protected Vector getCRLDistUrls(CRLDistPoint crlDistPoints) { Vector urls = new Vector(); if (crlDistPoints != null) { DistributionPoint[] distPoints = crlDistPoints.getDistributionPoints(); for (int i = 0; i < distPoints.length; i++) { DistributionPointName dp_name = distPoints[i].getDistributionPoint(); if (dp_name.getType() == DistributionPointName.FULL_NAME) { GeneralName[] generalNames = GeneralNames.getInstance(dp_name.getName()).getNames(); for (int j = 0; j < generalNames.length; j++) { if (generalNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) { String url = ((DERIA5String) generalNames[j].getName()).getString(); urls.add(url); } } } } } return urls; }
public void performTest() throws Exception { DistributionPointName name = new DistributionPointName( new GeneralNames(new GeneralName(new X500Name("cn=test")))); ReasonFlags reasonFlags = new ReasonFlags(ReasonFlags.cACompromise); checkPoint(6, name, true, true, reasonFlags, true, true); checkPoint(2, name, false, false, reasonFlags, false, false); checkPoint(0, null, false, false, null, false, false); try { IssuingDistributionPoint.getInstance(new Object()); fail("getInstance() failed to detect bad object."); } catch (IllegalArgumentException e) { // expected } }
private void checkPoint( int size, DistributionPointName distributionPoint, boolean onlyContainsUserCerts, boolean onlyContainsCACerts, ReasonFlags onlySomeReasons, boolean indirectCRL, boolean onlyContainsAttributeCerts) throws IOException { IssuingDistributionPoint point = new IssuingDistributionPoint(distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts); checkValues(point, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts); ASN1Sequence seq = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(point.getEncoded())); if (seq.size() != size) { fail("size mismatch"); } point = IssuingDistributionPoint.getInstance(seq); checkValues(point, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts); }
public static CRLDistPoint createCrlDistributionPoints(List<String> crlUris, X500Name caSubject, X500Name crlSignerSubject) { ParamUtil.requireNonEmpty("crlUris", crlUris); int size = crlUris.size(); DistributionPoint[] points = new DistributionPoint[1]; GeneralName[] names = new GeneralName[size]; for (int i = 0; i < size; i++) { names[i] = new GeneralName(GeneralName.uniformResourceIdentifier, crlUris.get(i)); } // Distribution Point GeneralNames gns = new GeneralNames(names); DistributionPointName pointName = new DistributionPointName(gns); GeneralNames crlIssuer = null; if (crlSignerSubject != null && !crlSignerSubject.equals(caSubject)) { GeneralName crlIssuerName = new GeneralName(crlSignerSubject); crlIssuer = new GeneralNames(crlIssuerName); } points[0] = new DistributionPoint(pointName, null, crlIssuer); return new CRLDistPoint(points); }
public void performTest() throws Exception { DistributionPointName name = new DistributionPointName( new GeneralNames(new GeneralName(new X509Name("cn=test")))); ReasonFlags reasonFlags = new ReasonFlags(ReasonFlags.cACompromise); checkPoint(6, name, true, true, reasonFlags, true, true); checkPoint(2, name, false, false, reasonFlags, false, false); checkPoint(0, null, false, false, null, false, false); try { IssuingDistributionPoint.getInstance(new Object()); fail("getInstance() failed to detect bad object."); } catch (IllegalArgumentException e) { // expected } }
private void checkValues(IssuingDistributionPoint point, DistributionPointName distributionPoint, boolean onlyContainsUserCerts, boolean onlyContainsCACerts, ReasonFlags onlySomeReasons, boolean indirectCRL, boolean onlyContainsAttributeCerts) { if (point.onlyContainsUserCerts() != onlyContainsUserCerts) { fail("mismatch on onlyContainsUserCerts"); } if (point.onlyContainsCACerts() != onlyContainsCACerts) { fail("mismatch on onlyContainsCACerts"); } if (point.isIndirectCRL() != indirectCRL) { fail("mismatch on indirectCRL"); } if (point.onlyContainsAttributeCerts() != onlyContainsAttributeCerts) { fail("mismatch on onlyContainsAttributeCerts"); } if (!isEquiv(onlySomeReasons, point.getOnlySomeReasons())) { fail("mismatch on onlySomeReasons"); } if (!isEquiv(distributionPoint, point.getDistributionPoint())) { fail("mismatch on distributionPoint"); } }
