예제 #1
0
 /**
  * Returns whether the specified object equals to this instance.
  *
  * @param other the object to compare.
  * @return {@code true} if the specified object equals to this instance, otherwise {@code false}.
  */
 public boolean equals(Object other) {
   if (other == this) {
     return true;
   }
   if (!(other instanceof X509CRLEntry)) {
     return false;
   }
   X509CRLEntry obj = (X509CRLEntry) other;
   try {
     return Arrays.equals(getEncoded(), obj.getEncoded());
   } catch (CRLException e) {
     return false;
   }
 }
 /** @return the revocation reason code as defined in RevokedCertInfo.REVOCATION_REASON_... */
 public static int extractReasonCode(final X509CRLEntry crlEntry) {
   int reasonCode = RevokedCertInfo.REVOCATION_REASON_UNSPECIFIED;
   if (crlEntry.hasExtensions()) {
     final byte[] extensionValue = crlEntry.getExtensionValue(Extension.reasonCode.getId());
     try {
       final ASN1Enumerated reasonCodeExtension =
           ASN1Enumerated.getInstance(X509ExtensionUtil.fromExtensionValue(extensionValue));
       if (reasonCodeExtension != null) {
         reasonCode = reasonCodeExtension.getValue().intValue();
       }
     } catch (IOException e) {
       log.debug("Failed to parse reason code of CRLEntry: " + e.getMessage());
     }
   }
   return reasonCode;
 }
  protected static void getCertStatus(
      Date validDate, X509CRL crl, Object cert, CertStatus certStatus) throws AnnotatedException {
    X509CRLEntry crl_entry = null;

    boolean isIndirect;
    try {
      isIndirect = X509CRLObject.isIndirectCRL(crl);
    } catch (CRLException exception) {
      throw new AnnotatedException("Failed check for indirect CRL.", exception);
    }

    if (isIndirect) {
      crl_entry = crl.getRevokedCertificate(getSerialNumber(cert));

      if (crl_entry == null) {
        return;
      }

      X500Principal certIssuer = crl_entry.getCertificateIssuer();

      if (certIssuer == null) {
        certIssuer = getIssuerPrincipal(crl);
      }

      if (!getEncodedIssuerPrincipal(cert).equals(certIssuer)) {
        return;
      }
    } else if (!getEncodedIssuerPrincipal(cert).equals(getIssuerPrincipal(crl))) {
      return; // not for our issuer, ignore
    } else {
      crl_entry = crl.getRevokedCertificate(getSerialNumber(cert));

      if (crl_entry == null) {
        return;
      }
    }

    DEREnumerated reasonCode = null;
    if (crl_entry.hasExtensions()) {
      try {
        reasonCode =
            DEREnumerated.getInstance(
                CertPathValidatorUtilities.getExtensionValue(
                    crl_entry, X509Extension.reasonCode.getId()));
      } catch (Exception e) {
        throw new AnnotatedException("Reason code CRL entry extension could not be decoded.", e);
      }
    }

    // for reason keyCompromise, caCompromise, aACompromise or
    // unspecified
    if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime())
        || reasonCode == null
        || reasonCode.getValue().intValue() == 0
        || reasonCode.getValue().intValue() == 1
        || reasonCode.getValue().intValue() == 2
        || reasonCode.getValue().intValue() == 8) {

      // (i) or (j) (1)
      if (reasonCode != null) {
        certStatus.setCertStatus(reasonCode.getValue().intValue());
      }
      // (i) or (j) (2)
      else {
        certStatus.setCertStatus(CRLReason.unspecified);
      }
      certStatus.setRevocationDate(crl_entry.getRevocationDate());
    }
  }
  /** Test revocation and reactivation of certificates */
  @Test
  public void testRevokeAndUnrevoke() throws Exception {

    X509Certificate cert = createCert();
    try {
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate is not present in a new CRL
      byte[] crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      X509CRL x509crl = CertTools.getCRLfromByteArray(crl);
      Set<? extends X509CRLEntry> revset = x509crl.getRevokedCertificates();
      if (revset != null) {
        Iterator<? extends X509CRLEntry> iter = revset.iterator();
        while (iter.hasNext()) {
          X509CRLEntry ce = iter.next();
          assertTrue(ce.getSerialNumber().compareTo(cert.getSerialNumber()) != 0);
        }
      } // If no revoked certificates exist at all, this test passed...

      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, null);
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate IS present in a new CRL
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      assertNotNull(revset);
      Iterator<? extends X509CRLEntry> iter = revset.iterator();
      boolean found = false;
      while (iter.hasNext()) {
        X509CRLEntry ce = iter.next();
        if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
          found = true;
          // TODO: verify the reason code
        }
      }
      assertTrue(
          "Certificate with serial " + cert.getSerialNumber().toString(16) + " not revoked", found);

      // Unrevoke the certificate that we just revoked
      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate IS NOT present in the new
      // CRL.
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      if (revset != null) {
        iter = revset.iterator();
        found = false;
        while (iter.hasNext()) {
          X509CRLEntry ce = iter.next();
          if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
            found = true;
          }
        }
        assertFalse(found);
      } // If no revoked certificates exist at all, this test passed...

      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.REVOCATION_REASON_CACOMPROMISE, null);
      assertTrue(
          "Failed to revoke certificate!",
          certificateStoreSession.isRevoked(
              CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate IS present in a new CRL
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      iter = revset.iterator();
      found = false;
      while (iter.hasNext()) {
        X509CRLEntry ce = (X509CRLEntry) iter.next();
        if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
          found = true;
          // TODO: verify the reason code
        }
      }
      assertTrue(found);

      certificateStoreSession.setRevokeStatus(
          roleMgmgToken, cert, RevokedCertInfo.NOT_REVOKED, null);
      assertTrue(
          "Was able to re-activate permanently revoked certificate!",
          certificateStoreSession.isRevoked(
              CertTools.getIssuerDN(cert), CertTools.getSerialNumber(cert)));
      // Create a new CRL again...
      assertTrue(publishingCrlSessionRemote.forceCRL(roleMgmgToken, testx509ca.getCAId()));
      // Check that our newly signed certificate is present in the new CRL,
      // because the revocation reason
      // was not CERTIFICATE_HOLD, we can only un-revoke certificates that are
      // on hold.
      crl = crlStoreSession.getLastCRL(testx509ca.getSubjectDN(), false);
      assertNotNull("Could not get CRL", crl);
      x509crl = CertTools.getCRLfromByteArray(crl);
      revset = x509crl.getRevokedCertificates();
      iter = revset.iterator();
      found = false;
      while (iter.hasNext()) {
        X509CRLEntry ce = (X509CRLEntry) iter.next();
        if (ce.getSerialNumber().compareTo(cert.getSerialNumber()) == 0) {
          found = true;
        }
      }
      assertTrue(found);
    } finally {
      internalCertificateStoreSession.removeCertificate(cert);
    }
  }