List of usage examples for org.bouncycastle.cert X509CRLHolder X509CRLHolder
public X509CRLHolder(CertificateList x509CRL)
From source file:com.gitblit.utils.X509Utils.java
License:Apache License
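/**
 * Revokes a certificate by appending it to the CA's CRL and re-signing the list.
 * <p>
 * Existing entries of {@code caRevocationList} (if the file exists) are carried over into
 * the new CRL. The new CRL is written to a temporary file in the same directory first and
 * only then moved over the old file, so a failed write does not leave a truncated CRL.
 *
 * @param cert             the certificate to revoke
 * @param reason           the revocation reason; its {@code ordinal()} is used as the CRL reason code
 * @param caRevocationList the CRL file to update (created if absent)
 * @param caPrivateKey     the CA private key used to sign the CRL
 * @param x509log          audit log that receives a revocation record on success
 * @return true if the certificate has been revoked and the CRL file was replaced
 */
public static boolean revoke(X509Certificate cert, RevocationReason reason, File caRevocationList,
        PrivateKey caPrivateKey, X509Log x509log) {
    try {
        X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(cert).getName());
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, new Date());
        if (caRevocationList.exists()) {
            // carry the already-revoked entries forward into the new list
            byte[] data = FileUtils.readContent(caRevocationList);
            X509CRLHolder existing = new X509CRLHolder(data);
            crlBuilder.addCRL(existing);
        }
        // NOTE(review): this relies on RevocationReason's ordinal matching the RFC 5280 CRLReason codes
        crlBuilder.addCRLEntry(cert.getSerialNumber(), new Date(), reason.ordinal());

        // build and sign CRL with CA private key
        // TODO(security): SHA-1 signatures are deprecated; move to SHA256WithRSA once relying parties allow it
        ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSA").setProvider(BC).build(caPrivateKey);
        X509CRLHolder crl = crlBuilder.build(signer);

        // write to a temp file next to the CRL, then swap it into place
        File tmpFile = new File(caRevocationList.getParentFile(),
                Long.toHexString(System.currentTimeMillis()) + ".tmp");
        try {
            try (FileOutputStream fos = new FileOutputStream(tmpFile)) {
                fos.write(crl.getEncoded());
                fos.flush();
            }
            // a failed delete/rename used to be ignored, silently leaving the old CRL in place
            if (caRevocationList.exists() && !caRevocationList.delete()) {
                throw new IOException("Could not delete existing CRL " + caRevocationList);
            }
            if (!tmpFile.renameTo(caRevocationList)) {
                throw new IOException("Could not move " + tmpFile + " to " + caRevocationList);
            }
        } finally {
            if (tmpFile.exists()) {
                tmpFile.delete();
            }
        }

        x509log.log(MessageFormat.format("Revoked certificate {0,number,0} reason: {1} [{2}]",
                cert.getSerialNumber(), reason.toString(), cert.getSubjectDN().getName()));
        return true;
    } catch (IOException | OperatorCreationException | CertificateEncodingException e) {
        // keep the cause; the message alone hides which step failed
        logger.error(MessageFormat.format("Failed to revoke certificate {0,number,0} [{1}] in {2}",
                cert.getSerialNumber(), cert.getSubjectDN().getName(), caRevocationList), e);
    }
    return false;
}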
From source file:de.carne.certmgr.store.provider.bouncycastle.BouncyCastleStoreProvider.java
License:Open Source License
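/**
 * Builds a new CRL for {@code issuerCRT}, carrying the cRLNumber forward from
 * {@code currentCRL} (if any), and signs it with the issuer's private key.
 *
 * @param currentCRL    the CRL currently in force, or {@code null} when none exists yet;
 *                      only its cRLNumber extension is consulted, its entries are not copied
 * @param crlParams     lastUpdate/nextUpdate dates and the signature algorithm to use
 * @param revokeSerials serial numbers to list as revoked, with their reason codes
 * @param issuerKey     the issuer key pair; the private key signs the CRL
 * @param issuerCRT     the issuer certificate; provides the issuer name and the authority key identifier
 * @return the signed CRL
 * @throws IOException              if an extension cannot be encoded
 * @throws GeneralSecurityException if the current CRL cannot be re-encoded or the result cannot be converted
 * @throws StoreProviderException   if the content signer cannot be created
 */
@Override
public X509CRL generateAndSignCRL(X509CRL currentCRL, X509CRLParams crlParams,
        Map<BigInteger, RevokeReason> revokeSerials, KeyPair issuerKey, X509Certificate issuerCRT)
        throws IOException, GeneralSecurityException {
    // CRL dates are given as whole days; anchor them at local midnight
    Date lastUpdate = toStartOfDay(crlParams.getLastUpdate());
    JcaX509v2CRLBuilder crlBuilder = new JcaX509v2CRLBuilder(issuerCRT.getSubjectX500Principal(), lastUpdate);
    LocalDate nextUpdateParam = crlParams.getNextUpdate();
    if (nextUpdateParam != null) {
        crlBuilder.setNextUpdate(toStartOfDay(nextUpdateParam));
    }

    CRLNumber crlNumber;
    if (currentCRL != null) {
        X509CRLHolder crlHolder = new X509CRLHolder(currentCRL.getEncoded());
        Extension currentNumberExt = crlHolder.getExtension(Extension.cRLNumber);
        if (currentNumberExt != null) {
            ASN1Integer currentSerial = ASN1Integer.getInstance(currentNumberExt.getParsedValue());
            crlNumber = new CRLNumber(currentSerial.getValue().add(BigInteger.ONE));
        } else {
            // the previous CRL carried no cRLNumber extension; start the sequence instead of
            // dereferencing a null extension
            crlNumber = new CRLNumber(BigInteger.ONE);
        }
    } else {
        crlNumber = new CRLNumber(BigInteger.ONE);
    }

    for (Map.Entry<BigInteger, RevokeReason> revokeListEntry : revokeSerials.entrySet()) {
        crlBuilder.addCRLEntry(revokeListEntry.getKey(), lastUpdate, revokeListEntry.getValue().value());
    }

    JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
    crlBuilder.addExtension(Extension.authorityKeyIdentifier, false,
            extensionUtils.createAuthorityKeyIdentifier(issuerCRT.getPublicKey()));
    crlBuilder.addExtension(Extension.cRLNumber, false, crlNumber);

    ContentSigner crlSigner;
    try {
        crlSigner = new JcaContentSignerBuilder(crlParams.getSigAlg()).build(issuerKey.getPrivate());
    } catch (OperatorCreationException e) {
        throw new StoreProviderException(e.getMessage(), e);
    }
    return new JcaX509CRLConverter().getCRL(crlBuilder.build(crlSigner));
}

/** Converts a calendar day to the {@link Date} at its start in the system default zone. */
private static Date toStartOfDay(LocalDate day) {
    return Date.from(day.atStartOfDay().atZone(ZoneId.systemDefault()).toInstant());
}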
From source file:eu.europa.ec.markt.dss.validation102853.crl.CRLToken.java
License:Open Source License
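/**
 * Builds a Bouncy Castle {@link X509CRLHolder} holding a copy of this token's CRL.
 * <p>
 * The outer signature algorithm is taken from the TBSCertList rather than rebuilt from
 * {@code getSigAlgOID()} alone, so algorithm parameters (e.g. for RSASSA-PSS) are preserved
 * and the two identifiers are identical as RFC 5280 section 5.1.1.2 requires.
 *
 * @return a copy of x509crl as a X509CRLHolder
 * @throws DSSException if the CRL's TBS bytes cannot be obtained
 */
public X509CRLHolder getX509CrlHolder() {
    try {
        final X509CRL x509crl = getX509crl();
        final TBSCertList tbsCertList = TBSCertList.getInstance(x509crl.getTBSCertList());
        // signatureAlgorithm MUST equal tbsCertList.signature; reusing it keeps any parameters
        final AlgorithmIdentifier sigAlgId = tbsCertList.getSignature();
        final byte[] signature = x509crl.getSignature();
        final DERSequence seq = new DERSequence(
                new ASN1Encodable[] { tbsCertList, sigAlgId, new DERBitString(signature) });
        return new X509CRLHolder(new CertificateList(seq));
    } catch (CRLException e) {
        throw new DSSException(e);
    }
}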
From source file:eu.europa.esig.dss.cades.signature.CAdESLevelBaselineLT.java
License:Open Source License
/** * @return the a copy of x509crl as a X509CRLHolder *///from w w w.j a v a 2 s . c o m private X509CRLHolder getX509CrlHolder(CRLToken crlToken) { try { final X509CRL x509crl = crlToken.getX509crl(); final TBSCertList tbsCertList = TBSCertList.getInstance(x509crl.getTBSCertList()); final AlgorithmIdentifier sigAlgOID = new AlgorithmIdentifier( new ASN1ObjectIdentifier(x509crl.getSigAlgOID())); final byte[] signature = x509crl.getSignature(); final DERSequence seq = new DERSequence( new ASN1Encodable[] { tbsCertList, sigAlgOID, new DERBitString(signature) }); final CertificateList x509CRL = new CertificateList(seq); // final CertificateList x509CRL = new // CertificateList.getInstance((Object)seq); final X509CRLHolder x509crlHolder = new X509CRLHolder(x509CRL); return x509crlHolder; } catch (CRLException e) { throw new DSSException(e); } }
From source file:eu.europa.esig.dss.x509.crl.CRLToken.java
License:Open Source License
/** * @return the a copy of x509crl as a X509CRLHolder */// w w w . j a v a2 s .c om public X509CRLHolder getX509CrlHolder() { try { final X509CRL x509crl = getX509crl(); final TBSCertList tbsCertList = TBSCertList.getInstance(x509crl.getTBSCertList()); final AlgorithmIdentifier sigAlgOID = new AlgorithmIdentifier( new ASN1ObjectIdentifier(x509crl.getSigAlgOID())); final byte[] signature = x509crl.getSignature(); final DERSequence seq = new DERSequence( new ASN1Encodable[] { tbsCertList, sigAlgOID, new DERBitString(signature) }); final CertificateList x509CRL = new CertificateList(seq); // final CertificateList x509CRL = new // CertificateList.getInstance((Object)seq); final X509CRLHolder x509crlHolder = new X509CRLHolder(x509CRL); return x509crlHolder; } catch (CRLException e) { throw new DSSException(e); } }
From source file:mitm.common.security.crl.X509CRLBuilderImpl.java
License:Open Source License
/**
 * Builds and signs a CRL for {@code issuer} from the state collected on this builder:
 * {@code thisUpdate}, the optional {@code nextUpdate}, the CRLs whose entries are merged in,
 * and the individual revocation {@code entries}.
 *
 * @param issuer the CRL issuer; its certificate subject becomes the CRL issuer name and its
 *               private key signs the list
 * @return the signed CRL
 * @throws CRLException if a merged CRL cannot be re-encoded, the signer cannot be created,
 *                      or the builder is in an illegal state
 */
@Override
public X509CRL generateCRL(KeyAndCertificate issuer) throws CRLException {
    Check.notNull(issuer, "issuer");
    Check.notNull(issuer.getCertificate(), "issuer#certificate");
    Check.notNull(thisUpdate, "thisUpdate");
    try {
        X509v2CRLBuilder builder = new X509v2CRLBuilder(
                X500PrincipalUtils.toX500Name(issuer.getCertificate().getSubjectX500Principal()),
                thisUpdate);
        if (nextUpdate != null) {
            builder.setNextUpdate(nextUpdate);
        }
        // merge every entry of the previously issued CRLs
        if (crls != null) {
            for (X509CRL previous : crls) {
                builder.addCRL(new X509CRLHolder(previous.getEncoded()));
            }
        }
        if (entries != null) {
            for (Entry revoked : entries) {
                builder.addCRLEntry(revoked.serialNumber, revoked.revocationDate, revoked.reason);
            }
        }
        ContentSigner signer = getContentSigner(issuer.getPrivateKey());
        return getX509CRL(builder.build(signer));
    } catch (IllegalStateException e) {
        throw new CRLException(e);
    } catch (IOException e) {
        throw new CRLException(e);
    } catch (OperatorCreationException e) {
        throw new CRLException(e);
    }
}
From source file:org.candlepin.CRLWriteBenchmark.java
License:Open Source License
/**
 * Benchmark body: parses the CRL in {@code crlFile}, appends one revocation entry in memory,
 * re-signs the list with {@code signer} and writes it to a fresh temp file.
 * Any failure is printed rather than propagated so the JMH run continues.
 */
@Benchmark
@Fork(value = 1, jvmArgsAppend = { "-Xloggc:gc_in_memory_write.log", "-verbose:gc", "-XX:+PrintGCDetails",
        "-XX:+PrintGCTimeStamps" })
public void inMemory() {
    ASN1InputStream in = null;
    try {
        in = new ASN1InputStream(new BufferedInputStream(new FileInputStream(crlFile)));
        DERObject parsed = in.readObject();
        X509CRLHolder existing = new X509CRLHolder(parsed.getDEREncoded());

        X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
        builder.addCRL(existing);
        builder.addCRLEntry(new BigInteger("25000000000"), new Date(), CRLReason.unspecified);

        X509CRLHolder signedHolder = builder.build(signer);
        X509CRL signed = new JcaX509CRLConverter().setProvider(bc).getCRL(signedHolder);
        File target = File.createTempFile("new_crl", ".der");
        FileUtils.writeByteArrayToFile(target, signed.getEncoded());
        System.out.println("\nWrote new crl to " + target.getAbsolutePath());
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        if (in != null) {
            try {
                in.close();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
}
From source file:org.candlepin.util.X509CRLStreamWriter.java
License:Open Source License
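/**
 * Writes a fresh CRL derived from the input CRL in {@code crlIn}: the issuer, the length of
 * the validity window and the cRLNumber/authorityKeyIdentifier extensions of the old CRL are
 * reused (cRLNumber incremented), the pending {@code newEntries} are added, and the result is
 * signed with {@code key} using the old CRL's signature algorithm.
 *
 * @param out destination for the DER-encoded new CRL
 * @throws IOException if the input cannot be parsed, an extension value cannot be decoded,
 *                     or signing fails
 */
protected void writeToEmptyCrl(OutputStream out) throws IOException {
    ASN1InputStream asn1in = null;
    try {
        asn1in = new ASN1InputStream(crlIn);
        DERSequence certListSeq = (DERSequence) asn1in.readObject();
        CertificateList certList = new CertificateList(certListSeq);
        X509CRLHolder oldCrl = new X509CRLHolder(certList);

        // one instant for thisUpdate and as the base of nextUpdate
        Date now = new Date();
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(oldCrl.getIssuer(), now);
        crlBuilder.addCRL(oldCrl);

        // nextUpdate is OPTIONAL in a CRL (RFC 5280 5.1.2.5): carry the old validity window
        // forward only when the old CRL declared one, instead of dereferencing a missing field
        Time oldNextUpdate = certList.getNextUpdate();
        if (oldNextUpdate != null) {
            Date oldThisUpdate = certList.getThisUpdate().getDate();
            long validityWindow = oldNextUpdate.getDate().getTime() - oldThisUpdate.getTime();
            crlBuilder.setNextUpdate(new Date(now.getTime() + validityWindow));
        }

        for (Object o : oldCrl.getExtensionOIDs()) {
            ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) o;
            X509Extension ext = oldCrl.getExtension(oid);
            if (oid.equals(X509Extension.cRLNumber)) {
                // bump the CRL number so relying parties treat this as the newer list
                DEROctetString octet = (DEROctetString) ext.getValue().getDERObject();
                DERInteger currentNumber = (DERInteger) DERTaggedObject.fromByteArray(octet.getOctets());
                DERInteger nextNumber = new DERInteger(currentNumber.getValue().add(BigInteger.ONE));
                crlBuilder.addExtension(oid, ext.isCritical(), nextNumber);
            } else if (oid.equals(X509Extension.authorityKeyIdentifier)) {
                crlBuilder.addExtension(oid, ext.isCritical(),
                        new AuthorityKeyIdentifierStructure(ext.getValue().getDEREncoded()));
            }
            // any other extension of the old CRL is dropped
        }

        for (DERSequence entry : newEntries) {
            // XXX: This is all a bit messy considering the user already passed in the serial, date
            // and reason.
            BigInteger serial = ((DERInteger) entry.getObjectAt(0)).getValue();
            Date revokeDate = ((Time) entry.getObjectAt(1)).getDate();
            int reason = CRLReason.unspecified;
            if (entry.size() == 3) {
                // the optional third element holds the entry extensions; only reasonCode is read
                X509Extensions extensions = (X509Extensions) entry.getObjectAt(2);
                X509Extension reasonExt = extensions.getExtension(X509Extension.reasonCode);
                if (reasonExt != null) {
                    reason = ((DEREnumerated) reasonExt.getParsedValue()).getValue().intValue();
                }
            }
            crlBuilder.addCRLEntry(serial, revokeDate, reason);
        }

        // sign with the same algorithm the old CRL used
        RSAKeyParameters keyParams = new RSAKeyParameters(true, key.getModulus(), key.getPrivateExponent());
        signingAlg = oldCrl.toASN1Structure().getSignatureAlgorithm();
        digestAlg = new DefaultDigestAlgorithmIdentifierFinder().find(signingAlg);
        ContentSigner s;
        try {
            s = new BcRSAContentSignerBuilder(signingAlg, digestAlg).build(keyParams);
            X509CRLHolder newCrl = crlBuilder.build(s);
            out.write(newCrl.getEncoded());
        } catch (OperatorCreationException e) {
            throw new IOException("Could not sign CRL", e);
        }
    } finally {
        IOUtils.closeQuietly(asn1in);
    }
}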
From source file:org.cryptable.pki.communication.PKICMPMessages.java
License:Open Source License
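/**
 * Extracts the CRL from a CMP revocation response ({@code RevRepContent}).
 *
 * @param pkiBody the PKI message body carrying the revocation response
 * @return the first CRL in the response, converted to a JCA {@link X509CRL}
 * @throws CRLException if the response carries no CRL or it cannot be converted
 */
X509CRL processRevocation(PKIBody pkiBody) throws CRLException {
    JcaX509CRLConverter jcaX509CRLConverter = new JcaX509CRLConverter();
    RevRepContent revRepContent = RevRepContent.getInstance(pkiBody.getContent());
    // crls is OPTIONAL in RevRepContent (RFC 4210 5.3.10); a response without one must not
    // turn into a NullPointerException / ArrayIndexOutOfBoundsException on the [0] access
    if (revRepContent.getCrls() == null || revRepContent.getCrls().length == 0) {
        throw new CRLException("Revocation response does not contain a CRL");
    }
    return jcaX509CRLConverter.getCRL(new X509CRLHolder(revRepContent.getCrls()[0]));
}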
From source file:org.jruby.ext.openssl.SecurityHelper.java
License:Open Source License
/**
 * Verifies the signature on {@code crl} with {@code publicKey}.
 * <p>
 * Bouncy Castle's own {@code X509CRLObject} is checked with a JCA {@code Signature} after
 * confirming that the outer and TBS signature algorithm identifiers agree; any other
 * implementation is re-parsed into an {@link X509CRLHolder} and verified with a lightweight
 * DSA or RSA content verifier.
 *
 * @param crl       the CRL to verify
 * @param publicKey the issuer public key; on the non-BC path only DSA and RSA keys are handled,
 *                  anything else surfaces as a {@link SignatureException}
 * @param silent    on the BC path, report a mismatch as {@code false} instead of throwing
 * @return {@code true} if the signature verifies
 * @throws NoSuchAlgorithmException if the CRL's signature algorithm is not available
 * @throws CRLException             if the algorithm identifiers disagree (BC path, not silent)
 *                                  or the CRL cannot be encoded
 * @throws InvalidKeyException      if {@code publicKey} cannot initialise the signature
 * @throws SignatureException       if the signature does not verify (not silent) or the
 *                                  lightweight verification fails
 */
static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolean silent)
        throws NoSuchAlgorithmException, CRLException, InvalidKeyException, SignatureException {
    if (!(crl instanceof X509CRLObject)) {
        return verifyWithLightweightProvider(crl, publicKey);
    }
    final CertificateList certList = (CertificateList) getCertificateList(crl);
    final AlgorithmIdentifier tbsAlgorithm = certList.getTBSCertList().getSignature();
    if (!certList.getSignatureAlgorithm().equals(tbsAlgorithm)) {
        if (silent) return false;
        throw new CRLException("Signature algorithm on CertificateList does not match TBSCertList.");
    }
    final Signature verifier = getSignature(crl.getSigAlgName(), securityProvider);
    verifier.initVerify(publicKey);
    verifier.update(crl.getTBSCertList());
    if (verifier.verify(crl.getSignature())) {
        return true;
    }
    if (silent) return false;
    throw new SignatureException("CRL does not verify with supplied public key.");
}

/**
 * Verifies a non-BC {@code X509CRL} by re-encoding it into an {@link X509CRLHolder} and
 * checking it against a BC lightweight DSA or RSA verifier built from {@code publicKey}.
 */
private static boolean verifyWithLightweightProvider(final X509CRL crl, final PublicKey publicKey)
        throws CRLException, SignatureException {
    try {
        final DigestAlgorithmIdentifierFinder digestAlgFinder = new DefaultDigestAlgorithmIdentifierFinder();
        final ContentVerifierProvider verifierProvider;
        if ("DSA".equalsIgnoreCase(publicKey.getAlgorithm())) {
            final DSAPublicKey dsaPublicKey = (DSAPublicKey) publicKey;
            final DSAParams params = dsaPublicKey.getParams();
            final DSAParameters parameters = new DSAParameters(params.getP(), params.getQ(), params.getG());
            final AsymmetricKeyParameter dsaKey = new DSAPublicKeyParameters(dsaPublicKey.getY(), parameters);
            verifierProvider = new BcDSAContentVerifierProviderBuilder(digestAlgFinder).build(dsaKey);
        } else {
            // anything that is not DSA is treated as RSA; other key types fail the cast below
            final RSAPublicKey rsaPublicKey = (RSAPublicKey) publicKey;
            final AsymmetricKeyParameter rsaKey =
                    new RSAKeyParameters(false, rsaPublicKey.getModulus(), rsaPublicKey.getPublicExponent());
            verifierProvider = new BcRSAContentVerifierProviderBuilder(digestAlgFinder).build(rsaKey);
        }
        return new X509CRLHolder(crl.getEncoded()).isSignatureValid(verifierProvider);
    } catch (OperatorException e) {
        throw new SignatureException(e);
    } catch (CertException e) {
        throw new SignatureException(e);
    } catch (ClassCastException e) {
        // can happen if the input is DER but does not match the expected structure, or the key type is unsupported
        throw new SignatureException(e);
    } catch (IOException e) {
        throw new SignatureException(e);
    }
}