private void checkCRL(X509Certificate[] chain) throws CertificateException { String crl = option.getCrl(); crl = custom.getFullPath(crl); File file = new File(crl); if (!file.exists()) { return; } CRL[] crls = KeyStoreUtil.createCRL(crl); X509Certificate owner = CertificateUtil.findOwner(chain); for (CRL c : crls) { if (c.isRevoked(owner)) { LOG.error("certificate revoked"); throw new CertificateException("certificate revoked"); } } }
private CRL readDERCRL( InputStream in) throws IOException, CRLException { ASN1InputStream dIn = new ASN1InputStream(in); ASN1Sequence seq = (ASN1Sequence)dIn.readObject(); if (seq.size() > 1 && seq.getObjectAt(0) instanceof DERObjectIdentifier) { if (seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) { sData = new SignedData(ASN1Sequence.getInstance( (ASN1TaggedObject)seq.getObjectAt(1), true)).getCRLs(); return getCRL(); } } return new X509CRLObject(CertificateList.getInstance(seq)); }
private CRL readDERCRL( ASN1InputStream aIn) throws IOException, CRLException { ASN1Sequence seq = (ASN1Sequence)aIn.readObject(); if (seq.size() > 1 && seq.getObjectAt(0) instanceof ASN1ObjectIdentifier) { if (seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) { sCrlData = SignedData.getInstance(ASN1Sequence.getInstance( (ASN1TaggedObject)seq.getObjectAt(1), true)).getCRLs(); return getCRL(); } } return createCRL( CertificateList.getInstance(seq)); }
/** * Determine whether there are any CRL's in the {@link CertStore} that is to be used. * * @param certStore the cert store that will be used for validation * @return true if the store contains at least 1 CRL instance, false otherwise */ protected boolean storeContainsCRLs(CertStore certStore) { Collection<? extends CRL> crls = null; try { //Save some cycles and memory: Collection cert store allows null as specifier to return all. //crls = certStore.getCRLs( new X509CRLSelector() ); crls = certStore.getCRLs(null); } catch (CertStoreException e) { log.error("Error examining cert store for CRL's, treating as if no CRL's present", e); return false; } if (crls != null && !crls.isEmpty()) { return true; } return false; }
private static String verifyCRL(KeyStore ks, CRL crl) throws Exception { X509CRLImpl xcrl = (X509CRLImpl)crl; X500Principal issuer = xcrl.getIssuerX500Principal(); for (String s: e2i(ks.aliases())) { Certificate cert = ks.getCertificate(s); if (cert instanceof X509Certificate) { X509Certificate xcert = (X509Certificate)cert; if (xcert.getSubjectX500Principal().equals(issuer)) { try { ((X509CRLImpl)crl).verify(cert.getPublicKey()); return s; } catch (Exception e) { } } } } return null; }
private void printCRL(CRL crl, PrintStream out) throws Exception { X509CRL xcrl = (X509CRL)crl; if (rfc) { out.println("-----BEGIN X509 CRL-----"); out.println(Base64.getMimeEncoder(64, CRLF).encodeToString(xcrl.getEncoded())); out.println("-----END X509 CRL-----"); } else { String s; if (crl instanceof X509CRLImpl) { X509CRLImpl x509crl = (X509CRLImpl) crl; s = x509crl.toStringWithAlgName(withWeak("" + x509crl.getSigAlgId())); } else { s = crl.toString(); } out.println(s); } }
/** * Return the initialization parameters for the TrustManager. Currently, * only the default <code>PKIX</code> is supported. * * @param algorithm * The algorithm to get parameters for. * @param crlf * The path to the CRL file. * @param trustStore * The configured TrustStore. * @return The parameters including the CRLs and TrustStore. */ protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception { CertPathParameters params = null; if ("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection<? extends CRL> crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = endpoint.getTrustMaxCertLength(); if (trustLength != null) { try { xparams.setMaxPathLength(Integer.parseInt(trustLength)); } catch (Exception ex) { log.warn("Bad maxCertLength: " + trustLength); } } params = xparams; } else { throw new CRLException("CRLs not supported for type: " + algorithm); } return params; }