/** * * @return A list of ulrs that inform the location of the certificate revocation lists * @throws IOException exception */ public List<String> getCRLDistributionPoint() throws IOException { List<String> crlUrls = new ArrayList<>(); ASN1Primitive primitive = getExtensionValue(Extension.cRLDistributionPoints.getId()); if (primitive == null) { return null; } CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(primitive); DistributionPoint[] distributionPoints = crlDistPoint.getDistributionPoints(); for (DistributionPoint distributionPoint : distributionPoints) { DistributionPointName dpn = distributionPoint.getDistributionPoint(); // Look for URIs in fullName if (dpn != null) { if (dpn.getType() == DistributionPointName.FULL_NAME) { GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); for (GeneralName genName : genNames) { if (genName.getTagNo() == GeneralName.uniformResourceIdentifier) { String url = DERIA5String.getInstance(genName.getName()).getString(); crlUrls.add(url); logger.info("Adicionando a url {}", url); } } } } } return crlUrls; }
private void addCRLSitributionPoints(String issuerName, X509v3CertificateBuilder v3CertGen) throws CertIOException { DistributionPointName distributionPoint = new DistributionPointName(new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, SERVER_BASE_REST_PKI_URL + issuerName + CRL_URL))); DistributionPoint[] distPoints = new DistributionPoint[1]; distPoints[0] = new DistributionPoint(distributionPoint, null, null); v3CertGen.addExtension(Extension.cRLDistributionPoints, false, new CRLDistPoint(distPoints)); }
public static List<String> getCrlDistributionPoints(byte[] crldpExt) throws CertificateParsingException, IOException { if (crldpExt == null) { return new ArrayList<String>(); } ASN1InputStream oAsnInStream = new ASN1InputStream( new ByteArrayInputStream(crldpExt)); DERObject derObjCrlDP = oAsnInStream.readObject(); DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP; byte[] crldpExtOctets = dosCrlDP.getOctets(); ASN1InputStream oAsnInStream2 = new ASN1InputStream( new ByteArrayInputStream(crldpExtOctets)); DERObject derObj2 = oAsnInStream2.readObject(); CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2); List<String> crlUrls = new ArrayList<String>(); for (DistributionPoint dp : distPoint.getDistributionPoints()) { DistributionPointName dpn = dp.getDistributionPoint(); // Look for URIs in fullName if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) { GeneralName[] genNames = GeneralNames .getInstance(dpn.getName()).getNames(); // Look for an URI for (int j = 0; j < genNames.length; j++) { if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) { String url = DERIA5String.getInstance( genNames[j].getName()).getString(); crlUrls.add(url); } } } } return crlUrls; }
public static List<String> getCrlDistributionPoints(byte[] crldpExt) throws CertificateParsingException, IOException { if (crldpExt == null) { return new ArrayList<String>(); } ASN1InputStream oAsnInStream = new ASN1InputStream( new ByteArrayInputStream(crldpExt)); ASN1Primitive derObjCrlDP = oAsnInStream.readObject(); DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP; byte[] crldpExtOctets = dosCrlDP.getOctets(); ASN1InputStream oAsnInStream2 = new ASN1InputStream( new ByteArrayInputStream(crldpExtOctets)); ASN1Primitive derObj2 = oAsnInStream2.readObject(); CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2); List<String> crlUrls = new ArrayList<String>(); for (DistributionPoint dp : distPoint.getDistributionPoints()) { DistributionPointName dpn = dp.getDistributionPoint(); // Look for URIs in fullName if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) { GeneralName[] genNames = GeneralNames .getInstance(dpn.getName()).getNames(); // Look for an URI for (int j = 0; j < genNames.length; j++) { if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) { String url = DERIA5String.getInstance( genNames[j].getName()).getString(); crlUrls.add(url); } } } } return crlUrls; }
