/**
 * Default implementation of {@code getRevocationReason} for an
 * {@link X509CRLEntry}: decodes the reasonCode extension (OID 2.5.29.21)
 * from the entry's raw extension value.
 *
 * @param crlEntry the CRL entry to inspect.
 * @return the decoded {@link CRLReason}, or {@code null} when the entry
 *         carries no reasonCode extension or the extension cannot be decoded.
 */
public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
    byte[] encodedExtension = crlEntry.getExtensionValue("2.5.29.21");
    if (encodedExtension == null) {
        return null;
    }
    try {
        // getExtensionValue() hands back the DER OCTET STRING wrapper; unwrap it
        // before the bytes are given to the extension parser.
        byte[] reasonBytes = new DerValue(encodedExtension).getOctetString();
        return new CRLReasonCodeExtension(Boolean.FALSE, reasonBytes).getReasonCode();
    } catch (IOException ioe) {
        // A malformed extension is reported as "no reason" rather than propagated;
        // callers cannot distinguish this from an absent extension.
        return null;
    }
}
/**
 * Create a CertStatusInfo providing type, revocation date
 * (if applicable) and revocation reason.
 *
 * @param statType the status for this entry.
 * @param revDate if applicable, the date that revocation took place.
 *        A value of {@code null} indicates that current time should be used.
 *        If the value of {@code statType} is not {@code CERT_STATUS_REVOKED},
 *        then the {@code revDate} parameter is ignored.
 * @param revReason the reason the certificate was revoked. A value of
 *        {@code null} means that no reason was provided. NOTE(review): this
 *        constructor body never reads {@code revReason}; nothing here stores it.
 * @throws NullPointerException if {@code statType} is {@code null}.
 * @throws IllegalArgumentException if {@code statType} is not a recognized status.
 */
public CertStatusInfo(CertStatus statType, Date revDate, CRLReason revReason) {
    Objects.requireNonNull(statType, "Cert Status must be non-null");
    certStatusType = statType;
    if (statType == CertStatus.CERT_STATUS_REVOKED) {
        // Date is mutable: keep our own copy instead of aliasing the caller's instance.
        revocationTime = (revDate == null) ? new Date() : (Date) revDate.clone();
    } else if (statType == CertStatus.CERT_STATUS_GOOD
            || statType == CertStatus.CERT_STATUS_UNKNOWN) {
        revocationTime = null;
    } else {
        throw new IllegalArgumentException("Unknown status type: " + statType);
    }
}
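/**
 * Determines the revocation status of the given certificate against this CRL.
 * On return {@code status} is {@code true} when no CRL entry matches the
 * certificate's serial number; otherwise {@code revocationDate} and, when the
 * entry carries one, {@code reason} are populated.
 *
 * @param certificateToken
 *            the {@code CertificateToken} which is managed by this CRL.
 * @throws DSSException if the certificate's issuer cannot be resolved, or the
 *             CRL was not signed by that issuer.
 */
private void setRevocationStatus(final CertificateToken certificateToken) {
    final CertificateToken issuerToken = certificateToken.getIssuerToken();
    // Report an unresolved issuer explicitly rather than failing with a
    // NullPointerException on the equals() call below.
    if (issuerToken == null) {
        throw new DSSException("The issuer of the CertificateToken to be verified is unknown!");
    }
    if (!issuerToken.equals(crlValidity.getIssuerToken())) {
        if (!crlValidity.isSignatureIntact()) {
            throw new DSSException(crlValidity.getSignatureInvalidityReason());
        }
        throw new DSSException("The CRLToken is not signed by the same issuer as the CertificateToken to be verified!");
    }
    // NOTE(review): signature intactness is only consulted on the mismatch path;
    // this relies on crlValidity.getIssuerToken() being populated only for a
    // CRL whose signature was verified — confirm against CRLValidity.
    final BigInteger serialNumber = certificateToken.getSerialNumber();
    final X509CRLEntry crlEntry = CRLUtils.getRevocationInfo(crlValidity, serialNumber);
    // status == true means "not revoked": the CRL has no entry for this serial number.
    status = (crlEntry == null);
    if (crlEntry != null) {
        revocationDate = crlEntry.getRevocationDate();
        final CRLReason revocationReason = crlEntry.getRevocationReason();
        if (revocationReason != null) {
            // The JDK declares CRLReason constants in RFC 5280 reason-code order,
            // so the ordinal doubles as the numeric reason code here.
            reason = CRLReasonEnum.fromInt(revocationReason.ordinal()).name();
        }
    }
}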
/**
 * Overridden implementation of {@code getRevocationReason} that answers from
 * this entry's already-parsed extensions instead of re-decoding the raw
 * extension bytes, which is why it is cheaper than the default implementation.
 *
 * @return the cached {@link CRLReason}, or {@code null} when this entry
 *         carries no reasonCode extension.
 */
@Override
public CRLReason getRevocationReason() {
    final Extension reasonExtension = getExtension(PKIXExtensions.ReasonCode_Id);
    return (reasonExtension == null)
            ? null
            : ((CRLReasonCodeExtension) reasonExtension).getReasonCode();
}
/**
 * Return the reason as a CRLReason enum.
 *
 * @return the {@link CRLReason} whose position in {@code values} matches this
 *         extension's {@code reasonCode}; {@code CRLReason.UNSPECIFIED} when the
 *         code is 0 or outside the range covered by {@code values}.
 */
public CRLReason getReasonCode() {
    final boolean inRange = reasonCode > 0 && reasonCode < values.length;
    if (!inRange) {
        // Out-of-range (and explicitly zero) codes collapse to UNSPECIFIED.
        return CRLReason.UNSPECIFIED;
    }
    return values[reasonCode];
}
/**
 * Builds the {@link RevocationInfo} view of this entry: a REVOKED record carrying
 * the mapped {@link CRLReason} and revocation time, or a GOOD record with neither.
 *
 * @return the revocation information for this entry's serial number.
 */
public RevocationInfo toRevocationInfo() {
    if (!revoked) {
        return new RevocationInfo(serialNumber, null, null, CertStatus.GOOD);
    }
    // NOTE(review): the reason string is mapped to a numeric code that then indexes
    // CRLReason.values(); a code outside 0..values().length-1 would throw
    // ArrayIndexOutOfBoundsException — confirm getCRLReasonFromString's range.
    final int reasonCode = Revocation.getCRLReasonFromString(revokeReason);
    final CRLReason crlReason = CRLReason.values()[reasonCode];
    return new RevocationInfo(serialNumber, crlReason, revokedAt, CertStatus.REVOKED);
}
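/**
 * Populates the entry list with one {@link CRLEntryModel} per certificate issued by
 * the selected issuer, marking entries that appear in the issuer's CRL as revoked
 * (with their reason flag and revocation date), then sorts the list.
 *
 * @throws IOException if the issuer's CRL cannot be loaded.
 * @throws IllegalArgumentException if a CRL entry's reason has no
 *             {@link ReasonFlag} counterpart (see {@code ReasonFlag.fromCRLReason}).
 */
private void initEntries() throws IOException {
    final ObservableList<CRLEntryModel> entryItems = this.ctlEntryOptions.getItems();
    final UserCertStoreEntry issuerEntry = this.issuerEntryParam.get();
    // Fetch the issuer's CRL once instead of on every loop iteration; it is the
    // same CRL for every issued certificate of this issuer.
    final X509CRL crl = issuerEntry.hasCRL() ? issuerEntry.getCRL() : null;
    for (UserCertStoreEntry issuedEntry : issuerEntry.issuedEntries()) {
        final BigInteger issuedSerial = issuedEntry.getCRT().getSerialNumber();
        boolean revoked = false;
        ReasonFlag reason = ReasonFlag.UNSPECIFIED;
        Date date = null;
        final X509CRLEntry crlEntry = (crl != null) ? crl.getRevokedCertificate(issuedSerial) : null;
        if (crlEntry != null) {
            revoked = true;
            // A CRL entry need not carry a reasonCode extension; UNSPECIFIED stands in then.
            final CRLReason crlEntryReason = crlEntry.getRevocationReason();
            if (crlEntryReason != null) {
                reason = ReasonFlag.fromCRLReason(crlEntryReason);
            }
            date = crlEntry.getRevocationDate();
        }
        entryItems.add(new CRLEntryModel(issuedEntry, revoked, issuedSerial, reason, date));
    }
    entryItems.sort(CRLEntryModel::compareTo);
}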
/**
 * Get the reason flag instance for a specific {@link CRLReason}.
 *
 * @param reason The {@link CRLReason} to get the instance for.
 * @return The reason flag instance corresponding to the submitted {@link CRLReason}.
 * @throws IllegalArgumentException if no registered reason flag shares the name
 *             of {@code reason}.
 */
public static synchronized ReasonFlag fromCRLReason(CRLReason reason) {
    // Matching is by constant name, so the registered ReasonFlag names must mirror
    // the CRLReason constant names exactly; the first match in map order wins.
    return instanceMap.values().stream()
            .filter(candidate -> candidate.name().equals(reason.name()))
            .findFirst()
            .orElseThrow(() -> new IllegalArgumentException("Unexpected CRL reason: " + reason));
}
/**
 * Rejects the client chain if any presented certificate is on the blacklist,
 * and otherwise defers the full trust decision to the wrapped trust manager.
 * The blacklist check covers every certificate in the array, not only the
 * end-entity certificate, and runs before the delegate sees the chain.
 *
 * @param x509Certificates the client's certificate chain; may be {@code null}.
 * @param authType the key exchange algorithm, passed through to the delegate.
 * @throws CertificateRevokedException if a blacklisted certificate is present;
 *             the exception reports the current time and reason UNSPECIFIED.
 * @throws CertificateException if the delegate does not trust the chain.
 */
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String authType)
        throws CertificateException {
    if (x509Certificates != null) {
        for (X509Certificate candidate : x509Certificates) {
            if (!blacklist.isBlacklisted(candidate)) {
                continue;
            }
            throw new CertificateRevokedException(new Date(), CRLReason.UNSPECIFIED,
                    candidate.getIssuerX500Principal(), Collections.emptyMap());
        }
    }
    // A null chain is not rejected here; whatever the delegate does with it applies.
    delegate.checkClientTrusted(x509Certificates, authType);
}