/** * Verifies that this CRL was signed using the * private key that corresponds to the given public key, * and that the signature verification was computed by * the given provider. Note that the specified Provider object * does not have to be registered in the provider list. * * @param key the PublicKey used to carry out the verification. * @param sigProvider the signature provider. * * @exception NoSuchAlgorithmException on unsupported signature * algorithms. * @exception InvalidKeyException on incorrect key. * @exception SignatureException on signature errors. * @exception CRLException on encoding errors. */ public synchronized void verify(PublicKey key, Provider sigProvider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException { if (signedCRL == null) { throw new CRLException("Uninitialized CRL"); } Signature sigVerf = null; if (sigProvider == null) { sigVerf = Signature.getInstance(sigAlgId.getName()); } else { sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider); } sigVerf.initVerify(key); if (tbsCertList == null) { throw new CRLException("Uninitialized CRL"); } sigVerf.update(tbsCertList, 0, tbsCertList.length); if (!sigVerf.verify(signature)) { throw new SignatureException("Signature does not match."); } verifiedPublicKey = key; }
private void parseExtension(Extension ext) throws CRLException { try { Class<?> extClass = OIDMap.getClass(ext.getExtensionId()); if (extClass == null) { // Unsupported extension if (ext.isCritical()) unsupportedCritExt = true; if (map.put(ext.getExtensionId().toString(), ext) != null) throw new CRLException("Duplicate extensions not allowed"); return; } Constructor<?> cons = extClass.getConstructor(PARAMS); Object[] passed = new Object[] {Boolean.valueOf(ext.isCritical()), ext.getExtensionValue()}; CertAttrSet<?> crlExt = (CertAttrSet<?>)cons.newInstance(passed); if (map.put(crlExt.getName(), (Extension)crlExt) != null) { throw new CRLException("Duplicate extensions not allowed"); } } catch (InvocationTargetException invk) { throw new CRLException(invk.getTargetException().getMessage()); } catch (Exception e) { throw new CRLException(e.toString()); } }
/** * Downloads a CRL from given LDAP url. * * @param r the resource that is the ldap url. * @return the x 509 cRL * @throws IOException the exception thrown if resources cant be fetched * @throws CRLException the exception thrown if resources cant be fetched * @throws CertificateException if connection to ldap fails, or attribute to get the revocation list is unavailable */ protected X509CRL fetchCRLFromLdap(final Object r) throws CertificateException, IOException, CRLException { try { final String ldapURL = r.toString(); LOGGER.debug("Fetching CRL from ldap [{}]", ldapURL); final Response<SearchResult> result = performLdapSearch(ldapURL); if (result.getResultCode() == ResultCode.SUCCESS) { final LdapEntry entry = result.getResult().getEntry(); final LdapAttribute attribute = entry.getAttribute(this.certificateAttribute); if (attribute.isBinary()) { LOGGER.debug("Located entry [{}]. Retrieving first attribute [{}]", entry, attribute); return fetchX509CRLFromAttribute(attribute); } LOGGER.warn("Found certificate attribute [{}] but it is not marked as a binary attribute", this.certificateAttribute); } LOGGER.debug("Failed to execute the search [{}]", result); throw new CertificateException("Failed to establish a connection ldap and search."); } catch (final LdapException e) { LOGGER.error(e.getMessage(), e); throw new CertificateException(e.getMessage()); } }
/** * Return the initialization parameters for the TrustManager. Currently, * only the default <code>PKIX</code> is supported. * * @param algorithm * The algorithm to get parameters for. * @param crlf * The path to the CRL file. * @param trustStore * The configured TrustStore. * @return The parameters including the CRLs and TrustStore. */ protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception { CertPathParameters params = null; if ("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection<? extends CRL> crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = endpoint.getTrustMaxCertLength(); if (trustLength != null) { try { xparams.setMaxPathLength(Integer.parseInt(trustLength)); } catch (Exception ex) { log.warn("Bad maxCertLength: " + trustLength); } } params = xparams; } else { throw new CRLException("CRLs not supported for type: " + algorithm); } return params; }