public static CrlDistPointExtension create(final NameType distribPointNameType, final String distribPointName, final NameType crlIssuerNameType, final String crlIssuer, final ReasonFlags reasons) { final DistributionPointName dp = new DistributionPointName( distribPointNameType.generalNames(distribPointName)); final GeneralNames crl; if (crlIssuerNameType != null && crlIssuer != null) { crl = crlIssuerNameType.generalNames(crlIssuer); } else { crl = null; } return create(dp, reasons, crl); }
protected void checkCriticalExtensions(CRLValidity validity, Collection<String> criticalExtensionsOid, byte[] issuingDistributionPointBinary) { if (criticalExtensionsOid == null || criticalExtensionsOid.isEmpty()) { validity.setUnknownCriticalExtension(false); } else { IssuingDistributionPoint issuingDistributionPoint = IssuingDistributionPoint .getInstance(ASN1OctetString.getInstance(issuingDistributionPointBinary).getOctets()); final boolean onlyAttributeCerts = issuingDistributionPoint.onlyContainsAttributeCerts(); final boolean onlyCaCerts = issuingDistributionPoint.onlyContainsCACerts(); final boolean onlyUserCerts = issuingDistributionPoint.onlyContainsUserCerts(); final boolean indirectCrl = issuingDistributionPoint.isIndirectCRL(); ReasonFlags onlySomeReasons = issuingDistributionPoint.getOnlySomeReasons(); DistributionPointName distributionPoint = issuingDistributionPoint.getDistributionPoint(); boolean urlFound = false; if (DistributionPointName.FULL_NAME == distributionPoint.getType()) { final GeneralNames generalNames = (GeneralNames) distributionPoint.getName(); if ((generalNames != null) && (generalNames.getNames() != null && generalNames.getNames().length > 0)) { for (GeneralName generalName : generalNames.getNames()) { if (GeneralName.uniformResourceIdentifier == generalName.getTagNo()) { ASN1String str = (ASN1String) ((DERTaggedObject) generalName.toASN1Primitive()).getObject(); validity.setUrl(str.getString()); urlFound = true; } } } } if (!(onlyAttributeCerts && onlyCaCerts && onlyUserCerts && indirectCrl) && (onlySomeReasons == null) && urlFound) { validity.setUnknownCriticalExtension(false); } } }
/** * Gives back the {@code List} of CRL URI meta-data found within the given X509 certificate. * * @param certificateToken * the cert token certificate * @param checkInTrustAnchors * if true, the method will search in the ServiceSupplyPoint urls * @return the {@code List} of CRL URI, or empty list if the extension is not present */ public static List<String> getCrlUrls(final CertificateToken certificateToken, boolean checkInTrustAnchors) { final List<String> urls = new ArrayList<String>(); final byte[] crlDistributionPointsBytes = certificateToken.getCertificate().getExtensionValue(Extension.cRLDistributionPoints.getId()); if (crlDistributionPointsBytes != null) { try { final ASN1Sequence asn1Sequence = DSSASN1Utils.getAsn1SequenceFromDerOctetString(crlDistributionPointsBytes); final CRLDistPoint distPoint = CRLDistPoint.getInstance(asn1Sequence); final DistributionPoint[] distributionPoints = distPoint.getDistributionPoints(); for (final DistributionPoint distributionPoint : distributionPoints) { final DistributionPointName distributionPointName = distributionPoint.getDistributionPoint(); if (DistributionPointName.FULL_NAME != distributionPointName.getType()) { continue; } final GeneralNames generalNames = (GeneralNames) distributionPointName.getName(); final GeneralName[] names = generalNames.getNames(); for (final GeneralName name : names) { String location = parseGn(name); if (location != null) { urls.add(location); } } } } catch (Exception e) { LOG.error("Unable to parse cRLDistributionPoints", e); } } if (Utils.isCollectionEmpty(urls) && checkInTrustAnchors) { return getServiceSupplyPoints(certificateToken, "crl", "certificateRevocationList"); } return urls; }
