Java tutorial
package org.bouncycastle.x509; import java.io.IOException; import java.math.BigInteger; import java.security.GeneralSecurityException; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.PrivateKey; import java.security.SecureRandom; import java.security.SignatureException; import java.security.cert.CRLException; import java.security.cert.X509CRL; import java.security.cert.X509CRLEntry; import java.util.Date; import java.util.Iterator; import java.util.Set; import javax.security.auth.x500.X500Principal; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1GeneralizedTime; import org.bouncycastle.asn1.ASN1InputStream; import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1Sequence; import org.bouncycastle.asn1.DERBitString; import org.bouncycastle.asn1.DERSequence; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x509.CertificateList; import org.bouncycastle.asn1.x509.Extensions; import org.bouncycastle.asn1.x509.TBSCertList; import org.bouncycastle.asn1.x509.Time; import org.bouncycastle.asn1.x509.V2TBSCertListGenerator; import org.bouncycastle.asn1.x509.X509Extensions; import org.bouncycastle.asn1.x509.X509ExtensionsGenerator; import org.bouncycastle.asn1.x509.X509Name; import org.bouncycastle.jcajce.util.BCJcaJceHelper; import org.bouncycastle.jcajce.util.JcaJceHelper; import org.bouncycastle.jce.X509Principal; import org.bouncycastle.jce.provider.X509CRLObject; /** * class to produce an X.509 Version 2 CRL. * @deprecated use org.bouncycastle.cert.X509v2CRLBuilder. */ public class X509V2CRLGenerator { private final JcaJceHelper bcHelper = new BCJcaJceHelper(); // needed to force provider loading private V2TBSCertListGenerator tbsGen; private ASN1ObjectIdentifier sigOID; private AlgorithmIdentifier sigAlgId; private String signatureAlgorithm; private X509ExtensionsGenerator extGenerator; public X509V2CRLGenerator() { tbsGen = new V2TBSCertListGenerator(); extGenerator = new X509ExtensionsGenerator(); } /** * reset the generator */ public void reset() { tbsGen = new V2TBSCertListGenerator(); extGenerator.reset(); } /** * Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the * certificate. */ public void setIssuerDN(X500Principal issuer) { try { tbsGen.setIssuer(new X509Principal(issuer.getEncoded())); } catch (IOException e) { throw new IllegalArgumentException("can't process principal: " + e); } } /** * Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the * certificate. */ public void setIssuerDN(X509Name issuer) { tbsGen.setIssuer(issuer); } public void setThisUpdate(Date date) { tbsGen.setThisUpdate(new Time(date)); } public void setNextUpdate(Date date) { tbsGen.setNextUpdate(new Time(date)); } /** * Reason being as indicated by CRLReason, i.e. CRLReason.keyCompromise * or 0 if CRLReason is not to be used **/ public void addCRLEntry(BigInteger userCertificate, Date revocationDate, int reason) { tbsGen.addCRLEntry(new ASN1Integer(userCertificate), new Time(revocationDate), reason); } /** * Add a CRL entry with an Invalidity Date extension as well as a CRLReason extension. * Reason being as indicated by CRLReason, i.e. CRLReason.keyCompromise * or 0 if CRLReason is not to be used **/ public void addCRLEntry(BigInteger userCertificate, Date revocationDate, int reason, Date invalidityDate) { tbsGen.addCRLEntry(new ASN1Integer(userCertificate), new Time(revocationDate), reason, new ASN1GeneralizedTime(invalidityDate)); } /** * Add a CRL entry with extensions. **/ public void addCRLEntry(BigInteger userCertificate, Date revocationDate, X509Extensions extensions) { tbsGen.addCRLEntry(new ASN1Integer(userCertificate), new Time(revocationDate), Extensions.getInstance(extensions)); } /** * Add the CRLEntry objects contained in a previous CRL. * * @param other the X509CRL to source the other entries from. */ public void addCRL(X509CRL other) throws CRLException { Set revocations = other.getRevokedCertificates(); if (revocations != null) { Iterator it = revocations.iterator(); while (it.hasNext()) { X509CRLEntry entry = (X509CRLEntry) it.next(); ASN1InputStream aIn = new ASN1InputStream(entry.getEncoded()); try { tbsGen.addCRLEntry(ASN1Sequence.getInstance(aIn.readObject())); } catch (IOException e) { throw new CRLException("exception processing encoding of CRL: " + e.toString()); } } } } /** * Set the signature algorithm. This can be either a name or an OID, names * are treated as case insensitive. * * @param signatureAlgorithm string representation of the algorithm name. */ public void setSignatureAlgorithm(String signatureAlgorithm) { this.signatureAlgorithm = signatureAlgorithm; try { sigOID = X509Util.getAlgorithmOID(signatureAlgorithm); } catch (Exception e) { throw new IllegalArgumentException("Unknown signature type requested"); } sigAlgId = X509Util.getSigAlgID(sigOID, signatureAlgorithm); tbsGen.setSignature(sigAlgId); } /** * add a given extension field for the standard extensions tag (tag 0) */ public void addExtension(String oid, boolean critical, ASN1Encodable value) { this.addExtension(new ASN1ObjectIdentifier(oid), critical, value); } /** * add a given extension field for the standard extensions tag (tag 0) */ public void addExtension(ASN1ObjectIdentifier oid, boolean