/** * Add the CRLEntry objects contained in a previous CRL. * * @param other the X509CRL to source the other entries from. */ public void addCRL(X509CRL other) throws CRLException { Set revocations = other.getRevokedCertificates(); if (revocations != null) { Iterator it = revocations.iterator(); while (it.hasNext()) { X509CRLEntry entry = (X509CRLEntry)it.next(); ASN1InputStream aIn = new ASN1InputStream(entry.getEncoded()); try { tbsGen.addCRLEntry(ASN1Sequence.getInstance(aIn.readObject())); } catch (IOException e) { throw new CRLException("exception processing encoding of CRL: " + e.toString()); } } } }
/** * generate an X509 CRL, based on the current issuer and subject, * using the passed in provider for the signing. */ public X509CRL generate( PrivateKey key, String provider, SecureRandom random) throws CRLException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { TBSCertList tbsCrl = generateCertList(); byte[] signature; try { signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, provider, key, random, tbsCrl); } catch (IOException e) { throw new ExtCRLException("cannot generate CRL encoding", e); } return generateJcaObject(tbsCrl, signature); }
@Override public int compareTo(X509CRLEntryImpl that) { int compSerial = getSerialNumber().compareTo(that.getSerialNumber()); if (compSerial != 0) { return compSerial; } try { byte[] thisEncoded = this.getEncoded0(); byte[] thatEncoded = that.getEncoded0(); for (int i=0; i<thisEncoded.length && i<thatEncoded.length; i++) { int a = thisEncoded[i] & 0xff; int b = thatEncoded[i] & 0xff; if (a != b) return a-b; } return thisEncoded.length -thatEncoded.length; } catch (CRLException ce) { return -1; } }
private CollectionCertStoreParameters convertHolders(JcaX509CertificateConverter certificateConverter, JcaX509CRLConverter crlConverter) throws CertificateException, CRLException { List jcaObjs = new ArrayList(certs.size() + crls.size()); for (Iterator it = certs.iterator(); it.hasNext();) { jcaObjs.add(certificateConverter.getCertificate((X509CertificateHolder)it.next())); } for (Iterator it = crls.iterator(); it.hasNext();) { jcaObjs.add(crlConverter.getCRL((X509CRLHolder)it.next())); } return new CollectionCertStoreParameters(jcaObjs); }
public X509CRLObject( CertificateList c) throws CRLException { this.c = c; try { this.sigAlgName = X509SignatureUtil.getSignatureName(c.getSignatureAlgorithm()); if (c.getSignatureAlgorithm().getParameters() != null) { this.sigAlgParams = ((ASN1Encodable)c.getSignatureAlgorithm().getParameters()).toASN1Primitive().getEncoded(ASN1Encoding.DER); } else { this.sigAlgParams = null; } this.isIndirect = isIndirectCRL(this); } catch (Exception e) { throw new CRLException("CRL contents invalid: " + e); } }
public void verify(PublicKey key, String sigProvider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { if (!c.getSignatureAlgorithm().equals(c.getTBSCertList().getSignature())) { throw new CRLException("Signature algorithm on CertificateList does not match TBSCertList."); } Signature sig; if (sigProvider != null) { sig = Signature.getInstance(getSigAlgName(), sigProvider); } else { sig = Signature.getInstance(getSigAlgName()); } sig.initVerify(key); sig.update(this.getTBSCertList()); if (!sig.verify(this.getSignature())) { throw new SignatureException("CRL does not verify with supplied public key."); } }
private CRL readDERCRL( InputStream in) throws IOException, CRLException { ASN1InputStream dIn = new ASN1InputStream(in); ASN1Sequence seq = (ASN1Sequence)dIn.readObject(); if (seq.size() > 1 && seq.getObjectAt(0) instanceof DERObjectIdentifier) { if (seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) { sData = new SignedData(ASN1Sequence.getInstance( (ASN1TaggedObject)seq.getObjectAt(1), true)).getCRLs(); return getCRL(); } } return new X509CRLObject(CertificateList.getInstance(seq)); }
