Example usage for java.security.cert X509CRL getIssuerX500Principal

List of usage examples for java.security.cert X509CRL getIssuerX500Principal

Introduction

In this page you can find the example usage for java.security.cert X509CRL getIssuerX500Principal.

Prototype

public X500Principal getIssuerX500Principal() 


Document

Returns the issuer (issuer distinguished name) value from the CRL as an X500Principal.

Usage

From source file:mitm.common.security.crl.GenerateTestCRLs.java

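@Test
public void testGenerateRootEmptyCRL() throws Exception {
    // Generates a CRL with no entries for the test root CA, checks its issuer and
    // validity fields, and writes the DER encoding to test/tmp for other tests.
    X509CRLBuilder crlGenerator = createX509CRLBuilder();

    Date thisDate = TestUtils.parseDate("30-Nov-2007 11:38:35 GMT");
    Date nextDate = TestUtils.parseDate("30-Nov-2027 11:38:35 GMT");

    crlGenerator.setThisUpdate(thisDate);
    crlGenerator.setNextUpdate(nextDate);
    crlGenerator.setSignatureAlgorithm("SHA256WithRSAEncryption");

    X509CRL crl = crlGenerator.generateCRL(new KeyAndCertificateImpl(rootPrivateKey, rootCertificate));

    assertEquals("EMAILADDRESS=root@example.com, CN=MITM Test Root, L=Amsterdam, ST=NH, C=NL",
            crl.getIssuerX500Principal().toString());
    assertEquals(thisDate, crl.getThisUpdate());
    assertEquals(nextDate, crl.getNextUpdate());
    // a CRL without entries is expected to report null, not an empty set
    assertNull(crl.getRevokedCertificates());
    assertFalse(crl.isRevoked(caCertificate));

    File crlFile = new File("test/tmp/test-generate-root-empty.crl");

    // close in finally: the stream used to stay open when the write threw
    FileOutputStream fos = new FileOutputStream(crlFile);
    try {
        IOUtils.write(crl.getEncoded(), fos);
    } finally {
        fos.close();
    }
}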

From source file:mitm.common.security.crl.GenerateTestCRLs.java

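@Test
public void testGenerateRootRevokedCRL() throws Exception {
    // Generates a root CRL that revokes the test CA certificate (reason cACompromise),
    // checks the issuer/validity/revocation fields and writes the DER encoding to test/tmp.
    X509CRLBuilder crlGenerator = createX509CRLBuilder();

    Date thisDate = TestUtils.parseDate("30-Nov-2007 11:38:35 GMT");
    Date nextDate = TestUtils.parseDate("30-Nov-2027 11:38:35 GMT");

    crlGenerator.setThisUpdate(thisDate);
    crlGenerator.setNextUpdate(nextDate);
    crlGenerator.setSignatureAlgorithm("SHA256WithRSAEncryption");

    // revocation date == thisUpdate so the entry is effective from the CRL's own issue time
    crlGenerator.addCRLEntry(caCertificate.getSerialNumber(), thisDate, CRLReason.cACompromise);

    X509CRL crl = crlGenerator.generateCRL(new KeyAndCertificateImpl(rootPrivateKey, rootCertificate));

    assertEquals("EMAILADDRESS=root@example.com, CN=MITM Test Root, L=Amsterdam, ST=NH, C=NL",
            crl.getIssuerX500Principal().toString());
    assertEquals(thisDate, crl.getThisUpdate());
    assertEquals(nextDate, crl.getNextUpdate());
    assertEquals(1, crl.getRevokedCertificates().size());
    assertTrue(crl.isRevoked(caCertificate));

    File crlFile = new File("test/tmp/test-generate-root-ca-revoked.crl");

    // close in finally: the stream used to stay open when the write threw
    FileOutputStream fos = new FileOutputStream(crlFile);
    try {
        IOUtils.write(crl.getEncoded(), fos);
    } finally {
        fos.close();
    }
}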

From source file:mitm.common.security.crl.GenerateTestCRLs.java

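@Test
public void testGenerateCACRLSignedByIncorrectKey() throws Exception {
    // Generates a CRL that names caCertificate as issuer but is signed with an unrelated
    // test key. Only the CRL fields are asserted here; the test does not call verify(),
    // so whether the builder checks key/certificate correspondence is not established by
    // this test (presumably it does not -- confirm against X509CRLBuilder).
    X509CRLBuilder crlGenerator = createX509CRLBuilder();

    Date thisDate = TestUtils.parseDate("30-Nov-2007 11:38:35 GMT");
    Date nextDate = TestUtils.parseDate("30-Nov-2027 11:38:35 GMT");

    crlGenerator.setThisUpdate(thisDate);
    crlGenerator.setNextUpdate(nextDate);
    crlGenerator.setSignatureAlgorithm("SHA256WithRSAEncryption");

    X509Certificate certificate = TestUtils
            .loadCertificate("test/resources/testdata/certificates/" + "valid_certificate_mitm_test_ca.cer");
    assertNotNull(certificate);

    crlGenerator.addCRLEntry(certificate.getSerialNumber(), thisDate, CRLReason.privilegeWithdrawn);

    // Test-only private key as hex (looks like a PKCS#8 RSA PrivateKeyInfo); it does not
    // belong to caCertificate.
    String encodedPrivateKey = "30820276020100300d06092a864886f70d0101010500048202603082025c"
            + "02010002818100a9fee3017954c99b248d1486830c71b2e0ea3f9b7a2763"
            + "1bed8a731f5bd7e1edf856bc3fb7c63dedbeb5bb0de474e7792b3aa7e7b2"
            + "274c03a47c7d89b1935eaef172c6395f2322f1ed9e61ae46d716b4b4394c"
            + "1a802db05a2d7c3d1d41a3e8afc65ff8dada7414744f1ee1540e50ee7fb8"
            + "db437b20c5ee33a82b9d575cfbc951020301000102818004f84ab2b45562"
            + "3f82e60cff91bd3f65b765a1ce6dd7d0f1f413e421ba91a92d47e161478b"
            + "9be41b9b43bce03f199bdad304b7fbf21d6bff7f439477fe150ce38c312f"
            + "c015f3c89291aaa42c4c106f623dfd9f76acad2f1c77b590f038ffbb25f9"
            + "14b6f7ead769808ddd0e2d648442620b50518d9b7fb132b2fa1fa3e9d628"
            + "41024100e69ab3765120d0e0ba5dc21bf384b2f553211b4b1902175454c6"
            + "2f1b0f8ad385d78490539308c9fd5145ae36cc2a6d364fdd97d83d9b6623"
            + "a987db239e716055024100bcb77acf1e9829ab5b2c9a5e73d343db857474"
            + "a529ba52ca256655eb7d760e85d3c68eec9500e3db0494c8f77cb8058593"
            + "6e52a9290149367392d74ecdc3510d024100bd15723b7cb024b56ffabad3"
            + "c26c3774f2b1bdb8690c0ee7060feec6088b737f56450b368be4740332e5"
            + "a8c0a3cdd1f8eba9adfd101ee0b43329036584604075024055465b9a27ea"
            + "fe394e33b375a6c4fa4ec1d943b4364cd9883aaa297d05ee48d5b4426ee6"
            + "fcd5b02091cb619c63a10bedb6170e071e5e5464e4889ffe1e007a290240"
            + "7b60d23994a2ec38db909678446ed56d32455bf684141b9ee0aec68b2025"
            + "1d4d94fd2beebf02074559b811ae1130d2e2aa3bec2e9bccb06969104856" + "00c70759";

    PrivateKey privateKey = decodePrivateKey(encodedPrivateKey);

    // sign not by the caPrivateKey but by some other key
    X509CRL crl = crlGenerator.generateCRL(new KeyAndCertificateImpl(privateKey, caCertificate));

    assertEquals("EMAILADDRESS=ca@example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL",
            crl.getIssuerX500Principal().toString());
    assertEquals(thisDate, crl.getThisUpdate());
    assertEquals(nextDate, crl.getNextUpdate());
    assertEquals(1, crl.getRevokedCertificates().size());
    assertTrue(crl.isRevoked(certificate));

    File crlFile = new File("test/tmp/test-generate-ca-signed-incorrect-key.crl");

    // close in finally: the stream used to stay open when the write threw
    FileOutputStream fos = new FileOutputStream(crlFile);
    try {
        IOUtils.write(crl.getEncoded(), fos);
    } finally {
        fos.close();
    }
}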

From source file:eu.europa.ec.markt.dss.signature.xades.XAdESProfileC.java

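/**
 * Fills {@code completeRevocationRefs} with one {@code CRLRef} per CRL needed by the
 * validation context: the CRL issuer name, its thisUpdate time and a SHA-1 digest of the
 * DER-encoded CRL. Does nothing when the context needs no CRL.
 *
 * @param completeRevocationRefs target CompleteRevocationRefs element
 * @param ctx                    validation context whose needed CRLs are referenced
 * @throws RuntimeException wrapping the {@link CRLException} when a CRL cannot be encoded
 */
private void incorporateCRLRefs(CompleteRevocationRefsType completeRevocationRefs, ValidationContext ctx) {
    if (ctx.getNeededCRL().isEmpty()) {
        return;
    }

    CRLRefsType crlRefs = xadesObjectFactory.createCRLRefsType();
    completeRevocationRefs.setCRLRefs(crlRefs);
    List<CRLRefType> crlRefList = crlRefs.getCRLRef();

    for (X509CRL crl : ctx.getNeededCRL()) {
        try {
            CRLRefType crlRef = xadesObjectFactory.createCRLRefType();

            CRLIdentifierType crlIdentifier = xadesObjectFactory.createCRLIdentifierType();
            crlRef.setCRLIdentifier(crlIdentifier);
            crlIdentifier.setIssuer(crl.getIssuerX500Principal().getName());

            // new GregorianCalendar() rather than Calendar.getInstance(): getInstance() returns a
            // locale-dependent Calendar subclass (e.g. a Japanese imperial or Buddhist calendar),
            // and the previous cast to GregorianCalendar then threw ClassCastException.
            GregorianCalendar cal = new GregorianCalendar();
            cal.setTime(crl.getThisUpdate());
            crlIdentifier.setIssueTime(this.datatypeFactory.newXMLGregorianCalendar(cal));

            // CRL number is not emitted yet:
            // crlIdentifier.setNumber(getCrlNumber(encodedCrl));

            // the digest only identifies the referenced CRL; SHA-1 is the algorithm this
            // profile currently uses for that purpose
            DigestAlgAndValueType digestAlgAndValue = getDigestAlgAndValue(crl.getEncoded(),
                    DigestAlgorithm.SHA1);
            crlRef.setDigestAlgAndValue(digestAlgAndValue);

            crlRefList.add(crlRef);
        } catch (CRLException ex) {
            throw new RuntimeException(ex);
        }
    }
}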

From source file:eu.europa.ec.markt.dss.signature.cades.CAdESProfileC.java

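/**
 * Creates a CAdES {@code CrlValidatedID} referencing {@code crl}: a SHA-1 hash of the
 * DER-encoded CRL plus a {@code CrlIdentifier} made of the CRL issuer name, its thisUpdate
 * time and, when the CRL carries the CRL Number extension (OID 2.5.29.20), that number.
 *
 * @param crl the CRL to reference
 * @return the validated-ID structure for the CRL
 * @throws NoSuchAlgorithmException if SHA-1 is not available
 * @throws CRLException if the CRL cannot be DER-encoded
 */
private CrlValidatedID makeCrlValidatedID(X509CRL crl) throws NoSuchAlgorithmException, CRLException {
    // "SHA-1" is the same algorithm the former X509ObjectIdentifiers.id_SHA1 lookup selected;
    // the JDK providers resolve it, so no BouncyCastleProvider has to be instantiated per call.
    MessageDigest sha1digest = MessageDigest.getInstance("SHA-1");
    OtherHash hash = new OtherHash(sha1digest.digest(crl.getEncoded()));

    X500Name issuer = new X500Name(crl.getIssuerX500Principal().getName());
    DERUTCTime thisUpdate = new DERUTCTime(crl.getThisUpdate());

    // 2.5.29.20 = id-ce-cRLNumber; looked up once instead of twice
    byte[] crlNumberExtension = crl.getExtensionValue("2.5.29.20");

    CrlIdentifier crlid;
    if (crlNumberExtension != null) {
        // NOTE(review): X509CRL.getExtensionValue() returns the DER-encoded OCTET STRING that
        // wraps the extension value, not the INTEGER inside it; passing those bytes straight to
        // DERInteger looks like it yields a wrong CRL number. Kept as in the original because the
        // correct unwrap call depends on the BouncyCastle version in use -- confirm with a CRL
        // whose number is known.
        BigInteger crlnumber = new DERInteger(crlNumberExtension).getPositiveValue();
        crlid = new CrlIdentifier(issuer, thisUpdate, crlnumber);
    } else {
        crlid = new CrlIdentifier(issuer, thisUpdate);
    }

    return new CrlValidatedID(hash, crlid);
}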

From source file:be.fedict.trust.service.bean.DownloaderMDB.java

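/**
 * Handles a cold-start message by bootstrapping its CA into the cache: downloads the CA
 * certificate and CRL named in the message, parses both (DER, then PEM fallback for the
 * certificate), checks that the CRL signature verifies with the CA's public key, skips
 * expired or already-cached CAs, attaches the new CA to the parent CA's trust point and
 * notifies the harvester with the CRL file path. Temporary files are deleted on every
 * early-exit path; on success the CRL file is left in place for the harvester.
 *
 * @param coldStartMessage the message to process; ignored when {@code null}
 */
private void processColdStartMessage(ColdStartMessage coldStartMessage) {
    if (null == coldStartMessage) {
        return;
    }

    String crlUrl = coldStartMessage.getCrlUrl();
    String certUrl = coldStartMessage.getCertUrl();
    LOG.debug("cold start CRL URL: " + crlUrl);
    LOG.debug("cold start CA URL: " + certUrl);

    File crlFile = download(crlUrl);
    File certFile = download(certUrl);

    // parsing
    CertificateFactory certificateFactory;
    try {
        certificateFactory = CertificateFactory.getInstance("X.509");
    } catch (CertificateException e) {
        LOG.debug("certificate factory error: " + e.getMessage(), e);
        crlFile.delete();
        certFile.delete();
        return;
    }

    X509Certificate certificate = null;
    try {
        // closed in finally: the original left the stream open after a parse failure
        FileInputStream certIn = new FileInputStream(certFile);
        try {
            certificate = (X509Certificate) certificateFactory.generateCertificate(certIn);
        } finally {
            certIn.close();
        }
    } catch (Exception e) {
        LOG.debug("error DER-parsing certificate");
        try {
            PEMReader pemReader = new PEMReader(new FileReader(certFile));
            try {
                certificate = (X509Certificate) pemReader.readObject();
            } finally {
                pemReader.close();
            }
        } catch (Exception e2) {
            // the DER failure (e) is what gets reported, as before; e2 is the PEM failure
            retry("error PEM-parsing certificate", e, certFile, crlFile);
        }
    }
    certFile.delete();

    X509CRL crl = null;
    try {
        FileInputStream crlIn = new FileInputStream(crlFile);
        try {
            crl = (X509CRL) certificateFactory.generateCRL(crlIn);
        } finally {
            crlIn.close();
        }
    } catch (Exception e) {
        retry("error parsing CRL", e, crlFile);
    }

    // retry() is defined elsewhere; if it returns instead of throwing, the parsed objects are
    // still null and the original code dereferenced them below.
    if (null == certificate || null == crl) {
        LOG.error("certificate or CRL unavailable after parsing");
        crlFile.delete();
        return;
    }

    // first check whether the two correspond. verify() only proves the CRL was signed with the
    // key in this certificate; it does not establish that the certificate itself is trusted.
    try {
        crl.verify(certificate.getPublicKey());
    } catch (Exception e) {
        LOG.error("no correspondence between CRL and CA");
        LOG.error("CRL issuer: " + crl.getIssuerX500Principal());
        LOG.debug("CA subject: " + certificate.getSubjectX500Principal());
        crlFile.delete();
        return;
    }
    LOG.debug("CRL matches CA: " + certificate.getSubjectX500Principal());

    // skip expired CAs
    Date now = new Date();
    Date notAfter = certificate.getNotAfter();
    if (now.after(notAfter)) {
        LOG.warn("CA already expired: " + certificate.getSubjectX500Principal());
        crlFile.delete();
        return;
    }

    // create database entitities
    CertificateAuthorityEntity certificateAuthority = this.certificateAuthorityDAO
            .findCertificateAuthority(certificate);
    if (null != certificateAuthority) {
        LOG.debug("CA already in cache: " + certificate.getSubjectX500Principal());
        crlFile.delete();
        return;
    }

    /*
     * Lookup Root CA's trust point via parent certificates' CA entity. The parent is looked
     * up by issuer name only (no issuer serial number is available here).
     */
    LOG.debug(
            "Lookup Root CA's trust point via parent certificates' CA entity - Don't have Issuer's Serial Number??");
    String parentIssuerName = certificate.getIssuerX500Principal().toString();
    CertificateAuthorityEntity parentCertificateAuthority = this.certificateAuthorityDAO
            .findCertificateAuthority(parentIssuerName);
    if (null == parentCertificateAuthority) {
        LOG.error("CA not found for " + parentIssuerName + " ?!");
        crlFile.delete();
        return;
    }
    LOG.debug("parent CA: " + parentCertificateAuthority.getName());
    TrustPointEntity parentTrustPoint = parentCertificateAuthority.getTrustPoint();
    if (null != parentTrustPoint) {
        LOG.debug("trust point parent: " + parentTrustPoint.getName());
        LOG.debug("previous trust point fire data: " + parentTrustPoint.getFireDate());
    } else {
        LOG.debug("no parent trust point");
    }

    // create new CA
    certificateAuthority = this.certificateAuthorityDAO.addCertificateAuthority(certificate, crlUrl);

    // prepare harvesting: the new CA inherits the parent's trust point; the timer is only
    // started for a trust point that has not fired yet
    certificateAuthority.setTrustPoint(parentTrustPoint);
    certificateAuthority.setStatus(Status.PROCESSING);
    if (null != certificateAuthority.getTrustPoint()
            && null == certificateAuthority.getTrustPoint().getFireDate()) {
        try {
            this.schedulingService.startTimer(certificateAuthority.getTrustPoint());
        } catch (InvalidCronExpressionException e) {
            LOG.error("invalid cron expression");
            crlFile.delete();
            return;
        }
    }

    // notify harvester
    String crlFilePath = crlFile.getAbsolutePath();
    try {
        this.notificationService.notifyHarvester(certificate.getSubjectX500Principal().toString(), crlFilePath,
                false);
    } catch (JMSException e) {
        crlFile.delete();
        throw new RuntimeException(e);
    }
}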

From source file:eu.europa.ec.markt.dss.validation.SignedDocumentValidator.java

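/**
 * For level -XL, every X509CRL contained in the ValidationContext must be present in the
 * signature's RevocationValues, either as the CRL itself or as a CRLRef that matches it.
 *
 * @param ctx            the validation context listing the CRLs that are needed
 * @param crlValuesOrRef the X509CRL values and/or CRLRef references taken from the signature
 * @return {@code true} if every needed CRL has a value or a matching reference, {@code false}
 *         at the first needed CRL for which none is found
 */
protected boolean everyCRLValueOrRefAreThere(ValidationContext ctx, List<?> crlValuesOrRef) {
    for (X509CRL crl : ctx.getNeededCRL()) {
        LOG.info("Looking for CRL ref issued by " + crl.getIssuerX500Principal());

        boolean found = isCrlValueOrRefPresent(crl, crlValuesOrRef);

        LOG.info("Ref " + (found ? " found" : " not found"));
        if (!found) {
            return false;
        }
    }
    return true;
}

/** Returns {@code true} if {@code crlValuesOrRef} holds {@code crl} itself or a CRLRef matching it. */
private static boolean isCrlValueOrRefPresent(X509CRL crl, List<?> crlValuesOrRef) {
    for (Object valueOrRef : crlValuesOrRef) {
        if (valueOrRef instanceof X509CRL && valueOrRef.equals(crl)) {
            return true;
        }
        if (valueOrRef instanceof CRLRef && ((CRLRef) valueOrRef).match(crl)) {
            return true;
        }
    }
    return false;
}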

From source file:mitm.common.security.crl.PKIXRevocationChecker.java

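/**
 * RFC 5280 section 6.3.3 step (b): decides whether {@code crl} is a complete CRL usable for
 * {@code targetCertificate}. The CRL must not be a delta CRL and its issuer must equal the
 * certificate's issuer. If the CRL carries an IssuingDistributionPoint (IDP) extension, the
 * IDP's distribution point name is compared with the certificate's CRL distribution points and
 * the IDP's onlyContains* flags are checked against the certificate's basicConstraints.
 *
 * @param targetCertificate the certificate whose revocation status is being checked
 * @param crl               the candidate complete CRL
 * @return {@code true} if the CRL may be used for the certificate, {@code false} otherwise
 * @throws IOException if an extension cannot be decoded
 */
private boolean acceptCRL_6_3_3_b(X509Certificate targetCertificate, X509CRL crl) throws IOException {
    if (X509CRLInspector.isDeltaCRL(crl)) {
        /* CRL is not complete because it's a delta CRL */
        return false;
    }

    X500Principal issuer = targetCertificate.getIssuerX500Principal();

    if (!crl.getIssuerX500Principal().equals(issuer)) {
        logger.debug("CRL issuer and certificate issuer do not match.");
        return false;
    }

    IssuingDistributionPoint idp = X509CRLInspector.getIssuingDistributionPoint(crl);

    /* if there is no IssuingDistributionPoint there is always a match */
    if (idp == null) {
        return true;
    }

    DistributionPointName idpn = idp.getDistributionPoint();

    CRLDistPoint crlDistPoint = X509CertificateInspector.getCRLDistibutionPoints(targetCertificate);
    DistributionPoint[] dps = (crlDistPoint != null) ? crlDistPoint.getDistributionPoints() : null;

    boolean match;

    if (dps == null) {
        /* certificate has no CRL distribution points: only an IDP without a name matches */
        match = (idpn == null);
    } else {
        match = false;

        for (DistributionPoint dp : dps) {
            if (dp == null) {
                logger.debug("Distributionpoint is null.");
                continue;
            }

            if (dp.getCRLIssuer() != null) {
                /* we do not support indirect CRLs */
                logger.debug("CRL issuer should only be used for indirect CRLs.");
                continue;
            }

            DistributionPointName dpn = dp.getDistributionPoint();

            if (idpn != null && dpn != null && hasMatchingName(idpn, dpn, issuer)) {
                match = true;
                break;
            }
        }

        /*
         * NOTE(review): when the IDP has no distributionPoint name but the certificate does have
         * CRL distribution points, no match is ever recorded here. RFC 5280 6.3.3 (b)(2)(i) only
         * requires the name comparison when both names are present, so this is stricter than the
         * RFC (it rejects rather than accepts) -- confirm it is intended.
         */
        if (!match) {
            logger.debug("The CRL did not contain matching DistributionPoint names.");
        }
    }

    BasicConstraints basicConstraints = X509CertificateInspector.getBasicConstraints(targetCertificate);

    /* if basicConstraints is null assume it's a user certificate */
    boolean isCA = basicConstraints != null && basicConstraints.isCA();

    if (idp.onlyContainsCACerts() && !isCA) {
        logger.debug("Certificate is a user certificate but CRL only contains CA certificate.");
        match = false;
    }

    if (idp.onlyContainsUserCerts() && isCA) {
        logger.debug("Certificate is a CA but CRL only contains user certificates.");
        match = false;
    }

    if (idp.onlyContainsAttributeCerts()) {
        logger.debug("Certificate only contains attribute certs.");
        match = false;
    }

    return match;
}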

From source file:mitm.common.security.crl.PKIXRevocationChecker.java

/**
 * Rejects CRLs that cannot apply to {@code targetCertificate} without further inspection:
 * indirect CRLs (flagged in the IssuingDistributionPoint extension) and CRLs whose issuer
 * differs from the certificate's issuer.
 *
 * @param targetCertificate the certificate being checked
 * @param crl               the candidate CRL
 * @return {@code false} if the CRL is indirect or issued by someone else, {@code true} otherwise
 * @throws IOException if the IssuingDistributionPoint extension cannot be decoded
 */
private boolean preFilter(X509Certificate targetCertificate, X509CRL crl) throws IOException {
    IssuingDistributionPoint idp = X509CRLInspector.getIssuingDistributionPoint(crl);

    boolean indirect = (idp != null) && idp.isIndirectCRL();

    if (indirect) {
        logger.debug("CRL is indirect.");
        return false;
    }

    boolean sameIssuer = crl.getIssuerX500Principal().equals(targetCertificate.getIssuerX500Principal());

    if (!sameIssuer) {
        logger.debug("CRL issuer and certificate issuer do not match.");
        return false;
    }

    return true;
}

From source file:eu.europa.esig.dss.xades.signature.XAdESLevelC.java

/**
 * Adds the {@code xades:CRLRefs} element under {@code completeRevocationRefsDom}, with one
 * {@code xades:CRLRef} per CRL token in {@code processedRevocationTokens}. Each reference holds
 * a digest of the encoded CRL (SHA-1 for now, see the TODO below) and a
 * {@code xades:CRLIdentifier} with the CRL issuer name and thisUpdate time. Nothing is added
 * when the set is empty or contains no CRL token.
 *
 * @param completeRevocationRefsDom parent element that receives the CRL references
 * @param processedRevocationTokens revocation tokens gathered during validation; non-CRL tokens are skipped
 * @throws DSSException propagated from the DOM helpers
 */
private void incorporateCRLRefs(Element completeRevocationRefsDom,
        final Set<RevocationToken> processedRevocationTokens) throws DSSException {

    if (processedRevocationTokens.isEmpty() || !containsCrlToken(processedRevocationTokens)) {
        return;
    }

    // Target structure (the CRLIdentifier URI attribute and xades:Number are not emitted yet):
    // <xades:CRLRefs>
    // ...<xades:CRLRef>
    // ......<xades:DigestAlgAndValue>
    // .........<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    // .........<ds:DigestValue>G+z+DaZ6X44wEOueVYvZGmTh4dBkjjctKxcJYEV4HmU=</ds:DigestValue>
    // ......</xades:DigestAlgAndValue>
    // ......<xades:CRLIdentifier URI="LevelACAOK.crl">
    // ...<xades:Issuer>CN=LevelACAOK,OU=Plugtests_STF-428_2011-2012,O=ETSI,C=FR</xades:Issuer>
    // ...<xades:IssueTime>2012-03-13T13:58:28.000-03:00</xades:IssueTime>
    // ...<xades:Number>4415260066222</xades:Number>

    final Element crlRefsDom = DSSXMLUtils.addElement(documentDom, completeRevocationRefsDom,
            XAdESNamespaces.XAdES, "xades:CRLRefs");

    for (final RevocationToken revocationToken : processedRevocationTokens) {
        if (!(revocationToken instanceof CRLToken)) {
            continue;
        }

        final X509CRL crl = ((CRLToken) revocationToken).getX509crl();

        final Element crlRefDom = DSSXMLUtils.addElement(documentDom, crlRefsDom, XAdESNamespaces.XAdES,
                "xades:CRLRef");

        // TODO: to be added as field to eu.europa.esig.dss.AbstractSignatureParameters.
        final DigestAlgorithm digestAlgorithm = DigestAlgorithm.SHA1;

        final Element digestAlgAndValueDom = DSSXMLUtils.addElement(documentDom, crlRefDom,
                XAdESNamespaces.XAdES, "xades:DigestAlgAndValue");
        incorporateDigestMethod(digestAlgAndValueDom, digestAlgorithm);
        incorporateDigestValue(digestAlgAndValueDom, digestAlgorithm,
                new InMemoryDocument(revocationToken.getEncoded()));

        final Element crlIdentifierDom = DSSXMLUtils.addElement(documentDom, crlRefDom,
                XAdESNamespaces.XAdES, "xades:CRLIdentifier");
        // crlIdentifierDom.setAttribute("URI",".crl");
        DSSXMLUtils.addTextElement(documentDom, crlIdentifierDom, XAdESNamespaces.XAdES, "xades:Issuer",
                crl.getIssuerX500Principal().getName());

        final XMLGregorianCalendar issueTime = DSSXMLUtils.createXMLGregorianCalendar(crl.getThisUpdate());
        DSSXMLUtils.addTextElement(documentDom, crlIdentifierDom, XAdESNamespaces.XAdES, "xades:IssueTime",
                issueTime.toXMLFormat());

        // DSSXMLUtils.addTextElement(documentDom, crlRefDom, XAdESNamespaces.XAdES, "xades:Number", ???);
    }
}

/** Returns {@code true} if at least one token in {@code tokens} is a {@link CRLToken}. */
private static boolean containsCrlToken(final Set<RevocationToken> tokens) {
    for (final RevocationToken token : tokens) {
        if (token instanceof CRLToken) {
            return true;
        }
    }
    return false;
}