/** * Load the collection of CRLs. * */ protected Collection<? extends CRL> getCRLs(String crlf) throws IOException, CRLException, CertificateException { Collection<? extends CRL> crls = null; InputStream is = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); is = ConfigFileLoader.getInputStream(crlf); crls = cf.generateCRLs(is); } catch (IOException iex) { throw iex; } catch (CRLException crle) { throw crle; } catch (CertificateException ce) { throw ce; } finally { if (is != null) { try { is.close(); } catch (Exception ex) { // Ignore } } } return crls; }
/** * Sets the crypto information to sign. * @param privKey the private key * @param certChain the certificate chain * @param crlList the certificate revocation list. It can be <CODE>null</CODE> */ public void setSignInfo(PrivateKey privKey, Certificate[] certChain, CRL[] crlList) { try { pkcs = new PdfPKCS7(privKey, certChain, crlList, hashAlgorithm, provider, PdfName.ADBE_PKCS7_SHA1.equals(get(PdfName.SUBFILTER))); pkcs.setExternalDigest(externalDigest, externalRSAdata, digestEncryptionAlgorithm); if (PdfName.ADBE_X509_RSA_SHA1.equals(get(PdfName.SUBFILTER))) { ByteArrayOutputStream bout = new ByteArrayOutputStream(); for (int k = 0; k < certChain.length; ++k) { bout.write(certChain[k].getEncoded()); } bout.close(); setCert(bout.toByteArray()); setContents(pkcs.getEncodedPKCS1()); } else setContents(pkcs.getEncodedPKCS7()); name = PdfPKCS7.getSubjectFields(pkcs.getSigningCertificate()).getField("CN"); if (name != null) put(PdfName.NAME, new PdfString(name, PdfObject.TEXT_UNICODE)); pkcs = new PdfPKCS7(privKey, certChain, crlList, hashAlgorithm, provider, PdfName.ADBE_PKCS7_SHA1.equals(get(PdfName.SUBFILTER))); pkcs.setExternalDigest(externalDigest, externalRSAdata, digestEncryptionAlgorithm); } catch (Exception e) { throw new ExceptionConverter(e); } }
/** * Verifies a single certificate. * @param cert the certificate to verify * @param crls the certificate revocation list or <CODE>null</CODE> * @param calendar the date or <CODE>null</CODE> for the current date * @return a <CODE>String</CODE> with the error description or <CODE>null</CODE> * if no error */ public static String verifyCertificate(X509Certificate cert, Collection crls, Calendar calendar) { if (calendar == null) calendar = new GregorianCalendar(); if (cert.hasUnsupportedCriticalExtension()) return "Has unsupported critical extension"; try { cert.checkValidity(calendar.getTime()); } catch (Exception e) { return e.getMessage(); } if (crls != null) { for (Iterator it = crls.iterator(); it.hasNext();) { if (((CRL)it.next()).isRevoked(cert)) return "Certificate revoked"; } } return null; }
/** * Loads certificate revocation list (CRL) from a file. * * Required for integrations to be able to override the mechanism used to * load CRL in order to provide their own implementation. * * @param crlPath path of certificate revocation list file * @return Collection of CRL's * @throws Exception */ protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception { Collection<? extends CRL> crlList = null; if (crlPath != null) { InputStream in = null; try { in = new FileInputStream(crlPath); //assume it's a file crlList = CertificateFactory.getInstance("X.509").generateCRLs(in); } finally { if (in != null) { in.close(); } } } return crlList; }
public static Collection<? extends CRL> loadCRL(String crlPath) throws Exception { Collection<? extends CRL> crlList = null; if (crlPath != null) { InputStream in = null; try { in = Resource.newResource(crlPath).getInputStream(); crlList = CertificateFactory.getInstance("X.509").generateCRLs(in); } finally { if (in != null) { in.close(); } } } return crlList; }
private CRL readDERCRL( InputStream in) throws IOException, CRLException { ASN1InputStream dIn = new ASN1InputStream(in); ASN1Sequence seq = (ASN1Sequence)dIn.readObject(); if (seq.size() > 1 && seq.getObjectAt(0) instanceof ASN1ObjectIdentifier) { if (seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) { sData = new SignedData(ASN1Sequence.getInstance( (ASN1TaggedObject)seq.getObjectAt(1), true)).getCRLs(); return getCRL(); } } return new X509CRLObject(CertificateList.getInstance(seq)); }