private CRL readDERCRL( ASN1InputStream aIn) throws IOException, CRLException { ASN1Sequence seq = (ASN1Sequence)aIn.readObject(); if (seq.size() > 1 && seq.getObjectAt(0) instanceof ASN1ObjectIdentifier) { if (seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) { sCrlData = SignedData.getInstance(ASN1Sequence.getInstance( (ASN1TaggedObject)seq.getObjectAt(1), true)).getCRLs(); return getCRL(); } } return createCRL( CertificateList.getInstance(seq)); }
/** * Verifies that this CRL was signed using the * private key that corresponds to the given public key, * and that the signature verification was computed by * the given provider. * * @param key the PublicKey used to carry out the verification. * @param sigProvider the name of the signature provider. * * @exception NoSuchAlgorithmException on unsupported signature * algorithms. * @exception InvalidKeyException on incorrect key. * @exception NoSuchProviderException on incorrect provider. * @exception SignatureException on signature errors. * @exception CRLException on encoding errors. */ public synchronized void verify(PublicKey key, String sigProvider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { if (sigProvider == null) { sigProvider = ""; } if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) { // this CRL has already been successfully verified using // this public key. Make sure providers match, too. if (sigProvider.equals(verifiedProvider)) { return; } } if (signedCRL == null) { throw new CRLException("Uninitialized CRL"); } Signature sigVerf = null; if (sigProvider.length() == 0) { sigVerf = Signature.getInstance(sigAlgId.getName()); } else { sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider); } sigVerf.initVerify(key); if (tbsCertList == null) { throw new CRLException("Uninitialized CRL"); } sigVerf.update(tbsCertList, 0, tbsCertList.length); if (!sigVerf.verify(signature)) { throw new SignatureException("Signature does not match."); } verifiedPublicKey = key; verifiedProvider = sigProvider; }
/** * return the issuer of the given CRL as an X509PrincipalObject. */ public static X509Principal getIssuerX509Principal( X509CRL crl) throws CRLException { try { ByteArrayInputStream bIn = new ByteArrayInputStream( crl.getTBSCertList()); ASN1InputStream aIn = new ASN1InputStream(bIn); TBSCertList tbsCertList = new TBSCertList( (ASN1Sequence)aIn.readObject()); return new X509Principal(tbsCertList.getIssuer()); } catch (IOException e) { throw new CRLException(e.toString()); } }
/** * Decodes CRLS in DER or PKCS#7 format. If in PKCS#7 format only the CRLs are decode, the rest of the content is * ignored. * * @param crls encoded CRLs * * @return decoded CRLs * * @throws CRLException thrown if the CRLs can not be decoded * * @since 1.2 */ public static Collection<X509CRL> decodeCRLs(File crls) throws CRLException{ if(!crls.exists()){ throw new CRLException("CRL file " + crls.getAbsolutePath() + " does not exist"); } if(!crls.canRead()){ throw new CRLException("CRL file " + crls.getAbsolutePath() + " is not readable"); } try{ return decodeCRLs(DatatypeHelper.fileToByteArray(crls)); }catch(IOException e){ throw new CRLException("Error reading CRL file " + crls.getAbsolutePath(), e); } }
/** * Get a list of the Java {@link java.security.cert.X509CRL}s within the given {@link KeyInfo}. * * @param keyInfo the {@link KeyInfo} to extract the CRL's from * * @return a list of Java {@link java.security.cert.X509CRL}s * * @throws CRLException thrown if there is a problem converting the * CRL data into {@link java.security.cert.X509CRL}s */ public static List<X509CRL> getCRLs(KeyInfo keyInfo) throws CRLException { List<X509CRL> crlList = new LinkedList<X509CRL>(); if (keyInfo == null) { return crlList; } List<X509Data> x509Datas = keyInfo.getX509Datas(); for (X509Data x509Data : x509Datas) { if (x509Data != null) { crlList.addAll(getCRLs(x509Data)); } } return crlList; }
/** * Get a list of the Java {@link java.security.cert.X509CRL}s within the given {@link X509Data}. * * @param x509Data {@link X509Data} to extract the CRLs from * * @return a list of Java {@link java.security.cert.X509CRL}s * * @throws CRLException thrown if there is a problem converting the * CRL data into {@link java.security.cert.X509CRL}s */ public static List<X509CRL> getCRLs(X509Data x509Data) throws CRLException { List<X509CRL> crlList = new LinkedList<X509CRL>(); if (x509Data == null) { return crlList; } for (org.opensaml.xml.signature.X509CRL xmlCRL : x509Data.getX509CRLs()) { if (xmlCRL != null && xmlCRL.getValue() != null) { X509CRL newCRL = getCRL(xmlCRL); crlList.add(newCRL); } } return crlList; }