public String getCrlUri(X509Certificate certificate) throws IOException { ASN1Primitive obj; try { obj = getExtensionValue(certificate, Extension.cRLDistributionPoints.getId()); } catch (IOException ex) { log.error("Failed to get CRL URL", ex); return null; } if (obj == null) { return null; } CRLDistPoint distPoint = CRLDistPoint.getInstance(obj); DistributionPoint[] distributionPoints = distPoint.getDistributionPoints(); for (DistributionPoint distributionPoint : distributionPoints) { DistributionPointName distributionPointName = distributionPoint.getDistributionPoint(); if (DistributionPointName.FULL_NAME != distributionPointName.getType()) { continue; } GeneralNames generalNames = (GeneralNames) distributionPointName.getName(); GeneralName[] names = generalNames.getNames(); for (GeneralName name : names) { if (name.getTagNo() != GeneralName.uniformResourceIdentifier) { continue; } DERIA5String derStr = DERIA5String.getInstance((ASN1TaggedObject) name.toASN1Primitive(), false); return derStr.getString(); } } return null; }
/** * Extracts all CRL distribution point URLs from the "CRL Distribution Point" * extension in a X.509 certificate. If CRL distribution point extension is * unavailable, returns an empty list. */ public static List<String> getCrlDistributionPoints( X509Certificate cert) throws CertificateParsingException, IOException { byte[] crldpExt = cert.getExtensionValue( X509Extensions.CRLDistributionPoints.getId()); ASN1InputStream oAsnInStream = new ASN1InputStream( new ByteArrayInputStream(crldpExt)); ASN1Primitive derObjCrlDP = oAsnInStream.readObject(); DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP; byte[] crldpExtOctets = dosCrlDP.getOctets(); ASN1InputStream oAsnInStream2 = new ASN1InputStream( new ByteArrayInputStream(crldpExtOctets)); ASN1Primitive derObj2 = oAsnInStream2.readObject(); CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2); List<String> crlUrls = new ArrayList<String>(); for (DistributionPoint dp : distPoint.getDistributionPoints()) { System.out.println(dp); DistributionPointName dpn = dp.getDistributionPoint(); // Look for URIs in fullName if (dpn != null) { if (dpn.getType() == DistributionPointName.FULL_NAME) { GeneralName[] genNames = GeneralNames.getInstance( dpn.getName()).getNames(); // Look for an URI for (int j = 0; j < genNames.length; j++) { if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) { String url = DERIA5String.getInstance( genNames[j].getName()).getString(); crlUrls.add(url); } } } } } return crlUrls; }
protected static void addAdditionalStoresFromCRLDistributionPoint( CRLDistPoint crldp, ExtendedPKIXParameters pkixParams) throws AnnotatedException { if (crldp != null) { DistributionPoint dps[] = null; try { dps = crldp.getDistributionPoints(); } catch (Exception e) { throw new AnnotatedException( "Distribution points could not be read.", e); } for (int i = 0; i < dps.length; i++) { DistributionPointName dpn = dps[i].getDistributionPoint(); // look for URIs in fullName if (dpn != null) { if (dpn.getType() == DistributionPointName.FULL_NAME) { GeneralName[] genNames = GeneralNames.getInstance( dpn.getName()).getNames(); // look for an URI for (int j = 0; j < genNames.length; j++) { if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) { String location = DERIA5String.getInstance( genNames[j].getName()).getString(); CertPathValidatorUtilities .addAdditionalStoreFromLocation(location, pkixParams); } } } } } } }
