Example usage for org.bouncycastle.cert X509v2CRLBuilder addExtension

List of usage examples for org.bouncycastle.cert X509v2CRLBuilder addExtension

Introduction

In this page you can find the example usage for org.bouncycastle.cert X509v2CRLBuilder addExtension.

Prototype

public X509v2CRLBuilder addExtension(ASN1ObjectIdentifier oid, boolean isCritical, byte[] encodedValue)
        throws CertIOException 

Source Link

Document

Add a given extension field for the standard extensions tag (tag 3) using a byte encoding of the extension value.

Usage

From source file:be.fedict.trust.test.PKITestUtils.java

License:Open Source License

public static X509CRL generateCrl(PrivateKey issuerPrivateKey, X509Certificate issuerCertificate,
        DateTime thisUpdate, DateTime nextUpdate, List<String> deltaCrlUris, boolean deltaCrl,
        List<RevokedCertificate> revokedCertificates, String signatureAlgorithm,
        long numberOfRevokedCertificates)
        throws InvalidKeyException, CRLException, IllegalStateException, NoSuchAlgorithmException,
        SignatureException, CertificateException, IOException, OperatorCreationException {

    X500Name issuerName = new X500Name(issuerCertificate.getSubjectX500Principal().toString());
    X509v2CRLBuilder x509v2crlBuilder = new X509v2CRLBuilder(issuerName, thisUpdate.toDate());
    x509v2crlBuilder.setNextUpdate(nextUpdate.toDate());

    for (RevokedCertificate revokedCertificate : revokedCertificates) {
        x509v2crlBuilder.addCRLEntry(revokedCertificate.serialNumber,
                revokedCertificate.revocationDate.toDate(), CRLReason.privilegeWithdrawn);
    }/*from  w w  w . j  av a  2 s  . c om*/
    if (-1 != numberOfRevokedCertificates) {
        SecureRandom secureRandom = new SecureRandom();
        while (numberOfRevokedCertificates-- > 0) {
            BigInteger serialNumber = new BigInteger(128, secureRandom);
            Date revocationDate = new Date();
            x509v2crlBuilder.addCRLEntry(serialNumber, revocationDate, CRLReason.privilegeWithdrawn);
        }
    }

    JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
    x509v2crlBuilder.addExtension(Extension.authorityKeyIdentifier, false,
            extensionUtils.createAuthorityKeyIdentifier(issuerCertificate));
    x509v2crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.ONE));

    if (null != deltaCrlUris && !deltaCrlUris.isEmpty()) {
        DistributionPoint[] deltaCrlDps = new DistributionPoint[deltaCrlUris.size()];
        for (int i = 0; i < deltaCrlUris.size(); i++) {
            deltaCrlDps[i] = getDistributionPoint(deltaCrlUris.get(i));
        }
        CRLDistPoint crlDistPoint = new CRLDistPoint((DistributionPoint[]) deltaCrlDps);
        x509v2crlBuilder.addExtension(Extension.freshestCRL, false, crlDistPoint);
    }

    if (deltaCrl) {
        x509v2crlBuilder.addExtension(Extension.deltaCRLIndicator, true, new CRLNumber(BigInteger.ONE));
    }

    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithm);
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    AsymmetricKeyParameter asymmetricKeyParameter = PrivateKeyFactory.createKey(issuerPrivateKey.getEncoded());

    ContentSigner contentSigner = new BcRSAContentSignerBuilder(sigAlgId, digAlgId)
            .build(asymmetricKeyParameter);

    X509CRLHolder x509crlHolder = x509v2crlBuilder.build(contentSigner);
    byte[] crlValue = x509crlHolder.getEncoded();
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
    X509CRL crl = (X509CRL) certificateFactory.generateCRL(new ByteArrayInputStream(crlValue));
    return crl;
}

From source file:eu.europa.esig.dss.test.gen.CRLGenerator.java

License:Open Source License

public X509CRL generateCRL(X509Certificate certToRevoke, MockPrivateKeyEntry issuerEntry, Date dateOfRevoke,
        int reason) throws Exception {

    Date now = new Date();
    X500Name x500nameIssuer = new JcaX509CertificateHolder(issuerEntry.getCertificate().getCertificate())
            .getSubject();/*  w ww  .  j a va  2  s . c  o m*/
    X509v2CRLBuilder crlGen = new X509v2CRLBuilder(x500nameIssuer, now);

    crlGen.setNextUpdate(new Date(now.getTime() + (60 * 60 * 1000)));

    crlGen.addCRLEntry(certToRevoke.getSerialNumber(), dateOfRevoke, reason);

