Package java.security.cert

Examples of java.security.cert.X509CRLEntry

1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
            fail("failed to find CRL extension");
        }
       
        AuthorityKeyIdentifier authId = new AuthorityKeyIdentifierStructure(authExt);
       
        X509CRLEntry entry = crl.getRevokedCertificate(BigInteger.ONE);
       
        if (entry == null)
        {
            fail("failed to find CRL entry");
        }
       
        if (!entry.getSerialNumber().equals(BigInteger.ONE))
        {
            fail("CRL cert serial number does not match");
        }
       
        if (!entry.hasExtensions())
        {
            fail("CRL entry extension not found");
        }
   
        byte[]  ext = entry.getExtensionValue(X509Extensions.ReasonCode.getId());
   
        if (ext != null)
        {
            DEREnumerated   reasonCode = (DEREnumerated)X509ExtensionUtil.fromExtensionValue(ext);
                                                                      
            if (reasonCode.getValue().intValue() != CRLReason.privilegeWithdrawn)
            {
                fail("CRL entry reasonCode wrong");
            }
        }
        else
        {
            fail("CRL entry reasonCode not found");
        }
       
        //
        // check loading of existing CRL
        //
        crlGen = new X509V2CRLGenerator();
        now = new Date();
       
        crlGen.setIssuerDN(new X500Principal("CN=Test CA"));
       
        crlGen.setThisUpdate(now);
        crlGen.setNextUpdate(new Date(now.getTime() + 100000));
        crlGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
       
        crlGen.addCRL(crl);
       
        crlGen.addCRLEntry(BigInteger.valueOf(2), now, entryExtensions);
       
        crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.getPublic()));
       
        X509CRL    newCrl = crlGen.generate(pair.getPrivate(), "BC");
       
        int     count = 0;
        boolean oneFound = false;
        boolean twoFound = false;
       
        Iterator it = newCrl.getRevokedCertificates().iterator();
        while (it.hasNext())
        {
            X509CRLEntry crlEnt = (X509CRLEntry)it.next();

            if (crlEnt.getSerialNumber().intValue() == 1)
            {
                oneFound = true;
            }
            else if (crlEnt.getSerialNumber().intValue() == 2)
            {
                twoFound = true;
            }
           
            count++;
View Full Code Here
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
        X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
        Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates();
        if (revset != null) {
            Iterator<? extends X509CRLEntry> iter = revset.iterator();
            while (iter.hasNext()) {
                X509CRLEntry ce = iter.next();
                assertTrue(ce.getSerialNumber().compareTo(cert.getSerialNumber()) != 0);
            }
        } // If no revoked certificates exist at all, this test passed...

        certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, userDN);
        // Create a new CRL again...
        crlCreateSession.run(admin, ca);
        // Check that our newly signed certificate IS present in a new CRL
        crl = crlSession.getLastCRL(admin, ca.getSubjectDN(), false);
        assertNotNull("Could not get CRL", crl);
        x509crl = CertTools.getCRLfromByteArray(crl);
        revset = x509crl.getRevokedCertificates();
        assertNotNull(revset);
        Iterator<? extends X509CRLEntry> iter = revset.iterator();
        boolean found = false;
        while (iter.hasNext()) {
            X509CRLEntry ce = iter.next();
            if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
                found = true;
                // TODO: verify the reason code
            }
        }
        assertTrue("Certificate with serial " + cert.getSerialNumber().toString(16) + " not revoked", found);

        // Unrevoke the certificate that we just revoked
        certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.NOT_REVOKED, userDN);
        // Create a new CRL again...
        crlCreateSession.run(admin, ca);
        // Check that our newly signed certificate IS NOT present in the new
        // CRL.
        crl = crlSession.getLastCRL(admin, ca.getSubjectDN(), false);
        assertNotNull("Could not get CRL", crl);
        x509crl = CertTools.getCRLfromByteArray(crl);
        revset = x509crl.getRevokedCertificates();
        if (revset != null) {
            iter = revset.iterator();
            found = false;
            while (iter.hasNext()) {
                X509CRLEntry ce = iter.next();
                if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
                    found = true;
                }
            }
            assertFalse(found);
        } // If no revoked certificates exist at all, this test passed...

        certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE, userDN);
        assertTrue("Failed to revoke certificate!", certificateStoreSession.isRevoked(CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
        // Create a new CRL again...
        crlCreateSession.run(admin, ca);
        // Check that our newly signed certificate IS present in a new CRL
        crl = crlSession.getLastCRL(admin, ca.getSubjectDN(), false);
        assertNotNull("Could not get CRL", crl);
        x509crl = CertTools.getCRLfromByteArray(crl);
        revset = x509crl.getRevokedCertificates();
        iter = revset.iterator();
        found = false;
        while (iter.hasNext()) {
            X509CRLEntry ce = (X509CRLEntry) iter.next();
            if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
                found = true;
                // TODO: verify the reason code
            }
        }
        assertTrue(found);

        certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.NOT_REVOKED, userDN);
        assertTrue("Was able to re-activate permanently revoked certificate!", certificateStoreSession.isRevoked(CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
        // Create a new CRL again...
        crlCreateSession.run(admin, ca);
        // Check that our newly signed certificate is present in the new CRL,
        // because the revocation reason
        // was not CERTIFICATE_HOLD, we can only un-revoke certificates that are
        // on hold.
        crl = crlSession.getLastCRL(admin, ca.getSubjectDN(), false);
        assertNotNull("Could not get CRL", crl);
        x509crl = CertTools.getCRLfromByteArray(crl);
        revset = x509crl.getRevokedCertificates();
        iter = revset.iterator();
        found = false;
        while (iter.hasNext()) {
            X509CRLEntry ce = (X509CRLEntry) iter.next();
            if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
                found = true;
            }
        }
        assertTrue(found);
        log.trace("<test04RevokeAndUnrevoke()");
View Full Code Here
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
        X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
        Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates();
        if (revset != null) {
            Iterator<? extends X509CRLEntry> iter = revset.iterator();
            while (iter.hasNext()) {
                X509CRLEntry ce = iter.next();
                assertTrue(ce.getSerialNumber().compareTo(cert.getSerialNumber()) != 0);
            }
        } // If no revoked certificates exist at all, this test passed...

        certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, null);
        // Sleep 1 second so we don't issue the next CRL at the exact same time
        // as the revocation
        Thread.sleep(1000);
        // Create a new delta CRL again...
        crl = crlStoreSession.runDeltaCRL(admin, ca, -1, -1);
        // Check that our newly signed certificate IS present in a new Delta CRL
        // crl = storeremote.getLastCRL(admin, cadn, true);
        assertNotNull("Could not get CRL", crl);
        x509crl = CertTools.getCRLfromByteArray(crl);
        revset = x509crl.getRevokedCertificates();
        assertNotNull("revset can not be null", revset);
        Iterator<? extends X509CRLEntry> iter = revset.iterator();
        boolean found = false;
        while (iter.hasNext()) {
            X509CRLEntry ce = iter.next();
            if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
                found = true;
                // TODO: verify the reason code
            }
        }
        assertTrue(found);

        // Unrevoke the certificate that we just revoked
        certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.NOT_REVOKED, null);
        // Create a new Delta CRL again...
        crlStoreSession.runDeltaCRL(admin, ca, -1, -1);
        // Check that our newly signed certificate IS NOT present in the new
        // CRL.
        crl = createCrlSession.getLastCRL(admin, ca.getSubjectDN(), true);
        assertNotNull("Could not get CRL", crl);
        x509crl = CertTools.getCRLfromByteArray(crl);
        revset = x509crl.getRevokedCertificates();
        if (revset != null) {
            iter = revset.iterator();
            found = false;
            while (iter.hasNext()) {
                X509CRLEntry ce = (X509CRLEntry) iter.next();
                if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
                    found = true;
                }
            }
            assertFalse(found);
        } // If no revoked certificates exist at all, this test passed...

        // Check that when we revoke a certificate it will be present on the
        // delta CRL
        // When we create a new full CRL it will be present there, and not on
        // the next delta CRL
        certificateStoreSession.revokeCertificate(admin, cert, null, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE, null);
        // Sleep 1 second so we don't issue the next CRL at the exact same time
        // as the revocation
        Thread.sleep(1000);
        // Create a new delta CRL again...
        crl = crlStoreSession.runDeltaCRL(admin, ca, -1, -1);
        // Check that our newly signed certificate IS present in a new Delta CRL
        // crl = storeremote.getLastCRL(admin, cadn, true);
        assertNotNull("Could not get CRL", crl);
        x509crl = CertTools.getCRLfromByteArray(crl);
        revset = x509crl.getRevokedCertificates();
        assertNotNull(revset);
        iter = revset.iterator();
        found = false;
        // log.debug(x509crl.getThisUpdate());
        while (iter.hasNext()) {
            X509CRLEntry ce = (X509CRLEntry) iter.next();
            // log.debug(ce);
            if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
                found = true;
                // TODO: verify the reason code
            }
        }
        assertTrue(found);