/** * Return the initialization parameters for the TrustManager. * Currently, only the default <code>PKIX</code> is supported. * * @param algorithm The algorithm to get parameters for. * @param crlf The path to the CRL file. * @param trustStore The configured TrustStore. * @return The parameters including the CRLs and TrustStore. */ protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception { CertPathParameters params = null; if("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); xparams.setMaxPathLength(listener.getSslTrustMaxCertLength()); params = xparams; } else { throw new CRLException("CRLs not supported for type: "+algorithm); } return params; }
/** * Get a DER-encoded X.509 CRL from a file. * * @param crlFilePath path to file containing DER-encoded CRL * @return the X509CRL * @throws CertificateException if the crl type is not supported * @throws CRLException if the crl cannot be parsed * @throws IOException if the file cannot be opened */ public static X509CRL getCRLFromFile(String crlFilePath) throws CertificateException, CRLException, IOException { File crlFile = new File(System.getProperty("test.src", "."), crlFilePath); try (FileInputStream fis = new FileInputStream(crlFile)) { return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(fis); } }
/** * @see java.security.cert.X509CRL#verify(java.security.PublicKey, java.lang.String) */ @Override public void verify(final PublicKey key, final String sigProvider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { // Do nothing to indicate valid signature }
/** * Unmarshals an X.509 CRL from an DER value. * * @param val a DER value holding at least one CRL * @exception CRLException on parsing errors. */ public X509CRLImpl(DerValue val) throws CRLException { try { parse(val); } catch (IOException e) { signedCRL = null; throw new CRLException("Parsing error: " + e.getMessage()); } }
/** * Check the signature algorithm with the specified public key. * * @param key the public key to verify the CRL signature * @param crl the target CRL * @param variant is the Validator variants of the operation. A null value * passed will set it to Validator.GENERIC. */ static void check(PublicKey key, X509CRL crl, String variant) throws CertPathValidatorException { X509CRLImpl x509CRLImpl = null; try { x509CRLImpl = X509CRLImpl.toImpl(crl); } catch (CRLException ce) { throw new CertPathValidatorException(ce); } AlgorithmId algorithmId = x509CRLImpl.getSigAlgId(); check(key, algorithmId, variant); }
/** * Return the initialization parameters for the TrustManager. * Currently, only the default <code>PKIX</code> is supported. * * @param algorithm The algorithm to get parameters for. * @param crlf The path to the CRL file. * @param trustStore The configured TrustStore. * @return The parameters including the CRLs and TrustStore. */ protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception { CertPathParameters params = null; if("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection<? extends CRL> crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = endpoint.getTrustMaxCertLength(); if(trustLength != null) { try { xparams.setMaxPathLength(Integer.parseInt(trustLength)); } catch(Exception ex) { log.warn("Bad maxCertLength: "+trustLength); } } params = xparams; } else { throw new CRLException("CRLs not supported for type: "+algorithm); } return params; }
@Override public X509CRL fetch(final Resource crl) throws IOException, CRLException, CertificateException { if (LdapUtils.isLdapConnectionUrl(crl.toString())) { return fetchCRLFromLdap(crl); } return super.fetch(crl); }
@Override public X509CRL fetch(final URI crl) throws IOException, CRLException, CertificateException { if (LdapUtils.isLdapConnectionUrl(crl)) { return fetchCRLFromLdap(crl); } return super.fetch(crl); }