    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();

    crlGen.addExtension(Extension.authorityKeyIdentifier, false,
            extUtils.createAuthorityKeyIdentifier(issuerEntry.getCertificate().getPublicKey()));

    X509CRLHolder crlHolder = crlGen
            .build(new JcaContentSignerBuilder(issuerEntry.getCertificate().getCertificate().getSigAlgName())
                    .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(issuerEntry.getPrivateKey()));

    JcaX509CRLConverter converter = new JcaX509CRLConverter();
    return converter.getCRL(crlHolder);
}

From source file:net.ripe.rpki.commons.crypto.crl.X509CrlBuilder.java

License:BSD License

private X509v2CRLBuilder createCrlGenerator() throws CertIOException {
    X509v2CRLBuilder generator = new X509v2CRLBuilder(X500Name.getInstance(issuerDN.getEncoded()),
            thisUpdateTime.toDate());/*from  w  w  w . j a v  a 2s . c o m*/
    generator.setNextUpdate(nextUpdateTime.toDate());
    generator.addExtension(X509Extension.authorityKeyIdentifier, false, authorityKeyIdentifier);
    generator.addExtension(X509Extension.cRLNumber, false, crlNumber);
    for (X509Crl.Entry entry : entries.values()) {
        generator.addCRLEntry(entry.getSerialNumber(), entry.getRevocationDateTime().toDate(), 0);
    }
    return generator;
}

From source file:org.apache.hadoop.security.ssl.KeyStoreTestUtil.java

License:Apache License

public static X509CRL generateCRL(X509Certificate caCert, PrivateKey caPrivateKey, String signAlgorith,
        X509CRL existingCRL, BigInteger serialNumberToRevoke) throws GeneralSecurityException {
    LocalDate currentTime = LocalDate.now();
    Date nowDate = Date.from(currentTime.atStartOfDay(ZoneId.systemDefault()).toInstant());
    LocalDate nextUpdate = currentTime.plus(1, ChronoUnit.WEEKS);
    Date nextUpdateDate = Date.from(nextUpdate.atStartOfDay(ZoneId.systemDefault()).toInstant());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(new X500Name(caCert.getSubjectX500Principal().getName()),
            nowDate);//w  ww  . jav a  2s.  c  om
    crlBuilder.setNextUpdate(nextUpdateDate);
    if (existingCRL != null) {
        crlBuilder.addCRL(new JcaX509CRLHolder(existingCRL));
    }
    if (serialNumberToRevoke != null) {
        crlBuilder.addCRLEntry(serialNumberToRevoke, nowDate, CRLReason.privilegeWithdrawn);
    }
    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    try {
        crlBuilder.addExtension(Extension.authorityKeyIdentifier, false,
                extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
        crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.ONE));
        X509CRLHolder crlHolder = crlBuilder
                .build(new JcaContentSignerBuilder(signAlgorith).setProvider("BC").build(caPrivateKey));
        return new JcaX509CRLConverter().setProvider("BC").getCRL(crlHolder);
    } catch (CertIOException | OperatorCreationException ex) {
        throw new GeneralSecurityException(ex);
    }
}

From source file:org.apache.poi.poifs.crypt.PkiTestUtils.java

License:Apache License

public static X509CRL generateCrl(X509Certificate issuer, PrivateKey issuerPrivateKey)
        throws CertificateEncodingException, IOException, CRLException, OperatorCreationException {

    X509CertificateHolder holder = new X509CertificateHolder(issuer.getEncoded());
    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(holder.getIssuer(), new Date());
    crlBuilder.setNextUpdate(new Date(new Date().getTime() + 100000));
    JcaContentSignerBuilder contentBuilder = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC");

    CRLNumber crlNumber = new CRLNumber(new BigInteger("1234"));

    crlBuilder.addExtension(Extension.cRLNumber, false, crlNumber);
    X509CRLHolder x509Crl = crlBuilder.build(contentBuilder.build(issuerPrivateKey));
    return new JcaX509CRLConverter().setProvider("BC").getCRL(x509Crl);
}

From source file:org.apache.zookeeper.server.quorum.QuorumSSLTest.java

License:Apache License

private void buildCRL(X509Certificate x509Certificate, String crlPath) throws Exception {
    X509v2CRLBuilder builder = new JcaX509v2CRLBuilder(x509Certificate.getIssuerX500Principal(), certStartTime);
    builder.addCRLEntry(x509Certificate.getSerialNumber(), certStartTime, CRLReason.cACompromise);
    builder.setNextUpdate(certEndTime);/*w w w .  j  a  v  a2  s .  co m*/
    builder.addExtension(Extension.authorityKeyIdentifier, false,
            new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(rootCertificate));
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("1000")));

    X509CRLHolder cRLHolder = builder.build(contentSigner);