/** * Get extension value for CRL Distribution Points as a string. * * @param bValue The octet string value * @return Extension value as a string * @throws IOException If an I/O problem occurs */ private String getCrlDistributionPointsStringValue(byte[] bValue) throws IOException { CRLDistPoint dps = CRLDistPoint.getInstance(bValue); DistributionPoint[] points = dps.getDistributionPoints(); StringBuilder sb = new StringBuilder(); sb.append("<ul>"); for (DistributionPoint point : points) { DistributionPointName dpn; if ((dpn = point.getDistributionPoint()) != null) { sb.append("<li>"); switch (dpn.getType()) { case DistributionPointName.FULL_NAME: sb.append(RB.getString("CrlDistributionPoint.0.0")); sb.append(": "); sb.append(getGeneralNamesString((GeneralNames) dpn.getName(), LinkClass.CRL)); break; case DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER: sb.append(RB.getString("CrlDistributionPoint.0.1")); sb.append(": "); // TODO: need better decode? sb.append(stringify(dpn.getName())); break; default: sb.append(RB.getString("UnknownCrlDistributionPointName")); sb.append(": "); sb.append(stringify(dpn.getName())); break; } sb.append("</li>"); } ReasonFlags flags; if ((flags = point.getReasons()) != null) { sb.append("<li>"); sb.append(RB.getString("CrlDistributionPoint.1")); sb.append(": "); // TODO: decode sb.append(stringify(flags)); sb.append("</li>"); } GeneralNames issuer; if ((issuer = point.getCRLIssuer()) != null) { sb.append("<li>"); sb.append(RB.getString("CrlDistributionPoint.2")); sb.append(": "); sb.append(getGeneralNamesString(issuer, LinkClass.CRL)); sb.append("</li>"); } } sb.append("</ul>"); return sb.toString(); }
static List<PKIXCRLStore> getAdditionalStoresFromCRLDistributionPoint(CRLDistPoint crldp, Map<GeneralName, PKIXCRLStore> namedCRLStoreMap) throws AnnotatedException { if (crldp != null) { DistributionPoint dps[] = null; try { dps = crldp.getDistributionPoints(); } catch (Exception e) { throw new AnnotatedException( "Distribution points could not be read.", e); } List<PKIXCRLStore> stores = new ArrayList<PKIXCRLStore>(); for (int i = 0; i < dps.length; i++) { DistributionPointName dpn = dps[i].getDistributionPoint(); // look for URIs in fullName if (dpn != null) { if (dpn.getType() == DistributionPointName.FULL_NAME) { GeneralName[] genNames = GeneralNames.getInstance( dpn.getName()).getNames(); for (int j = 0; j < genNames.length; j++) { PKIXCRLStore store = namedCRLStoreMap.get(genNames[j]); if (store != null) { stores.add(store); } } } } } return stores; } else { return Collections.EMPTY_LIST; } }
/** * Extracts all CRL distribution point URLs from the * "CRL Distribution Point" extension in a X.509 certificate. If CRL * distribution point extension is unavailable, returns an empty list. */ public static List<String> getCrlDistributionPoints(X509Certificate cert) throws CertificateParsingException, IOException { byte[] crldpExt = cert.getExtensionValue(X509Extension.cRLDistributionPoints.getId()); if (crldpExt == null) { return new ArrayList<String>(); } ASN1InputStream oAsnInStream = null; ASN1InputStream oAsnInStream2 = null; try { oAsnInStream = new ASN1InputStream(new ByteArrayInputStream(crldpExt)); DERObject derObjCrlDP = oAsnInStream.readObject(); DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP; byte[] crldpExtOctets = dosCrlDP.getOctets(); oAsnInStream2 = new ASN1InputStream(new ByteArrayInputStream(crldpExtOctets)); DERObject derObj2 = oAsnInStream2.readObject(); CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2); List<String> crlUrls = new ArrayList<String>(); for (DistributionPoint dp : distPoint.getDistributionPoints()) { DistributionPointName dpn = dp.getDistributionPoint(); // Look for URIs in fullName if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) { GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); // Look for an URI for (int j = 0; j < genNames.length; j++) { if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) { String url = DERIA5String.getInstance(genNames[j].getName()).getString(); crlUrls.add(url); } } } } return crlUrls; } finally { if (oAsnInStream != null) { oAsnInStream.close(); } if (oAsnInStream2 != null) { oAsnInStream2.close(); } } }