@Override public X509CRL fetch(final URL crl) throws IOException, CRLException, CertificateException { if (LdapUtils.isLdapConnectionUrl(crl)) { return fetchCRLFromLdap(crl); } return super.fetch(crl); }
@Override public Collection<X509CRL> fetch(final Collection<Resource> crls) throws IOException, CRLException, CertificateException { final Set<X509CRL> results = new HashSet<>(); for (final Resource r : crls) { LOGGER.debug("Fetching CRL data from [{}]", r); try(InputStream ins = r.getInputStream()) { final X509CRL crl = (X509CRL) CertUtils.getCertificateFactory().generateCRL(ins); if (crl != null) { results.add(crl); } } } return results; }
/** * Encodes the revoked certificate to an output stream. * * @param outStrm an output stream to which the encoded revoked * certificate is written. * @exception CRLException on encoding errors. */ public void encode(DerOutputStream outStrm) throws CRLException { try { if (revokedCert == null) { DerOutputStream tmp = new DerOutputStream(); // sequence { serialNumber, revocationDate, extensions } serialNumber.encode(tmp); if (revocationDate.getTime() < YR_2050) { tmp.putUTCTime(revocationDate); } else { tmp.putGeneralizedTime(revocationDate); } if (extensions != null) extensions.encode(tmp, isExplicit); DerOutputStream seq = new DerOutputStream(); seq.write(DerValue.tag_Sequence, tmp); revokedCert = seq.toByteArray(); } outStrm.write(revokedCert); } catch (IOException e) { throw new CRLException("Encoding error: " + e.toString()); } }
/** * @see java.security.cert.X509CRL#verify(java.security.PublicKey) */ @Override public void verify(final PublicKey key) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { // Do nothing to indicate valid signature }
/** * Unmarshals an X.509 CRL from an input stream. Only one CRL * is expected at the end of the input stream. * * @param inStrm an input stream holding at least one CRL * @exception CRLException on parsing errors. */ public X509CRLImpl(InputStream inStrm) throws CRLException { try { parse(new DerValue(inStrm)); } catch (IOException e) { signedCRL = null; throw new CRLException("Parsing error: " + e.getMessage()); } }
/** * generate an X509 certificate, based on the current issuer and subject * using the passed in provider for the signing. */ public X509CRL generate( PrivateKey key, String provider) throws CRLException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { return generate(key, provider, null); }
/** * Check the signature algorithm with the specified public key. * * @param key the public key to verify the CRL signature * @param crl the target CRL */ static void check(PublicKey key, X509CRL crl) throws CertPathValidatorException { X509CRLImpl x509CRLImpl = null; try { x509CRLImpl = X509CRLImpl.toImpl(crl); } catch (CRLException ce) { throw new CertPathValidatorException(ce); } AlgorithmId algorithmId = x509CRLImpl.getSigAlgId(); check(key, algorithmId); }
public byte[] getEncoded() throws CRLException { try { return c.getEncoded(ASN1Encoding.DER); } catch (IOException e) { throw new CRLException(e.toString()); } }
public byte[] getTBSCertList() throws CRLException { try { return c.getTBSCertList().getEncoded("DER"); } catch (IOException e) { throw new CRLException(e.toString()); } }
/** * Unmarshals a revoked certificate from its encoded form. * * @param revokedCert the encoded bytes. * @exception CRLException on parsing errors. */ public X509CRLEntryImpl(byte[] revokedCert) throws CRLException { try { parse(new DerValue(revokedCert)); } catch (IOException e) { this.revokedCert = null; throw new CRLException("Parsing error: " + e.toString()); } }
private CRL readPEMCRL( InputStream in) throws IOException, CRLException { ASN1Sequence seq = PEM_PARSER.readPEMObject(in); if (seq != null) { return new X509CRLObject(CertificateList.getInstance(seq)); } return null; }
private CRL readPEMCRL( InputStream in) throws IOException, CRLException { ASN1Sequence seq = PEM_CRL_PARSER.readPEMObject(in); if (seq != null) { return createCRL( CertificateList.getInstance(seq)); } return null; }
private CRL getCRL() throws CRLException { if (sCrlData == null || sCrlDataObjectCount >= sCrlData.size()) { return null; } return createCRL( CertificateList.getInstance( sCrlData.getObjectAt(sCrlDataObjectCount++))); }