List of usage examples for java.security.cert X509CRLSelector addIssuer
public void addIssuer(X500Principal issuer)
From source file:mitm.common.security.crl.CRLLocator.java
public List<X509CRL> findCRLs(X509Certificate issuer) throws NoSuchProviderException { List<X509CRL> crls = new LinkedList<X509CRL>(); X509CRLSelector crlSelector = new X509CRLSelector(); crlSelector.addIssuer(issuer.getSubjectX500Principal()); /* //www. j a v a 2 s . co m * step through all the stores and get all the relevant CRLs from the stores */ for (BasicCRLStore store : crlStores) { try { CloseableIterator<? extends CRL> crlIterator = store.getCRLIterator(crlSelector); try { while (crlIterator.hasNext()) { CRL crl = crlIterator.next(); if (!(crl instanceof X509CRL)) { logger.warn("Only X509CRLs are supported. Skipping this CRL."); continue; } X509CRL x509CRL = (X509CRL) crl; if (acceptCRL(issuer, x509CRL)) { crls.add(x509CRL); } } } finally { crlIterator.close(); } } catch (CRLStoreException e) { /* * log and continue search * */ logger.error("Error getting CRLs. Skipping this store.", e); continue; } catch (CloseableIteratorException e) { /* * log and continue search */ logger.error("Error stepping through the CRL store. Skipping this store.", e); continue; } } return crls; }
From source file:mitm.common.security.crl.PKIXRevocationChecker.java
private DeltaCRLStatus getDeltaCRLStatus(X509Certificate targetCertificate, X509CRL deltaCRL, PublicKey issuerPublicKey, Date now) throws NoSuchProviderException { DeltaCRLStatus status = DeltaCRLStatus.UNKNOWN; BigInteger baseCRLNumber;/*from w w w. j ava 2s.co m*/ try { baseCRLNumber = X509CRLInspector.getDeltaIndicator(deltaCRL); } catch (IOException e) { logger.error("Error getting base CRL number", e); return DeltaCRLStatus.UNKNOWN; } X509CRLSelector crlSelector = new X509CRLSelector(); /* We need to find a valid base CRL with the same issuer as the delta CRL */ crlSelector.addIssuer(deltaCRL.getIssuerX500Principal()); /* * we need to find a baseCRL with at least a CRL number specified by the DeltaCRLIndicator in * the delta CRL */ crlSelector.setMinCRLNumber(baseCRLNumber); BigInteger deltaCRLNumber = null; try { deltaCRLNumber = X509CRLInspector.getCRLNumber(deltaCRL); } catch (IOException e) { logger.error("Error getting CRLNumber extension from the delta CRL.", e); } if (deltaCRLNumber != null) { /* * the base CRL we need to find should have a CRL number less than the delta CRL * otherwise it cannot be a base for this delta CRL */ crlSelector.setMaxCRLNumber(deltaCRLNumber.subtract(BigInteger.valueOf(1))); List<X509CRL> crls = findCRLs(targetCertificate, crlSelector, issuerPublicKey, now); for (X509CRL baseCRL : crls) { try { if (checkDeltaCRL_6_3_3_b(targetCertificate, deltaCRL, baseCRL)) { status = DeltaCRLStatus.OK; break; } } catch (IOException e) { logger.error("Error executing checkDeltaCRL_6_3_3_b.", e); continue; } if (hasUnsupportedCriticalExtensions(baseCRL)) { logger.warn("The base CRL has unsupported critical extensions."); status = DeltaCRLStatus.UNSUPPORTED_CRITICAL_EXTENSION; continue; } } } return status; }
From source file:mitm.common.security.crl.PKIXRevocationChecker.java
@Override public RevocationResult getRevocationStatus(CertPath certPath, TrustAnchor trustAnchor, Date now) throws CRLException { Check.notNull(certPath, "certPath"); Check.notNull(trustAnchor, "trustAnchor"); List<? extends Certificate> certificates = certPath.getCertificates(); RevocationResult revocationResult = new RevocationResultImpl(certificates.size()); /* /* www . jav a 2 s . c o m*/ * Step through all the certificates in the path and check the revocation status of all * the certificates in the path. */ for (int i = 0; i < certificates.size(); i++) { X509Certificate certificate = toX509Certificate(certificates.get(i)); PublicKey issuerPublicKey; X500Principal issuer; X509Certificate issuerCertificate; /* * we need to get the issuer of the current certificate * check if there is a next certificate in the path or that we must use the TrustAnchor */ if ((i + 1) == certificates.size()) { /* this was the last entry from the path so we must use the trust anchor */ if (trustAnchor.getTrustedCert() != null) { issuerCertificate = toX509Certificate(trustAnchor.getTrustedCert()); issuerPublicKey = issuerCertificate.getPublicKey(); issuer = issuerCertificate.getSubjectX500Principal(); } else { /* the TrustAnchor does not contain a certificate but only an issuer and public key */ issuerCertificate = null; issuerPublicKey = trustAnchor.getCAPublicKey(); issuer = trustAnchor.getCA(); } } else { /* get next entry from path ie. the issuer of the current certificate */ issuerCertificate = toX509Certificate(certificates.get(i + 1)); issuerPublicKey = issuerCertificate.getPublicKey(); issuer = issuerCertificate.getSubjectX500Principal(); } /* * sanity check to make sure the CertPath is ordered from end -> final CA * ie that the next certificate signed the previous certificate */ verifyCertificate(certificate, issuerPublicKey); /* * Sanity check. The issuer principal field of the certificate currently checked should * normally be equal to the issuer principal. */ if (!certificate.getIssuerX500Principal().equals(issuer)) { logger.warn("Certificate issuer field is not equal to issuer."); } if (issuerCertificate != null) { Set<KeyUsageType> keyUsage = X509CertificateInspector.getKeyUsage(issuerCertificate); /* * check if issuer is allowed to issue CRLs (only when we have an issuerCertificate, and * a key usage extension) */ if (keyUsage != null && !keyUsage.contains(KeyUsageType.CRLSIGN)) { logger.debug("Issuer is not allowed to issue CRLs."); /* * We will return UNKNOWN status. */ RevocationDetailImpl detail = new RevocationDetailImpl(RevocationStatus.UNKNOWN); revocationResult.getDetails()[i] = detail; /* there is no need to continue because issuer is not allowed to issue CRLs */ break; } } X509CRLSelector crlSelector = new X509CRLSelector(); /* create a selector to find all relevant CRLs that were issued to the same issuer as the certificate */ crlSelector.addIssuer(issuer); try { List<X509CRL> crls = findCRLs(certificate, crlSelector, issuerPublicKey, now); RevocationDetail detail = getRevocationDetail(crls, certificate, issuerCertificate, issuerPublicKey, now); revocationResult.getDetails()[i] = detail; if (detail.getStatus() == RevocationStatus.REVOKED) { logger.warn("Certificate is revoked."); if (logger.isDebugEnabled()) { logger.debug("Revoked certificate: " + certificate); } /* there is no need to continue because the CRL is revoked */ break; } } catch (NoSuchProviderException e) { throw new NoSuchProviderRuntimeException(e); } } if (logger.isDebugEnabled()) { logger.debug("Revocation status for CertPath " + certPath + " and TrustAnchor " + trustAnchor + " is " + revocationResult); } return revocationResult; }