public boolean match(CRL crl) { if (!(crl instanceof X509CRL)) return false; try { Principal p = ((X509CRL) crl).getIssuerDN(); X500DistinguishedName thisName = null; if (p instanceof X500DistinguishedName) thisName = (X500DistinguishedName) p; else if (p instanceof X500Principal) thisName = new X500DistinguishedName(((X500Principal) p).getEncoded()); else thisName = new X500DistinguishedName(p.getName()); for (Iterator it = issuerNames.iterator(); it.hasNext(); ) { X500DistinguishedName name = (X500DistinguishedName) it.next(); if (thisName.equals(name)) return true; } } catch (Exception x) { } return false; }
/** * @tests java.security.cert.CertificateFactory#generateCRLs(java.io.InputStream) */ @TestTargetNew( level = TestLevel.PARTIAL_COMPLETE, notes = "Verifies IOException.", method = "generateCRLs", args = {java.io.InputStream.class} ) public void test_generateCRLsLjava_io_InputStream() throws Exception { CertificateFactory fact = CertificateFactory.getInstance("X.509"); for (int i = 0; i < CRLCOLLECTION_URLS.length; i++) { URL certUrl = new URL(BASE_URL + CRLCOLLECTION_URLS[i]); try { InputStream is = certUrl.openStream(); Collection<? extends CRL> crls = fact.generateCRLs(is); assertTrue("The CRLs in \"" + certUrl.toExternalForm() + "\" were not parsed correctly", crls != null && crls.size() > 0); } catch (IOException e) { // the certificate could not be found, skip it } } }
/** * setMinCRLNumber(BigInteger minCRL) method testing. Tests if CRLs with any * crl number value match the selector in the case of null crlNumber * criteria, if specified minCRL value matches the selector, and if CRL with * inappropriate crlNumber value does not match the selector. */ @TestTargetNew( level = TestLevel.COMPLETE, notes = "", method = "setMinCRLNumber", args = {java.math.BigInteger.class} ) @AndroidOnly("Uses specific class: " + "org.apache.harmony.security.asn1.ASN1OctetString.") public void testSetMinCRLNumberLjava_math_BigInteger() { X509CRLSelector selector = new X509CRLSelector(); BigInteger minCRL = new BigInteger("10000"); CRL crl = new TestCRL(minCRL); selector.setMinCRLNumber(null); assertTrue("Any CRL should match in the case of null minCRLNumber.", selector.match(crl)); selector.setMinCRLNumber(minCRL); assertTrue("The CRL should match the selection criteria.", selector .match(crl)); selector.setMinCRLNumber(new BigInteger("10001")); assertFalse("The CRL should not match the selection criteria.", selector.match(crl)); }
/** * Returns CRLs described in a X509Certificate's CRLDistributionPoints * Extension. Only those containing a general name of type URI are read. */ public static List<CRL> readCRLsFromCert(X509Certificate cert) throws Exception { List<CRL> crls = new ArrayList<>(); CRLDistributionPointsExtension ext = X509CertImpl.toImpl(cert).getCRLDistributionPointsExtension(); if (ext == null) return crls; for (DistributionPoint o: (List<DistributionPoint>) ext.get(CRLDistributionPointsExtension.POINTS)) { GeneralNames names = o.getFullName(); if (names != null) { for (GeneralName name: names.names()) { if (name.getType() == GeneralNameInterface.NAME_URI) { URIName uriName = (URIName)name.getName(); for (CRL crl: KeyTool.loadCRLs(uriName.getName())) { if (crl instanceof X509CRL) { crls.add((X509CRL)crl); } } break; // Different name should point to same CRL } } } } return crls; }
private void doPrintCRL(String src, PrintStream out) throws Exception { for (CRL crl: loadCRLs(src)) { printCRL(crl, out); String issuer = null; if (caks != null) { issuer = verifyCRL(caks, crl); if (issuer != null) { System.out.println("Verified by " + issuer + " in cacerts"); } } if (issuer == null && keyStore != null) { issuer = verifyCRL(keyStore, crl); if (issuer != null) { System.out.println("Verified by " + issuer + " in keystore"); } } if (issuer == null) { out.println(rb.getString ("STAR")); out.println("WARNING: not verified. Make sure -keystore and -alias are correct."); out.println(rb.getString ("STARNN")); } } }
public static Collection<? extends CRL> getCRLs(final PKIXCRLStoreSelector selector, CertStore certStore) throws CertStoreException { return certStore.getCRLs(new CRLSelector() { public boolean match(CRL crl) { return selector.match(crl); } public Object clone() { return this; } }); }