    PemWriter pemWriter = new PemWriter(new FileWriter(crlPath));
    pemWriter.writeObject(new MiscPEMGenerator(cRLHolder));
    pemWriter.flush();
    pemWriter.close();
}

From source file:org.candlepin.CRLBenchmark.java

License:Open Source License

@Setup(Level.Trial)
public void buildMassiveCRL() throws Exception {
    X500Name issuer = new X500Name("CN=Test Issuer");

    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");

    generator.initialize(2048);//from  www .jav a2s  .c om
    KeyPair keyPair = generator.generateKeyPair();

    Provider bc = new BouncyCastleProvider();
    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(bc)
            .build(keyPair.getPrivate());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());

    crlBuilder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(keyPair.getPublic()));
    /* With a CRL number of 127, incrementing it should cause the number of bytes in the length
     * portion of the TLV to increase by one.*/
    crlBuilder.addExtension(X509Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));

    for (int i = 0; i < 2000000; i++) {
        crlBuilder.addCRLEntry(new BigInteger(String.valueOf(i)), new Date(), CRLReason.unspecified);
    }

    X509CRLHolder holder = crlBuilder.build(signer);
    X509CRL crl = new JcaX509CRLConverter().setProvider(bc).getCRL(holder);

    crlFile = File.createTempFile("crl", ".der");
    System.out.println("\nWrote test crl to " + crlFile.getAbsolutePath());
    FileUtils.writeByteArrayToFile(crlFile, crl.getEncoded());
}

From source file:org.candlepin.CRLWriteBenchmark.java

License:Open Source License

@Setup(Level.Trial)
public void buildMassiveCRL() throws Exception {
    issuer = new X500Name("CN=Test Issuer");

    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");

    generator.initialize(2048);//from   www  . j ava2  s .c  om
    KeyPair keyPair = generator.generateKeyPair();

    bc = new BouncyCastleProvider();
    signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(bc).build(keyPair.getPrivate());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
    crlBuilder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(keyPair.getPublic()));
    /* With a CRL number of 127, incrementing it should cause the number of bytes in the length
     * portion of the TLV to increase by one.*/
    crlBuilder.addExtension(X509Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));

    for (int i = 0; i < 2000000; i++) {
        crlBuilder.addCRLEntry(new BigInteger(String.valueOf(i)), new Date(), CRLReason.unspecified);
    }

    X509CRLHolder holder = crlBuilder.build(signer);
    X509CRL crl = new JcaX509CRLConverter().setProvider(bc).getCRL(holder);

    crlFile = File.createTempFile("crl", ".der");
    System.out.println("\nWrote test crl to " + crlFile.getAbsolutePath());
    FileUtils.writeByteArrayToFile(crlFile, crl.getEncoded());
}

From source file:org.candlepin.util.X509CRLEntryStreamTest.java

License:Open Source License

@Test
public void testIterateOverEmptyCrl() throws Exception {
    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());

    crlBuilder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(keyPair.getPublic()));
    crlBuilder.addExtension(X509Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));

    X509CRLHolder holder = crlBuilder.build(signer);

    File noUpdateTimeCrl = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(noUpdateTimeCrl, holder.getEncoded());

    X509CRLEntryStream stream = new X509CRLEntryStream(noUpdateTimeCrl);
    try {//from  w w  w  .  j a  v a 2s .  co  m
        Set<BigInteger> streamedSerials = new HashSet<BigInteger>();
        while (stream.hasNext()) {
            streamedSerials.add(stream.next().getSerialNumber());
        }

        assertEquals(0, streamedSerials.size());
    } finally {
        stream.close();
    }
}

From source file:org.candlepin.util.X509CRLEntryStreamTest.java

License:Open Source License

@Test
public void testCRLwithoutUpdateTime() throws Exception {
    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, new Date());
    crlBuilder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(keyPair.getPublic()));
    crlBuilder.addExtension(X509Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    crlBuilder.addCRLEntry(new BigInteger("100"), new Date(), CRLReason.unspecified);

    X509CRLHolder holder = crlBuilder.build(signer);

    File noUpdateTimeCrl = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(noUpdateTimeCrl, holder.getEncoded());

    X509CRLEntryStream stream = new X509CRLEntryStream(noUpdateTimeCrl);
    try {// w  ww  .j  a v a  2  s.  co  m
        Set<BigInteger> streamedSerials = new HashSet<BigInteger>();
        while (stream.hasNext()) {
            streamedSerials.add(stream.next().getSerialNumber());
        }

        assertEquals(1, streamedSerials.size());
        assertTrue(streamedSerials.contains(new BigInteger("100")));
    } finally {
        stream.close();
    }
}