        // Sleep 1 second so we don't issue the next CRL at the exact same time
        // as the revocation
        Thread.sleep(1000);
        // Create a new Full CRL
        crlStoreSession.run(admin, ca);
        // Check that our newly signed certificate IS present in a new Full CRL
        crl = createCrlSession.getLastCRL(admin, ca.getSubjectDN(), false);
        assertNotNull("Could not get CRL", crl);
        x509crl = CertTools.getCRLfromByteArray(crl);
        revset = x509crl.getRevokedCertificates();
        assertNotNull(revset);
        iter = revset.iterator();
        found = false;
        // log.debug(x509crl.getThisUpdate());
        // log.debug(x509crl.getThisUpdate().getTime());
        while (iter.hasNext()) {
            X509CRLEntry ce = (X509CRLEntry) iter.next();
            // log.debug(ce);
            if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
                found = true;
                // TODO: verify the reason code
            }
        }
        assertTrue(found);

        // Sleep 1 second so we don't issue the next CRL at the exact same time
        // as the revocation
        Thread.sleep(1000);
        // Create a new Delta CRL again...
        crlStoreSession.runDeltaCRL(admin, ca, -1, -1);
        // Check that our newly signed certificate IS NOT present in the new
        // Delta CRL.
        crl = createCrlSession.getLastCRL(admin, ca.getSubjectDN(), true);
        assertNotNull("Could not get CRL", crl);
        x509crl = CertTools.getCRLfromByteArray(crl);
        revset = x509crl.getRevokedCertificates();
        // log.debug(x509crl.getThisUpdate());
        if (revset != null) {
            iter = revset.iterator();
            found = false;
            while (iter.hasNext()) {
                X509CRLEntry ce = (X509CRLEntry) iter.next();
                // log.debug(ce);
                // log.debug(ce.getRevocationDate().getTime());
                if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
                    found = true;
                }
            }
            assertFalse(found);
        } // If no revoked certificates exist at all, this test passed...
View Full Code Here
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
            if (certIssuer.equals(getIssuerX500Principal())) {
                // certificate issuer is CRL issuer
                certIssuer = null;
            }
            for (int i=0; i<entriesSize; i++) {
                X509CRLEntry entry = (X509CRLEntry) entries.get(i);
                // check the serial number of revoked certificate
                if (serialN.equals(entry.getSerialNumber())) {
                    // revoked certificate issuer
                    X500Principal iss = entry.getCertificateIssuer();
                    // check the issuer of revoked certificate
                    if (certIssuer != null) {
                        // certificate issuer is not a CRL issuer, so
                        // check issuers for equality
                        if (certIssuer.equals(iss)) {
                            return entry;
                        }
                    } else if (iss == null) {
                        // both certificates was issued by CRL issuer
                        return entry;
                    }
                }
            }
        } else {
            // search in CA's (non indirect) crl: just look up the serial number
            for (int i=0; i<entriesSize; i++) {
                X509CRLEntry entry = (X509CRLEntry) entries.get(i);
                if (serialN.equals(entry.getSerialNumber())) {
                    return entry;
                }
            }
        }
        return null;
View Full Code Here
299
300
301
302
303
304
305
306
307
308
309
310
        }
        if (entries == null) {
            return null;
        }
        for (int i=0; i<nonIndirectEntriesSize; i++) {
            X509CRLEntry entry = (X509CRLEntry) entries.get(i);
            if (serialNumber.equals(entry.getSerialNumber())) {
                return entry;
            }
        }
        return null;
    }
View Full Code Here
172
173
174
175
176
177
178
179
180
181
182
                for(X509CRL crlInstance : crlList)
                {
                    if (crlInstance.getIssuerDN().equals(certIssuer)) { // if there is a CRL from the issuer in the CRL list
                        log.debug("CRL found from " + certIssuer.getName());

                        X509CRLEntry crlEntry = crlInstance.getRevokedCertificate(serial); // check it the serial number is in the list

                        if (crlEntry != null) { // the certificate is in the CRL list
                            log.info("The certificate is revoked by " + certIssuer.getName());
                            throw new CertPathValidatorException("The certificate "
                                + certificate.getSubjectDN().getName()
View Full Code Here
53
54
55
56
57
58
59
60
61
62
        }
        if (CertUtils.isExpired(crl)) {
            log.warn("CRL data expired on " + crl.getNextUpdate());
            this.expiredCRLPolicy.apply(crl);
        }
        final X509CRLEntry entry = crl.getRevokedCertificate(cert);
        if (entry != null) {
            throw new RevokedCertificateException(entry);
        }
    }
View Full Code Here
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
                }
            }
        }
       