critical, ASN1Encodable value) { extGenerator.addExtension(new ASN1ObjectIdentifier(oid.getId()), critical, value); } /** * add a given extension field for the standard extensions tag (tag 0) */ public void addExtension(String oid, boolean critical, byte[] value) { this.addExtension(new ASN1ObjectIdentifier(oid), critical, value); } /** * add a given extension field for the standard extensions tag (tag 0) */ public void addExtension(ASN1ObjectIdentifier oid, boolean critical, byte[] value) { extGenerator.addExtension(new ASN1ObjectIdentifier(oid.getId()), critical, value); } /** * generate an X509 CRL, based on the current issuer and subject * using the default provider "BC". * @deprecated use generate(key, "BC") */ public X509CRL generateX509CRL(PrivateKey key) throws SecurityException, SignatureException, InvalidKeyException { try { return generateX509CRL(key, "BC", null); } catch (NoSuchProviderException e) { throw new SecurityException("BC provider not installed!"); } } /** * generate an X509 CRL, based on the current issuer and subject * using the default provider "BC" and an user defined SecureRandom object as * source of randomness. * @deprecated use generate(key, random, "BC") */ public X509CRL generateX509CRL(PrivateKey key, SecureRandom random) throws SecurityException, SignatureException, InvalidKeyException { try { return generateX509CRL(key, "BC", random); } catch (NoSuchProviderException e) { throw new SecurityException("BC provider not installed!"); } } /** * generate an X509 certificate, based on the current issuer and subject * using the passed in provider for the signing. * @deprecated use generate() */ public X509CRL generateX509CRL(PrivateKey key, String provider) throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException { return generateX509CRL(key, provider, null); } /** * generate an X509 CRL, based on the current issuer and subject, * using the passed in provider for the signing. * @deprecated use generate() */ public X509CRL generateX509CRL(PrivateKey key, String provider, SecureRandom random) throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException { try { return generate(key, provider, random); } catch (NoSuchProviderException e) { throw e; } catch (SignatureException e) { throw e; } catch (InvalidKeyException e) { throw e; } catch (GeneralSecurityException e) { throw new SecurityException("exception: " + e); } } /** * generate an X509 CRL, based on the current issuer and subject * using the default provider. * <p> * <b>Note:</b> this differs from the deprecated method in that the default provider is * used - not "BC". * </p> */ public X509CRL generate(PrivateKey key) throws CRLException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { return generate(key, (SecureRandom) null); } /** * generate an X509 CRL, based on the current issuer and subject * using the default provider and an user defined SecureRandom object as * source of randomness. * <p> * <b>Note:</b> this differs from the deprecated method in that the default provider is * used - not "BC". * </p> */ public X509CRL generate(PrivateKey key, SecureRandom random) throws CRLException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { TBSCertList tbsCrl = generateCertList(); byte[] signature; try { signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, key, random, tbsCrl); } catch (IOException e) { throw new ExtCRLException("cannot generate CRL encoding", e); } return generateJcaObject(tbsCrl, signature); } /** * generate an X509 certificate, based on the current issuer and subject * using the passed in provider for the signing. */ public X509CRL generate(PrivateKey key, String provider) throws CRLException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { return generate(key, provider, null); } /** * generate an X509 CRL, based on the current issuer and subject, * using the passed in provider for the signing. */ public X509CRL generate(PrivateKey key, String provider, SecureRandom random) throws CRLException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { TBSCertList tbsCrl = generateCertList(); byte[] signature; try { signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, provider, key, random, tbsCrl); } catch (IOException e) { throw new ExtCRLException("cannot generate CRL encoding", e); } return generateJcaObject(tbsCrl, signature); } private TBSCertList generateCertList() { if (!extGenerator.isEmpty()) { tbsGen.setExtensions(extGenerator.generate()); } return tbsGen.generateTBSCertList(); } private X509CRL generateJcaObject(TBSCertList tbsCrl, byte[] signature) throws CRLException { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(tbsCrl); v.add(sigAlgId); v.add(new DERBitString(signature)); return new X509CRLObject(new CertificateList(new DERSequence(v))); } /** * Return an iterator of the signature names supported by the generator. * * @return an iterator containing recognised names. */ public Iterator getSignatureAlgNames() { return X509Util.getAlgNames(); } private static class ExtCRLException extends CRLException { Throwable cause; ExtCRLException(String message, Throwable cause) { super(message); this.cause = cause; } public Throwable getCause() { return cause; } } }