * Generates a base CRL (or a delta CRL when {@code basecrlnumber > -1}) for {@code ca}, stores it via
 * {@code crlSession} and writes an audit record for success or failure.
 *
 * <p>The encoded CRL is returned only after both the store and the SUCCESS audit record have been
 * written; a failure in either path is audit-logged as FAILURE before the exception propagates.
 *
 * @param admin the administrator on whose behalf the CRL is created; used for authorization and audit
 * @param ca the CA that issues the CRL; must be active or waiting for a certificate response
 * @param certs revoked certificates to include
 * @param basecrlnumber number of the base CRL a delta refers to, or -1 for a base CRL
 * @param nextCrlNumber CRL number to issue; bumped by one if it equals {@code basecrlnumber}
 * @return the DER-encoded CRL, or {@code null} if the CA produced no CRL
 * @throws CryptoTokenOfflineException if the CA is not in an allowed status or its crypto token is missing
 * @throws AuthorizationDeniedException presumably from {@code authorizedToCreateCRL} -- its body is not shown here
 * @throws EJBException for any other failure while generating or storing the CRL
 */
@Override
public byte[] generateAndStoreCRL(AuthenticationToken admin, CA ca, Collection<RevokedCertInfo> certs,
        int basecrlnumber, int nextCrlNumber) throws CryptoTokenOfflineException, AuthorizationDeniedException {
    if (log.isTraceEnabled()) {
        log.trace(">createCRL(Collection)");
    }
    byte[] crlBytes = null; // return value
    // Check that we are allowed to create CRLs
    // Authorization for other things, that we have access to the CA has already been done
    final int caid = ca.getCAId();
    authorizedToCreateCRL(admin, caid);
    try {
        if ((ca.getStatus() != CAConstants.CA_ACTIVE)
                && (ca.getStatus() != CAConstants.CA_WAITING_CERTIFICATE_RESPONSE)) {
            String msg = intres.getLocalizedMessage("createcert.canotactive", ca.getSubjectDN());
            throw new CryptoTokenOfflineException(msg);
        }
        final X509CRLHolder crl;
        boolean deltaCRL = (basecrlnumber > -1);
        final CryptoToken cryptoToken = cryptoTokenManagementSession
                .getCryptoToken(ca.getCAToken().getCryptoTokenId());
        if (cryptoToken == null) {
            throw new CryptoTokenOfflineException(
                    "Could not find CryptoToken with id " + ca.getCAToken().getCryptoTokenId());
        }
        if (deltaCRL) {
            // Workaround if transaction handling fails so that crlNumber for deltaCRL would happen to be the same
            if (nextCrlNumber == basecrlnumber) {
                nextCrlNumber++;
            }
            crl = ca.generateDeltaCRL(cryptoToken, certs, nextCrlNumber, basecrlnumber);
        } else {
            crl = ca.generateCRL(cryptoToken, certs, nextCrlNumber);
        }
        if (crl != null) {
            // Store CRL in the database, this can still fail so the whole thing is rolled back
            String cafp = CertTools.getFingerprintAsString(ca.getCACertificate());
            if (log.isDebugEnabled()) {
                log.debug("Encoding CRL to byte array. Free memory=" + Runtime.getRuntime().freeMemory());
            }
            byte[] tmpcrlBytes = crl.getEncoded();
            if (log.isDebugEnabled()) {
                log.debug("Finished encoding CRL to byte array. Free memory=" + Runtime.getRuntime().freeMemory());
                log.debug("Storing CRL in certificate store.");
            }
            // NOTE(review): getNextUpdate() is dereferenced unconditionally; a CRL without nextUpdate
            // would NPE here and be reported through the generic catch below -- confirm the CA always sets it.
            // Last argument: 1 marks a delta CRL, -1 a base CRL.
            crlSession.storeCRL(admin, tmpcrlBytes, cafp, nextCrlNumber, crl.getIssuer().toString(),
                    crl.toASN1Structure().getThisUpdate().getDate(),
                    crl.toASN1Structure().getNextUpdate().getDate(), (deltaCRL ? 1 : -1));
            String msg = intres.getLocalizedMessage("createcrl.createdcrl", Integer.valueOf(nextCrlNumber),
                    ca.getName(), ca.getSubjectDN());
            Map<String, Object> details = new LinkedHashMap<String, Object>();
            details.put("msg", msg);
            logSession.log(EventTypes.CRL_CREATION, EventStatus.SUCCESS, ModuleTypes.CRL, ServiceTypes.CORE,
                    admin.toString(), String.valueOf(caid), null, null, details);
            // Now all is finished and audit logged, now we are ready to "really" set the return value
            crlBytes = tmpcrlBytes;
        }
    } catch (CryptoTokenOfflineException ctoe) {
        // Audit the failure, then rethrow unchanged so the caller sees the declared exception type.
        String msg = intres.getLocalizedMessage("error.catokenoffline", ca.getSubjectDN());
        log.info(msg, ctoe);
        String auditmsg = intres.getLocalizedMessage("createcrl.errorcreate", ca.getName(), ctoe.getMessage());
        Map<String, Object> details = new LinkedHashMap<String, Object>();
        details.put("msg", auditmsg);
        logSession.log(EventTypes.CRL_CREATION, EventStatus.FAILURE, ModuleTypes.CRL, ServiceTypes.CORE,
                admin.toString(), String.valueOf(caid), null, null, details);
        throw ctoe;
    } catch (Exception e) {
        // Any other failure is audited and surfaced as an EJBException (an existing one is passed through).
        log.info("Error generating CRL: ", e);
        String msg = intres.getLocalizedMessage("createcrl.errorcreate", ca.getName(), e.getMessage());
        Map<String, Object> details = new LinkedHashMap<String, Object>();
        details.put("msg", msg);
        logSession.log(EventTypes.CRL_CREATION, EventStatus.FAILURE, ModuleTypes.CRL, ServiceTypes.CORE,
                admin.toString(), String.valueOf(caid), null, null, details);
        if (e instanceof EJBException) {
            throw (EJBException) e;
        }
        throw new EJBException(msg, e);
    }
    if (log.isTraceEnabled()) {
        log.trace("<createCRL(Collection)");
    }
    return crlBytes;
}
From source file: org.picketlink.pki.internal.DefaultCertificateAuthority.java
License: Open Source License
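/**
 * Adds {@code certificate} to this partition's CRL with reason {@code privilegeWithdrawn}, re-signs
 * the CRL with the partition key and stores the Base64-encoded result through the identity manager.
 *
 * <p>The new CRL keeps the issuer and all entries of the current CRL, is dated now and is valid for
 * 30 days. NOTE(review): no check is made that the certificate was issued by this CA or that it is
 * not already listed, so a repeated call adds a second entry for the same serial -- confirm this is
 * acceptable to consumers of the CRL.
 *
 * @param certificate the certificate to revoke
 * @throws RuntimeException wrapping any failure while building, signing or storing the CRL
 */
@Override
public void revoke(CertificateType certificate) {
    try {
        X509CRLHolder crlHolder = getCRLHolder();
        Date date = new Date();
        X509v2CRLBuilder builder = new X509v2CRLBuilder(crlHolder.getIssuer(), date);
        // Must be computed in long: 30 * 24 * 60 * 60 * 1000 = 2,592,000,000 overflows int,
        // which put nextUpdate roughly 19.7 days in the PAST and made every CRL look stale on issue.
        final long thirtyDaysMillis = 30L * 24 * 60 * 60 * 1000;
        Date nextUpdate = new Date(date.getTime() + thirtyDaysMillis);
        // add the existing one into it
        builder.addCRL(crlHolder);
        // Add the serial to be revoked
        builder.addCRLEntry(certificate.getObject().getSerialNumber(), date, CRLReason.privilegeWithdrawn);
        builder.setNextUpdate(nextUpdate);
        ContentSigner contentSigner = createSigner(getPartitionKeyPair().getPrivate(), getConfiguration());
        X509CRLHolder updatedCRL = builder.build(contentSigner);
        CertificateRevocationListType certificateRevocationList = getCertificateRevocationList();
        certificateRevocationList.setEncoded(Base64.encodeBytes(updatedCRL.getEncoded()));
        getIdentityManager().update(certificateRevocationList);
    } catch (Exception e) {
        throw new RuntimeException("Could not update revocation list.", e);
    }
}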