        // check the crl
        X509CRLEntry crl_entry;
        if (crl != null)
        {
            if (sign != null)
            {
                boolean[] keyusage = sign.getKeyUsage();

                if (keyusage != null
                    && (keyusage.length < 7 || !keyusage[CRL_SIGN]))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noCrlSigningPermited");
                    throw new CertPathReviewerException(msg);
                }
            }

            if (workingPublicKey != null)
            {
                try
                {
                    crl.verify(workingPublicKey, "BC");
                }
                catch (Exception e)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlVerifyFailed");
                    throw new CertPathReviewerException(msg,e);
                }
            }
            else // issuer public key not known
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlNoIssuerPublicKey");
                throw new CertPathReviewerException(msg);
            }

            crl_entry = crl.getRevokedCertificate(cert.getSerialNumber());
            if (crl_entry != null)
            {
                String reason = null;
               
                if (crl_entry.hasExtensions())
                {
                    DEREnumerated reasonCode;
                    try
                    {
                        reasonCode = DEREnumerated.getInstance(getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
                    }
                    catch (AnnotatedException ae)
                    {
                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlReasonExtError");
                        throw new CertPathReviewerException(msg,ae);
                    }
                    if (reasonCode != null)
                    {
                        reason = crlReasons[reasonCode.getValue().intValue()];
                    }
                    else
                    {
                        reason = crlReasons[7];
                    }
                }
               
                // i18n reason
                LocaleString ls = new LocaleString(RESOURCE_NAME, reason);
               
                if (!validDate.before(crl_entry.getRevocationDate()))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certRevoked",
                            new Object[] {new TrustedInput(crl_entry.getRevocationDate()),ls});
                    throw new CertPathReviewerException(msg);
                }
                else // cert was revoked after validation date
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.revokedAfterValidation",
                            new Object[] {new TrustedInput(crl_entry.getRevocationDate()),ls});
                    addNotification(msg,index);
                }
            }
            else // cert is not revoked
            {
View Full Code Here
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
                fail("failed to find CRL extension");
            }
           
            AuthorityKeyIdentifier authId = new AuthorityKeyIdentifierStructure(authExt);
           
            X509CRLEntry entry = crl.getRevokedCertificate(BigInteger.ONE);
           
            if (entry == null)
            {
                fail("failed to find CRL entry");
            }
           
            if (!entry.getSerialNumber().equals(BigInteger.ONE))
            {
                fail("CRL cert serial number does not match");
            }
           
            if (!entry.hasExtensions())
            {
                fail("CRL entry extension not found");
            }

            byte[]  ext = entry.getExtensionValue(X509Extensions.ReasonCode.getId());

            if (ext != null)
            {
                DEREnumerated   reasonCode = (DEREnumerated)X509ExtensionUtil.fromExtensionValue(ext);
                                                                          
View Full Code Here
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
                }

                crlselect.setCertificateChecking(cert);

                Iterator crl_iter = findCRLs(crlselect, paramsPKIX.getCertStores()).iterator();
                X509CRLEntry crl_entry;
                while (crl_iter.hasNext())
                {
                    X509CRL crl = (X509CRL)crl_iter.next();
                    if (cert.getNotAfter().after(crl.getThisUpdate()))
                    {
                        if (crl.getNextUpdate() == null
                            || validDate.before(crl.getNextUpdate()))
                        {
                            tmpTest = true;
                        }

                        if (sign != null)
                        {
                            boolean[] keyusage = sign.getKeyUsage();

                            if (keyusage != null
                                && (keyusage.length < 7 || !keyusage[CRL_SIGN]))
                            {
                                throw new CertPathValidatorException(
                                    "Issuer certificate keyusage extension does not permit crl signing.\n" + sign,
                                    null, certPath, index);
                            }
                        }

                        try
                        {
                            crl.verify(workingPublicKey, "BC");
                        }
                        catch (Exception e)
                        {
                            throw new CertPathValidatorException("can't verify CRL: " + e);
                        }

                        crl_entry = crl.getRevokedCertificate(cert.getSerialNumber());
                        if (crl_entry != null
                            && !validDate.before(crl_entry.getRevocationDate()))
                        {
                            String reason = null;
                           
                            if (crl_entry.hasExtensions())
                            {
                                DEREnumerated reasonCode = DEREnumerated.getInstance(getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
                                if (reasonCode != null)
                                {
                                    reason = crlReasons[reasonCode.getValue().intValue()];
                                }
                            }
                           
                            String message = "Certificate revocation after " + crl_entry.getRevocationDate();
                           
                            if (reason != null)
                            {
                                message += ", reason: " + reason;
                            }
View Full Code Here
TOP

Related Classes of java.security.cert.X509CRLEntry

  • com.gitblit.GitblitTrustManager
  • de.innovationgate.utils.CertificateValidationUtils
  • org.apache.harmony.jretools.keytool.CRLManager
  • org.apache.harmony.security.provider.cert.X509CRLImpl
  • org.apache.harmony.tools.keytool.CRLManager
  • org.bouncycastle.jce.provider.CertPathValidatorUtilities
  • org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi
  • org.bouncycastle.jce.provider.test.CertTest
  • org.bouncycastle.x509.PKIXCertPathReviewer
  • org.bouncycastle.x509.X509V2CRLGenerator
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.