List of usage examples for org.bouncycastle.cert X509v2CRLBuilder addCRL
public X509v2CRLBuilder addCRL(X509CRLHolder other)
From source file:com.gitblit.utils.X509Utils.java
License:Apache License
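/**
 * Revoke a certificate by adding it to the CA revocation list and re-signing the list.
 *
 * The current list (if present) is loaded and carried forward into a fresh builder,
 * the new entry is appended, and the signed result is written to a sibling temp file
 * that then replaces the old list, so a crash mid-write never leaves a truncated CRL.
 *
 * @param cert the certificate to revoke
 * @param reason the revocation reason; its ordinal is used as the CRL reason code
 * @param caRevocationList the CRL file to update (created when it does not exist yet)
 * @param caPrivateKey the CA key that signs the CRL
 * @param x509log audit log that records the revocation
 * @return true if the certificate has been revoked and the list rewritten, false on any failure
 */
public static boolean revoke(X509Certificate cert, RevocationReason reason, File caRevocationList,
        PrivateKey caPrivateKey, X509Log x509log) {
    try {
        X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(cert).getName());
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, new Date());
        if (caRevocationList.exists()) {
            // carry every entry of the current list forward
            byte[] data = FileUtils.readContent(caRevocationList);
            crlBuilder.addCRL(new X509CRLHolder(data));
        }
        // NOTE(review): reason.ordinal() is assumed to match the RFC 5280 CRLReason
        // numbering — confirm against the RevocationReason declaration
        crlBuilder.addCRLEntry(cert.getSerialNumber(), new Date(), reason.ordinal());

        // build and sign CRL with CA private key; SHA-1 signatures are refused by
        // current validators, so sign with SHA-256
        ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA").setProvider(BC).build(caPrivateKey);
        X509CRLHolder crl = crlBuilder.build(signer);

        // write to a temp file in the same directory, then replace the list in one move;
        // the old list is only gone once the new one is fully written
        File tmpFile = new File(caRevocationList.getParentFile(),
                Long.toHexString(System.currentTimeMillis()) + ".tmp");
        try {
            try (FileOutputStream fos = new FileOutputStream(tmpFile)) {
                fos.write(crl.getEncoded());
                fos.flush();
            }
            // Files.move reports failure instead of returning false like File.renameTo
            java.nio.file.Files.move(tmpFile.toPath(), caRevocationList.toPath(),
                    java.nio.file.StandardCopyOption.REPLACE_EXISTING);
        } finally {
            if (tmpFile.exists()) {
                tmpFile.delete();
            }
        }
        x509log.log(MessageFormat.format("Revoked certificate {0,number,0} reason: {1} [{2}]",
                cert.getSerialNumber(), reason.toString(), cert.getSubjectDN().getName()));
        return true;
    } catch (IOException | OperatorCreationException | CertificateEncodingException e) {
        // keep the cause: without it the log says only that revocation failed, not why
        logger.error(MessageFormat.format("Failed to revoke certificate {0,number,0} [{1}] in {2}",
                cert.getSerialNumber(), cert.getSubjectDN().getName(), caRevocationList), e);
    }
    return false;
}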
From source file:mitm.common.security.crl.X509CRLBuilderImpl.java
License:Open Source License
/**
 * Build and sign a CRL for {@code issuer} from the builder's accumulated state.
 *
 * Uses {@code thisUpdate} as the issue time, carries over every CRL in {@code crls},
 * adds each revocation in {@code entries}, and sets {@code nextUpdate} when one was given.
 *
 * @param issuer the CA certificate (becomes the CRL issuer) and the private key that signs
 * @return the signed list, converted with {@code getX509CRL}
 * @throws CRLException when a required value is missing, when encoding fails, or when
 *     the content signer cannot be created
 */
@Override
public X509CRL generateCRL(KeyAndCertificate issuer) throws CRLException {
    Check.notNull(issuer, "issuer");
    Check.notNull(issuer.getCertificate(), "issuer#certificate");
    Check.notNull(thisUpdate, "thisUpdate");
    try {
        X500Name issuerName = X500PrincipalUtils.toX500Name(
                issuer.getCertificate().getSubjectX500Principal());
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerName, thisUpdate);
        // an empty collection contributes nothing, so only null needs to be excluded
        if (crls != null) {
            for (X509CRL existing : crls) {
                crlBuilder.addCRL(new X509CRLHolder(existing.getEncoded()));
            }
        }
        if (entries != null) {
            for (Entry revocation : entries) {
                crlBuilder.addCRLEntry(revocation.serialNumber, revocation.revocationDate, revocation.reason);
            }
        }
        if (nextUpdate != null) {
            crlBuilder.setNextUpdate(nextUpdate);
        }
        X509CRLHolder signed = crlBuilder.build(getContentSigner(issuer.getPrivateKey()));
        return getX509CRL(signed);
    } catch (IllegalStateException e) {
        throw new CRLException(e);
    } catch (IOException e) {
        throw new CRLException(e);
    } catch (OperatorCreationException e) {
        throw new CRLException(e);
    }
}
From source file:org.apache.hadoop.security.ssl.KeyStoreTestUtil.java
License:Apache License
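/**
 * Generate a CRL signed by the given CA, optionally carrying an existing CRL forward
 * and revoking one more serial number.
 *
 * thisUpdate is the start of today and nextUpdate one week later, both in the system zone.
 * When an existing CRL is supplied its CRL number is read and incremented, because
 * RFC 5280 requires the number to increase on every issue; a relying party that cached
 * the previous list may otherwise keep using it.
 *
 * @param caCert CA certificate whose subject becomes the CRL issuer and whose public key
 *     feeds the authority key identifier extension
 * @param caPrivateKey key that signs the CRL
 * @param signAlgorith JCA signature algorithm name passed to the BC content signer
 * @param existingCRL CRL whose entries and CRL number are carried forward; may be null
 * @param serialNumberToRevoke serial to add with reason privilegeWithdrawn; may be null
 * @return the signed CRL from the BC provider
 * @throws GeneralSecurityException if the existing CRL cannot be re-encoded, an extension
 *     cannot be added, or the signer cannot be created
 */
public static X509CRL generateCRL(X509Certificate caCert, PrivateKey caPrivateKey, String signAlgorith,
        X509CRL existingCRL, BigInteger serialNumberToRevoke) throws GeneralSecurityException {
    LocalDate currentTime = LocalDate.now();
    Date nowDate = Date.from(currentTime.atStartOfDay(ZoneId.systemDefault()).toInstant());
    LocalDate nextUpdate = currentTime.plus(1, ChronoUnit.WEEKS);
    Date nextUpdateDate = Date.from(nextUpdate.atStartOfDay(ZoneId.systemDefault()).toInstant());
    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(
            new X500Name(caCert.getSubjectX500Principal().getName()), nowDate);
    crlBuilder.setNextUpdate(nextUpdateDate);

    // first issue gets number 1; a carried-forward CRL gets its number plus one
    BigInteger crlNumber = BigInteger.ONE;
    if (existingCRL != null) {
        X509CRLHolder existingHolder = new JcaX509CRLHolder(existingCRL);
        crlBuilder.addCRL(existingHolder);
        Extension numberExt = existingHolder.getExtension(Extension.cRLNumber);
        if (numberExt != null) {
            crlNumber = CRLNumber.getInstance(numberExt.getParsedValue()).getCRLNumber().add(BigInteger.ONE);
        }
    }
    if (serialNumberToRevoke != null) {
        crlBuilder.addCRLEntry(serialNumberToRevoke, nowDate, CRLReason.privilegeWithdrawn);
    }
    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    try {
        crlBuilder.addExtension(Extension.authorityKeyIdentifier, false,
                extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
        crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(crlNumber));
        X509CRLHolder crlHolder = crlBuilder
                .build(new JcaContentSignerBuilder(signAlgorith).setProvider("BC").build(caPrivateKey));
        return new JcaX509CRLConverter().setProvider("BC").getCRL(crlHolder);
    } catch (CertIOException | OperatorCreationException ex) {
        throw new GeneralSecurityException(ex);
    }
}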
From source file:org.candlepin.CRLWriteBenchmark.java
License:Open Source License
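/**
 * Benchmark body: read the CRL in {@code crlFile}, rebuild it in memory with one extra
 * entry, sign it with {@code signer}, and write the result to a temp file.
 *
 * Any failure is rethrown rather than printed, so a broken setup aborts the run
 * instead of yielding timings for a body that did nothing.
 */
@Benchmark
@Fork(value = 1, jvmArgsAppend = { "-Xloggc:gc_in_memory_write.log", "-verbose:gc", "-XX:+PrintGCDetails",
    "-XX:+PrintGCTimeStamps" })
public void inMemory() {
    ASN1InputStream stream = null;
    try {
        stream = new ASN1InputStream(new BufferedInputStream(new FileInputStream(crlFile)));
        DERObject o = stream.readObject();
        X509CRLHolder oldCrl = new X509CRLHolder(o.getDEREncoded());
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
        crlBuilder.addCRL(oldCrl);
        crlBuilder.addCRLEntry(new BigInteger("25000000000"), new Date(), CRLReason.unspecified);
        X509CRLHolder holder = crlBuilder.build(signer);
        X509CRL crl = new JcaX509CRLConverter().setProvider(bc).getCRL(holder);
        File newCrlFile = File.createTempFile("new_crl", ".der");
        // every invocation leaves one temp file behind; reclaim them when the JVM exits
        newCrlFile.deleteOnExit();
        FileUtils.writeByteArrayToFile(newCrlFile, crl.getEncoded());
        System.out.println("\nWrote new crl to " + newCrlFile.getAbsolutePath());
    } catch (Exception e) {
        // surface the failure to the harness with its cause intact
        throw new IllegalStateException("CRL rewrite failed", e);
    } finally {
        if (stream != null) {
            try {
                stream.close();
            } catch (IOException e) {
                // a close failure must not mask an exception from the body above
                e.printStackTrace();
            }
        }
    }
}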
From source file:org.candlepin.util.X509CRLStreamWriter.java
License:Open Source License
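/**
 * Rewrite the CRL read from {@code crlIn} to {@code out}: the old list is parsed and
 * carried forward, its CRL number is incremented, the authority key identifier is kept,
 * every queued entry in {@code newEntries} is added, and the result is signed with
 * {@code key} using the old list's signature algorithm.
 *
 * nextUpdate is optional in a CRL (RFC 5280), so the validity window is only copied
 * forward when the old list carried one; previously a missing nextUpdate caused an NPE.
 *
 * @param out destination for the DER-encoded, signed CRL
 * @throws IOException if the input cannot be parsed or the CRL cannot be signed or written
 */
protected void writeToEmptyCrl(OutputStream out) throws IOException {
    ASN1InputStream asn1in = null;
    try {
        asn1in = new ASN1InputStream(crlIn);
        DERSequence certListSeq = (DERSequence) asn1in.readObject();
        CertificateList certList = new CertificateList(certListSeq);
        X509CRLHolder oldCrl = new X509CRLHolder(certList);

        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(oldCrl.getIssuer(), new Date());
        crlBuilder.addCRL(oldCrl);

        Date now = new Date();
        // keep the old list's validity window, shifted to start now; skip when the old
        // list had no nextUpdate at all
        Time oldNextUpdate = certList.getNextUpdate();
        if (oldNextUpdate != null) {
            Date oldThisUpdate = certList.getThisUpdate().getDate();
            long validity = oldNextUpdate.getDate().getTime() - oldThisUpdate.getTime();
            crlBuilder.setNextUpdate(new Date(now.getTime() + validity));
        }

        for (Object o : oldCrl.getExtensionOIDs()) {
            ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) o;
            X509Extension ext = oldCrl.getExtension(oid);

            if (oid.equals(X509Extension.cRLNumber)) {
                // CRL number must increase on each issue
                DEROctetString octet = (DEROctetString) ext.getValue().getDERObject();
                DERInteger currentNumber = (DERInteger) DERTaggedObject.fromByteArray(octet.getOctets());
                DERInteger nextNumber = new DERInteger(currentNumber.getValue().add(BigInteger.ONE));
                crlBuilder.addExtension(oid, ext.isCritical(), nextNumber);
            } else if (oid.equals(X509Extension.authorityKeyIdentifier)) {
                crlBuilder.addExtension(oid, ext.isCritical(),
                        new AuthorityKeyIdentifierStructure(ext.getValue().getDEREncoded()));
            }
        }

        for (DERSequence entry : newEntries) {
            // XXX: This is all a bit messy considering the user already passed in the serial, date
            // and reason.
            BigInteger serial = ((DERInteger) entry.getObjectAt(0)).getValue();
            Date revokeDate = ((Time) entry.getObjectAt(1)).getDate();
            int reason = CRLReason.unspecified;
            if (entry.size() == 3) {
                X509Extensions extensions = (X509Extensions) entry.getObjectAt(2);
                X509Extension reasonExt = extensions.getExtension(X509Extension.reasonCode);
                if (reasonExt != null) {
                    reason = ((DEREnumerated) reasonExt.getParsedValue()).getValue().intValue();
                }
            }
            crlBuilder.addCRLEntry(serial, revokeDate, reason);
        }

        RSAKeyParameters keyParams = new RSAKeyParameters(true, key.getModulus(), key.getPrivateExponent());
        // sign with the same algorithm the old list used
        signingAlg = oldCrl.toASN1Structure().getSignatureAlgorithm();
        digestAlg = new DefaultDigestAlgorithmIdentifierFinder().find(signingAlg);

        ContentSigner s;
        try {
            s = new BcRSAContentSignerBuilder(signingAlg, digestAlg).build(keyParams);
            X509CRLHolder newCrl = crlBuilder.build(s);
            out.write(newCrl.getEncoded());
        } catch (OperatorCreationException e) {
            throw new IOException("Could not sign CRL", e);
        }
    } finally {
        IOUtils.closeQuietly(asn1in);
    }
}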
From source file:org.picketlink.pki.internal.DefaultCertificateAuthority.java
License:Open Source License
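/**
 * Revoke a certificate: the stored CRL is carried forward into a new list with one more
 * entry (reason privilegeWithdrawn), re-signed with the partition key, and saved back
 * through the identity manager. nextUpdate is set 30 days after the new thisUpdate.
 *
 * @param certificate the certificate whose serial number is added to the list
 * @throws RuntimeException wrapping any failure while building, signing or storing the list
 */
@Override
public void revoke(CertificateType certificate) {
    try {
        X509CRLHolder crlHolder = getCRLHolder();
        Date date = new Date();
        X509v2CRLBuilder builder = new X509v2CRLBuilder(crlHolder.getIssuer(), date);

        // 30 days in milliseconds; the long literal matters, as int arithmetic overflows
        // here (2,592,000,000 > Integer.MAX_VALUE) and put nextUpdate in the past
        long thirtyDaysMillis = 30L * 24 * 60 * 60 * 1000;
        Date nextUpdate = new Date(date.getTime() + thirtyDaysMillis);

        // add the existing one into it
        builder.addCRL(crlHolder);
        // Add the serial to be revoked
        builder.addCRLEntry(certificate.getObject().getSerialNumber(), date, CRLReason.privilegeWithdrawn);
        builder.setNextUpdate(nextUpdate);

        ContentSigner contentSigner = createSigner(getPartitionKeyPair().getPrivate(), getConfiguration());
        X509CRLHolder updatedCRL = builder.build(contentSigner);

        CertificateRevocationListType certificateRevocationList = getCertificateRevocationList();
        certificateRevocationList.setEncoded(Base64.encodeBytes(updatedCRL.getEncoded()));
        getIdentityManager().update(certificateRevocationList);
    } catch (Exception e) {
        throw new RuntimeException("Could not update revocation list.", e);
    }
}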