  /**
   * Returns the nextUpdate time of this CRL.
   *
   * @return the next update date, or {@code null} when the underlying CertificateList
   *     carries no nextUpdate field.
   */
  public Date getNextUpdate() {
    return c.getNextUpdate() == null ? null : c.getNextUpdate().getDate();
  }
  /**
   * Returns the next CRL from the buffered CRL set ({@code sCrlData}), advancing the
   * cursor {@code sCrlDataObjectCount} by one.
   *
   * @return the next CRL, or {@code null} when no set was loaded or it is exhausted.
   * @throws CRLException if the CRL object cannot be constructed.
   */
  private CRL getCRL() throws CRLException {
    boolean exhausted = (sCrlData == null) || (sCrlDataObjectCount >= sCrlData.size());
    if (exhausted) {
      return null;
    }

    int index = sCrlDataObjectCount++;
    return createCRL(CertificateList.getInstance(sCrlData.getObjectAt(index)));
  }
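 /**
  * Returns the DER encoding of the TBSCertList, i.e. the portion of this CRL that is signed.
  *
  * @return the DER-encoded TBSCertList.
  * @throws CRLException if encoding fails; the underlying IOException is kept as the cause.
  */
 public byte[] getTBSCertList() throws CRLException {
   try {
     return c.getTBSCertList().getEncoded("DER");
   } catch (IOException e) {
     // Keep the original exception as the cause so the encoding failure stays diagnosable.
     throw new CRLException(e.toString(), e);
   }
 }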
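 /**
  * Returns the DER encoding of the whole CRL (TBSCertList, signature algorithm and signature).
  *
  * @return the DER-encoded CertificateList.
  * @throws CRLException if encoding fails; the underlying IOException is kept as the cause.
  */
 public byte[] getEncoded() throws CRLException {
   try {
     return c.getEncoded(ASN1Encoding.DER);
   } catch (IOException e) {
     // Keep the original exception as the cause so the encoding failure stays diagnosable.
     throw new CRLException(e.toString(), e);
   }
 }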
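  /**
   * Checks whether the given certificate is on this CRL.
   *
   * <p>Walks the revoked-certificate entries looking for the certificate's serial number.
   * For an indirect CRL the issuer that applies to an entry is tracked through the
   * certificateIssuer entry extension, and a serial match only counts as revoked when that
   * issuer equals the certificate's own issuer. The first entry whose serial matches decides
   * the result; later entries with the same serial are not consulted.
   *
   * @param cert the certificate to check for.
   * @return true if the given certificate is on this CRL, false otherwise.
   * @throws RuntimeException if {@code cert} is not an X.509 certificate or cannot be re-encoded.
   */
  public boolean isRevoked(Certificate cert) {
    if (!cert.getType().equals("X.509")) {
      throw new RuntimeException("X.509 CRL used with non X.509 Cert");
    }

    TBSCertList.CRLEntry[] certs = c.getRevokedCertificates();
    if (certs == null) {
      return false;
    }

    BigInteger serial = ((X509Certificate) cert).getSerialNumber();

    // Issuer in effect for the current entry: the CRL issuer until an entry of an indirect
    // CRL carries a certificateIssuer extension, which then applies to it and to later entries.
    X500Name caName = c.getIssuer();

    for (TBSCertList.CRLEntry entry : certs) {
      if (isIndirect && entry.hasExtensions()) {
        Extension currentCaName = entry.getExtensions().getExtension(Extension.certificateIssuer);

        if (currentCaName != null) {
          caName =
              X500Name.getInstance(
                  GeneralNames.getInstance(currentCaName.getParsedValue()).getNames()[0].getName());
        }
      }

      if (entry.getUserCertificate().getValue().equals(serial)) {
        X500Name issuer;

        try {
          issuer =
              org.bouncycastle.asn1.x509.Certificate.getInstance(cert.getEncoded()).getIssuer();
        } catch (CertificateEncodingException e) {
          // Preserve the cause; the bare message hid why re-encoding the certificate failed.
          throw new RuntimeException("Cannot process certificate", e);
        }

        // A matching serial is only a revocation when the entry's issuer is the cert's issuer.
        return caName.equals(issuer);
      }
    }

    return false;
  }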
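  /**
   * Returns the unsigned CRLs carried at the root of the CMS structure (outside signerInfos),
   * converted from BouncyCastle {@code CertificateList} objects to {@code java.security.cert.CRL}
   * through the BouncyCastle X.509 {@code CertificateFactory}.
   *
   * <p>Any failure is routed through {@code ExceptionHandlerTyped.handle}; the trailing
   * {@code return null} is only reached if that handler returns instead of throwing.
   *
   * @return the CRLs found in the signed data (possibly empty), or {@code null} when the
   *     exception handler returns normally.
   */
  public Collection<CRL> getUnsignedCRLs() {
    try {
      Collection<CertificateList> crlCollection = cmsSignedData.getCRLs().getMatches(null);

      // Then we need to "cast" from bouncycastle.CertificateList to java.CRL
      Collection<CRL> x509CrlsCollection = new HashSet<CRL>(crlCollection.size());
      if (!crlCollection.isEmpty()) {
        // One factory lookup for the whole conversion instead of one per CRL; it is only
        // requested when there is something to convert, so an empty set never touches it.
        CertificateFactory factory =
            CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME);
        for (CertificateList certList : crlCollection) {
          x509CrlsCollection.add(
              factory.generateCRL(new ByteArrayInputStream(certList.getEncoded())));
        }
      }
      return x509CrlsCollection;
    } catch (Exception e) {
      ExceptionHandlerTyped.<SPISignatureException>handle(SPISignatureException.class, e);
    }
    return null;
  }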
  /**
   * Reads one PEM-armoured CRL from the stream.
   *
   * @param in the stream positioned at a PEM CRL.
   * @return the parsed CRL, or {@code null} if the PEM parser found no object.
   * @throws IOException on read errors.
   * @throws CRLException if the CRL object cannot be constructed.
   */
  private CRL readPEMCRL(InputStream in) throws IOException, CRLException {
    ASN1Sequence pemObject = PEM_CRL_PARSER.readPEMObject(in);
    return pemObject == null ? null : createCRL(CertificateList.getInstance(pemObject));
  }
  /**
   * Verifies the signature on a CRL with the supplied public key.
   *
   * <p>A BouncyCastle {@code X509CRLObject} is checked directly on its {@code CertificateList}:
   * the outer signature algorithm must equal the one declared in the TBSCertList, then the
   * signature over the TBSCertList is verified with a {@code Signature} obtained from
   * {@code securityProvider}. Any other CRL is delegated to {@code X509CRL.verify(PublicKey)}.
   *
   * @param crl the CRL to verify.
   * @param publicKey the key expected to have signed it.
   * @param silent when true, verification failures yield {@code false} instead of an exception.
   * @return true if the signature verifies; false only when {@code silent} is set and it does not.
   * @throws NoSuchAlgorithmException if the signature algorithm is unavailable (unless silent).
   * @throws CRLException if the algorithm identifiers disagree or the CRL is malformed (unless silent).
   * @throws InvalidKeyException if the key does not fit the algorithm (unless silent).
   * @throws SignatureException if the signature does not verify (unless silent).
   */
  static boolean verify(final X509CRL crl, final PublicKey publicKey, final boolean silent)
      throws NoSuchAlgorithmException, CRLException, InvalidKeyException, SignatureException {

    if (crl instanceof X509CRLObject) {
      return verifyCertificateList(crl, publicKey, silent);
    }

    try {
      crl.verify(publicKey);
      return true;
    } catch (NoSuchAlgorithmException ex) {
      if (silent) {
        return false;
      }
      throw ex;
    } catch (CRLException ex) {
      if (silent) {
        return false;
      }
      throw ex;
    } catch (InvalidKeyException ex) {
      if (silent) {
        return false;
      }
      throw ex;
    } catch (SignatureException ex) {
      if (silent) {
        return false;
      }
      throw ex;
    } catch (NoSuchProviderException e) {
      // Not part of this method's contract; surfaced as unchecked because it is unexpected here.
      if (isDebug()) {
        e.printStackTrace();
      }
      throw new RuntimeException(e); // unexpected - might hide a bug
    }
  }

  /**
   * Verification path for a BouncyCastle-backed CRL, working on the raw {@code CertificateList}.
   * Only the two explicit checks honour {@code silent}; lookup and key errors always propagate.
   */
  private static boolean verifyCertificateList(
      final X509CRL crl, final PublicKey publicKey, final boolean silent)
      throws NoSuchAlgorithmException, CRLException, InvalidKeyException, SignatureException {
    final CertificateList certificateList = (CertificateList) getCertificateList(crl);
    final AlgorithmIdentifier tbsAlgorithm = certificateList.getTBSCertList().getSignature();

    if (!certificateList.getSignatureAlgorithm().equals(tbsAlgorithm)) {
      if (silent) {
        return false;
      }
      throw new CRLException("Signature algorithm on CertificateList does not match TBSCertList.");
    }

    final Signature verifier = getSignature(crl.getSigAlgName(), securityProvider);
    verifier.initVerify(publicKey);
    verifier.update(crl.getTBSCertList());

    if (verifier.verify(crl.getSignature())) {
      return true;
    }
    if (silent) {
      return false;
    }
    throw new SignatureException("CRL does not verify with supplied public key.");
  }
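  /**
   * Wraps a BouncyCastle {@code CertificateList} as a {@code java.security.cert.X509CRL}.
   *
   * <p>Derives the signature algorithm name, DER-encodes the algorithm parameters when present
   * (otherwise {@code sigAlgParams} is {@code null}), and records whether this is an indirect
   * CRL. {@code isIndirectCRL(this)} is invoked before construction finishes, so it must only
   * rely on {@code c}, which is already assigned at that point.
   *
   * @param c the parsed CRL structure to wrap.
   * @throws CRLException if any derived field cannot be computed; the original exception is
   *     kept as the cause.
   */
  public X509CRLObject(CertificateList c) throws CRLException {
    this.c = c;

    try {
      this.sigAlgName = X509SignatureUtil.getSignatureName(c.getSignatureAlgorithm());

      if (c.getSignatureAlgorithm().getParameters() != null) {
        this.sigAlgParams =
            ((ASN1Encodable) c.getSignatureAlgorithm().getParameters())
                .toASN1Primitive()
                .getEncoded(ASN1Encoding.DER);
      } else {
        this.sigAlgParams = null;
      }

      this.isIndirect = isIndirectCRL(this);
    } catch (Exception e) {
      // Keep the cause: the message alone loses the stack trace of the original failure.
      throw new CRLException("CRL contents invalid: " + e, e);
    }
  }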
  /**
   * Verifies this CRL's signature with the given key, obtaining the {@code Signature} from
   * {@code sigProvider} when it is non-null and through the default provider search otherwise.
   *
   * <p>Before the cryptographic check, the signature algorithm of the outer CertificateList is
   * required to equal the one declared inside the TBSCertList.
   *
   * @param key the public key expected to have signed this CRL.
   * @param sigProvider the provider name to use, or {@code null} for the default lookup.
   * @throws CRLException if the two algorithm identifiers differ.
   * @throws NoSuchAlgorithmException if the signature algorithm is unavailable.
   * @throws InvalidKeyException if the key does not fit the algorithm.
   * @throws NoSuchProviderException if {@code sigProvider} names an unknown provider.
   * @throws SignatureException if the signature does not verify.
   */
  public void verify(PublicKey key, String sigProvider)
      throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException,
          SignatureException {
    boolean algorithmsAgree = c.getSignatureAlgorithm().equals(c.getTBSCertList().getSignature());
    if (!algorithmsAgree) {
      throw new CRLException("Signature algorithm on CertificateList does not match TBSCertList.");
    }

    String algorithmName = getSigAlgName();
    Signature verifier =
        (sigProvider == null)
            ? Signature.getInstance(algorithmName)
            : Signature.getInstance(algorithmName, sigProvider);

    verifier.initVerify(key);
    verifier.update(getTBSCertList());

    if (!verifier.verify(getSignature())) {
      throw new SignatureException("CRL does not verify with supplied public key.");
    }
  }
  /**
   * Builds the set of entry objects for every revoked certificate in this CRL.
   *
   * <p>Each entry is created with the issuer in effect when it is reached: the CRL issuer to
   * begin with, and, for an indirect CRL, the name from the most recent certificateIssuer entry
   * extension. An entry's own certificateIssuer extension only changes the issuer passed to the
   * entries that follow it.
   *
   * @return the entries as {@code X509CRLEntryObject} instances (raw {@code Set}, as before).
   */
  private Set loadCRLEntries() {
    Set entries = new HashSet();
    X500Name issuerInEffect = c.getIssuer();

    for (Enumeration en = c.getRevokedCertificateEnumeration(); en.hasMoreElements(); ) {
      TBSCertList.CRLEntry entry = (TBSCertList.CRLEntry) en.nextElement();
      entries.add(new X509CRLEntryObject(entry, isIndirect, issuerInEffect));

      Extension certIssuer =
          (isIndirect && entry.hasExtensions())
              ? entry.getExtensions().getExtension(Extension.certificateIssuer)
              : null;
      if (certIssuer != null) {
        issuerInEffect =
            X500Name.getInstance(
                GeneralNames.getInstance(certIssuer.getParsedValue()).getNames()[0].getName());
      }
    }

    return entries;
  }
  /**
   * Looks up the CRL entry for the given serial number.
   *
   * <p>Entries are scanned in order; the issuer handed to the returned entry is the one in
   * effect when it is reached (the CRL issuer, or for an indirect CRL the name from the most
   * recent preceding certificateIssuer entry extension). The first entry with a matching serial
   * is returned, regardless of issuer.
   *
   * @param serialNumber the serial number to look for.
   * @return the matching entry, or {@code null} if no entry carries that serial.
   */
  public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
    X500Name issuerInEffect = c.getIssuer();

    for (Enumeration en = c.getRevokedCertificateEnumeration(); en.hasMoreElements(); ) {
      TBSCertList.CRLEntry entry = (TBSCertList.CRLEntry) en.nextElement();

      if (serialNumber.equals(entry.getUserCertificate().getValue())) {
        return new X509CRLEntryObject(entry, isIndirect, issuerInEffect);
      }

      Extension certIssuer =
          (isIndirect && entry.hasExtensions())
              ? entry.getExtensions().getExtension(Extension.certificateIssuer)
              : null;
      if (certIssuer != null) {
        issuerInEffect =
            X500Name.getInstance(
                GeneralNames.getInstance(certIssuer.getParsedValue()).getNames()[0].getName());
      }
    }

    return null;
  }
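  /**
   * Reads one DER-encoded CRL from the stream.
   *
   * <p>If the stream holds a PKCS#7/CMS SignedData wrapper rather than a bare CertificateList,
   * its CRL set is buffered in {@code sCrlData} and the first CRL of that set is returned
   * (subsequent calls to {@code getCRL()} yield the rest).
   *
   * @param aIn the ASN.1 stream to read from.
   * @return the parsed CRL, or {@code null} if the stream holds no further object.
   * @throws IOException on read errors or malformed ASN.1.
   * @throws CRLException if the CRL object cannot be constructed.
   */
  private CRL readDERCRL(ASN1InputStream aIn) throws IOException, CRLException {
    ASN1Sequence seq = (ASN1Sequence) aIn.readObject();

    // End of stream: report "no CRL" instead of dereferencing null below, as readPEMCRL does.
    if (seq == null) {
      return null;
    }

    if (seq.size() > 1 && seq.getObjectAt(0) instanceof ASN1ObjectIdentifier) {
      if (seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) {
        // SignedData wrapper: keep the whole CRL set and hand out its first element.
        sCrlData =
            SignedData.getInstance(
                    ASN1Sequence.getInstance((ASN1TaggedObject) seq.getObjectAt(1), true))
                .getCRLs();

        return getCRL();
      }
    }

    return createCRL(CertificateList.getInstance(seq));
  }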
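  /**
   * Returns the DER-encoded OCTET STRING value of the named CRL extension.
   *
   * @param oid the extension OID in dotted-decimal form; an invalid string is rejected by the
   *     {@code ASN1ObjectIdentifier} constructor.
   * @return the encoded extnValue, or {@code null} if the CRL has no extensions or lacks this one.
   * @throws IllegalStateException if the extension value cannot be encoded; the cause is kept.
   */
  public byte[] getExtensionValue(String oid) {
    Extensions exts = c.getTBSCertList().getExtensions();
    if (exts == null) {
      return null;
    }

    Extension ext = exts.getExtension(new ASN1ObjectIdentifier(oid));
    if (ext == null) {
      return null;
    }

    try {
      return ext.getExtnValue().getEncoded();
    } catch (Exception e) {
      // Preserve the cause so the encoding failure can be traced, not just its message.
      throw new IllegalStateException("error parsing " + e.toString(), e);
    }
  }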
  /**
   * Collects the OIDs of the CRL extensions whose criticality flag equals {@code critical}.
   *
   * @param critical true to select critical extensions, false for non-critical ones.
   * @return the matching OID strings (possibly empty), or {@code null} when this is not a
   *     version 2 CRL or it carries no extensions.
   */
  private Set getExtensionOIDs(boolean critical) {
    if (getVersion() != 2) {
      return null;
    }

    Extensions extensions = c.getTBSCertList().getExtensions();
    if (extensions == null) {
      return null;
    }

    Set matching = new HashSet();
    for (Enumeration en = extensions.oids(); en.hasMoreElements(); ) {
      ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) en.nextElement();
      if (extensions.getExtension(oid).isCritical() == critical) {
        matching.add(oid.getId());
      }
    }

    return matching;
  }
 /**
  * Returns the CRL issuer as a {@code Principal} (a BouncyCastle {@code X509Principal} built
  * from the issuer name in the CertificateList).
  *
  * @return the issuer distinguished name.
  */
 public Principal getIssuerDN() {
   X500Name issuerName = X500Name.getInstance(c.getIssuer().toASN1Primitive());
   return new X509Principal(issuerName);
 }
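  /**
   * Returns a string representation of this CRL.
   *
   * <p>Lists the version, issuer, thisUpdate, nextUpdate and signature algorithm, then the
   * signature in hex (20 bytes per line), the CRL extensions (known ones decoded, the rest
   * dumped as ASN.1, undecodable values masked with {@code *****}) and finally one line per
   * revoked-certificate entry.
   *
   * @return a string representation of this CRL.
   */
  public String toString() {
    StringBuilder buf = new StringBuilder();
    String nl = System.getProperty("line.separator");

    buf.append("              Version: ").append(this.getVersion()).append(nl);
    buf.append("             IssuerDN: ").append(this.getIssuerDN()).append(nl);
    buf.append("          This update: ").append(this.getThisUpdate()).append(nl);
    buf.append("          Next update: ").append(this.getNextUpdate()).append(nl);
    buf.append("  Signature Algorithm: ").append(this.getSigAlgName()).append(nl);

    byte[] sig = this.getSignature();

    // Hex output is ASCII, so the platform charset used by new String(byte[]) cannot alter it.
    // The slice length is clamped so a signature shorter than 20 bytes does not overrun the array.
    buf.append("            Signature: ")
        .append(new String(Hex.encode(sig, 0, Math.min(20, sig.length))))
        .append(nl);
    for (int i = 20; i < sig.length; i += 20) {
      int chunk = Math.min(20, sig.length - i);
      buf.append("                       ").append(new String(Hex.encode(sig, i, chunk))).append(nl);
    }

    Extensions extensions = c.getTBSCertList().getExtensions();

    if (extensions != null) {
      Enumeration e = extensions.oids();

      if (e.hasMoreElements()) {
        buf.append("           Extensions: ").append(nl);
      }

      while (e.hasMoreElements()) {
        ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) e.nextElement();
        Extension ext = extensions.getExtension(oid);

        if (ext.getExtnValue() != null) {
          byte[] octs = ext.getExtnValue().getOctets();
          ASN1InputStream dIn = new ASN1InputStream(octs);
          buf.append("                       critical(").append(ext.isCritical()).append(") ");
          try {
            if (oid.equals(Extension.cRLNumber)) {
              buf.append(
                      new CRLNumber(ASN1Integer.getInstance(dIn.readObject()).getPositiveValue()))
                  .append(nl);
            } else if (oid.equals(Extension.deltaCRLIndicator)) {
              buf.append(
                      "Base CRL: "
                          + new CRLNumber(
                              ASN1Integer.getInstance(dIn.readObject()).getPositiveValue()))
                  .append(nl);
            } else if (oid.equals(Extension.issuingDistributionPoint)) {
              buf.append(IssuingDistributionPoint.getInstance(dIn.readObject())).append(nl);
            } else if (oid.equals(Extension.cRLDistributionPoints)) {
              buf.append(CRLDistPoint.getInstance(dIn.readObject())).append(nl);
            } else if (oid.equals(Extension.freshestCRL)) {
              buf.append(CRLDistPoint.getInstance(dIn.readObject())).append(nl);
            } else {
              buf.append(oid.getId());
              buf.append(" value = ").append(ASN1Dump.dumpAsString(dIn.readObject())).append(nl);
            }
          } catch (Exception ex) {
            // An undecodable extension value is masked rather than failing the whole dump.
            buf.append(oid.getId());
            buf.append(" value = ").append("*****").append(nl);
          }
        } else {
          buf.append(nl);
        }
      }
    }

    Set set = getRevokedCertificates();
    if (set != null) {
      for (Iterator it = set.iterator(); it.hasNext(); ) {
        buf.append(it.next()).append(nl);
      }
    }
    return buf.toString();
  }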
 /**
  * Returns the dotted-decimal OID of the algorithm named in the CRL's outer signatureAlgorithm.
  *
  * @return the signature algorithm OID string.
  */
 public String getSigAlgOID() {
   return this.c.getSignatureAlgorithm().getAlgorithm().getId();
 }
 /**
  * Returns the raw bytes of the CRL's signature BIT STRING.
  *
  * @return the signature value as bytes.
  */
 public byte[] getSignature() {
   return this.c.getSignature().getBytes();
 }
 /**
  * Returns the thisUpdate time of this CRL. Unlike nextUpdate, this field is mandatory and is
  * read without a null check.
  *
  * @return the thisUpdate date.
  */
 public Date getThisUpdate() {
   return this.c.getThisUpdate().getDate();
 }
 /**
  * Starts a PKCS#12 safe bag carrying a CRL: bag type {@code crlBag}, whose value is an X.509
  * CRL {@code CertBag} wrapping the encoded CertificateList in an OCTET STRING.
  *
  * @param crl the CRL to place in the bag.
  * @throws IOException if the CRL cannot be encoded.
  */
 public PKCS12SafeBagBuilder(CertificateList crl) throws IOException {
   this.bagType = PKCSObjectIdentifiers.crlBag;
   byte[] encodedCrl = crl.getEncoded();
   this.bagValue = new CertBag(PKCSObjectIdentifiers.x509Crl, new DEROctetString(encodedCrl));
 }
 /**
  * Returns the CRL version as a number, as reported by the underlying CertificateList.
  *
  * @return the version number.
  */
 public int getVersion() {
   return this.c.getVersionNumber();
 }