private String getIssuingDistributionPointStringValue(byte[] value) throws IOException { // @formatter:off /* * IssuingDistributionPoint ::= ASN1Sequence { * distributionPoint [0] DistributionPointName OPTIONAL, * onlyContainsUserCerts [1] ASN1Boolean DEFAULT FALSE, * onlyContainsCACerts [2] ASN1Boolean DEFAULT FALSE, * onlySomeReasons [3] ReasonFlags OPTIONAL, * indirectCRL [4] ASN1Boolean DEFAULT FALSE, * onlyContainsAttributeCerts [5] ASN1Boolean DEFAULT FALSE } */ // @formatter:on /* * Getting any DEFAULTS returns a false ASN1Boolean when no value * present which saves the bother of a null check */ StringBuilder sb = new StringBuilder(); IssuingDistributionPoint issuingDistributionPoint = IssuingDistributionPoint.getInstance(value); DistributionPointName distributionPointName = issuingDistributionPoint.getDistributionPoint(); if (distributionPointName != null) { // Optional sb.append(getDistributionPointNameString(distributionPointName, "")); } boolean onlyContainsUserCerts = issuingDistributionPoint.onlyContainsUserCerts(); sb.append(MessageFormat.format(res.getString("OnlyContainsUserCerts"), onlyContainsUserCerts)); sb.append(NEWLINE); boolean onlyContainsCaCerts = issuingDistributionPoint.onlyContainsCACerts(); sb.append(MessageFormat.format(res.getString("OnlyContainsCaCerts"), onlyContainsCaCerts)); sb.append(NEWLINE); ReasonFlags onlySomeReasons = issuingDistributionPoint.getOnlySomeReasons(); if (onlySomeReasons != null) {// Optional sb.append(res.getString("OnlySomeReasons")); sb.append(NEWLINE); String[] reasonFlags = getReasonFlagsStrings(onlySomeReasons); for (String reasonFlag : reasonFlags) { sb.append(INDENT); sb.append(reasonFlag); sb.append(NEWLINE); } } boolean indirectCrl = issuingDistributionPoint.isIndirectCRL(); sb.append(MessageFormat.format(res.getString("IndirectCrl"), indirectCrl)); sb.append(NEWLINE); boolean onlyContainsAttributeCerts = issuingDistributionPoint.onlyContainsAttributeCerts(); sb.append(MessageFormat.format(res.getString("OnlyContainsAttributeCerts"), onlyContainsAttributeCerts)); sb.append(NEWLINE); return sb.toString(); }
private String getDistributionPointString(DistributionPoint distributionPoint, String baseIndent) throws IOException { // @formatter:off /* * DistributionPoint ::= ASN1Sequence { * distributionPoint [0] DistributionPointName OPTIONAL, * reasons [1] ReasonFlags OPTIONAL, * cRLIssuer [2] GeneralNames OPTIONAL * } * * GeneralNames ::= ASN1Sequence SIZE (1..MAX) OF GeneralName */ // @formatter:on StringBuilder sb = new StringBuilder(); DistributionPointName distributionPointName = distributionPoint.getDistributionPoint(); ReasonFlags reasons = distributionPoint.getReasons(); GeneralNames crlIssuer = distributionPoint.getCRLIssuer(); if (distributionPointName != null) { // Optional sb.append(getDistributionPointNameString(distributionPointName, baseIndent)); } if (reasons != null) { // Optional sb.append(baseIndent); sb.append(res.getString("DistributionPointReasons")); sb.append(NEWLINE); String[] reasonFlags = getReasonFlagsStrings(reasons); for (String reasonFlag : reasonFlags) { sb.append(baseIndent); sb.append(INDENT); sb.append(reasonFlag); sb.append(NEWLINE); } } if (crlIssuer != null) { // Optional sb.append(baseIndent); sb.append(res.getString("DistributionPointCrlIssuer")); sb.append(NEWLINE); for (GeneralName generalName : crlIssuer.getNames()) { sb.append(baseIndent); sb.append(INDENT); sb.append(GeneralNameUtil.toString(generalName)); sb.append(NEWLINE); } } return sb.toString(); }
private String getDistributionPointNameString(DistributionPointName distributionPointName, String baseIndent) throws IOException { // @formatter:off /* * DistributionPointName ::= CHOICE { * fullname [0] GeneralNames, * nameRelativeToCRLIssuer [1] RelativeDistinguishedName * } * * RelativeDistinguishedName ::= SET SIZE (1 .. MAX) OF * AttributeTypeAndValue * * AttributeTypeAndValue ::= ASN1Sequence { type AttributeType, value * AttributeValue } */ // @formatter: on StringBuilder sb = new StringBuilder(); sb.append(baseIndent); sb.append(res.getString("DistributionPointName")); sb.append(NEWLINE); if (distributionPointName.getType() == DistributionPointName.FULL_NAME) { sb.append(baseIndent); sb.append(INDENT); sb.append(res.getString("DistributionPointFullName")); sb.append(NEWLINE); GeneralNames generalNames = GeneralNames.getInstance(distributionPointName.getName()); for (GeneralName generalName : generalNames.getNames()) { sb.append(baseIndent); sb.append(INDENT); sb.append(INDENT); sb.append(GeneralNameUtil.toString(generalName)); sb.append(NEWLINE); } } else { // DistributionPointName.TAG_NAMERELATIVETOCRLISSUER sb.append(baseIndent); sb.append(INDENT); sb.append(res.getString("DistributionPointNameRelativeToCrlIssuer")); sb.append(NEWLINE); RDN rdn = RDN.getInstance(distributionPointName.getName()); for (AttributeTypeAndValue attributeTypeAndValue : rdn.getTypesAndValues()) { ASN1ObjectIdentifier attributeType = attributeTypeAndValue.getType(); ASN1Encodable attributeValue = attributeTypeAndValue.getValue(); String attributeTypeStr = getAttributeTypeString(attributeType); String attributeValueStr = getAttributeValueString(attributeType, attributeValue); sb.append(baseIndent); sb.append(INDENT); sb.append(INDENT); sb.append(MessageFormat.format("{0}={1}", attributeTypeStr, attributeValueStr)); sb.append(NEWLINE); } } return sb.toString(); }
/** * Extracts all CRL distribution point URLs from the * "CRL Distribution Point" extension in a X.509 certificate. If CRL * distribution point extension is unavailable, returns an empty list. */ public static List<String> getCrlDistributionPoints(X509Certificate cert) { ASN1InputStream oAsnInStream = null; ASN1InputStream oAsnInStream2 = null; try { byte[] crldpExt = cert.getExtensionValue(Extension.cRLDistributionPoints.getId()); if (crldpExt == null) { List<String> emptyList = new ArrayList<String>(); return emptyList; } oAsnInStream = new ASN1InputStream(new ByteArrayInputStream(crldpExt)); ASN1Primitive derObjCrlDP = oAsnInStream.readObject(); DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP; byte[] crldpExtOctets = dosCrlDP.getOctets(); oAsnInStream2 = new ASN1InputStream(new ByteArrayInputStream(crldpExtOctets)); ASN1Primitive derObj2 = oAsnInStream2.readObject(); CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2); List<String> crlUrls = new ArrayList<String>(); for (DistributionPoint dp : distPoint.getDistributionPoints()) { DistributionPointName dpn = dp.getDistributionPoint(); // Look for URIs in fullName if (dpn != null) { if (dpn.getType() == DistributionPointName.FULL_NAME) { GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); // Look for an URI for (int j = 0; j < genNames.length; j++) { if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) { String url = DERIA5String.getInstance(genNames[j].getName()).getString(); crlUrls.add(url); } } } } } return crlUrls; } catch (IOException ex) { throw new RuntimeException(ex); } finally { org.apache.commons.io.IOUtils.closeQuietly(oAsnInStream); org.apache.commons.io.IOUtils.closeQuietly(oAsnInStream2); } }
public static CrlDistPointExtension create(final DistributionPointName distributionPoint, final ReasonFlags reasons, final GeneralNames cRLIssuer) { final DistributionPoint p = new DistributionPoint(distributionPoint, reasons, cRLIssuer); return create(p); }
/** * Gives back the CRL URI meta-data found within the given X509 certificate. * * @param certificate * the X509 certificate. * @return the CRL URI, or <code>null</code> if the extension is not * present. */ public static URI getCrlUri(X509Certificate certificate) { byte[] crlDistributionPointsValue = certificate .getExtensionValue(Extension.cRLDistributionPoints.getId()); if (null == crlDistributionPointsValue) { return null; } ASN1Sequence seq; try { DEROctetString oct; oct = (DEROctetString) (new ASN1InputStream( new ByteArrayInputStream(crlDistributionPointsValue)) .readObject()); seq = (ASN1Sequence) new ASN1InputStream(oct.getOctets()) .readObject(); } catch (IOException e) { throw new RuntimeException("IO error: " + e.getMessage(), e); } CRLDistPoint distPoint = CRLDistPoint.getInstance(seq); DistributionPoint[] distributionPoints = distPoint .getDistributionPoints(); for (DistributionPoint distributionPoint : distributionPoints) { DistributionPointName distributionPointName = distributionPoint .getDistributionPoint(); if (DistributionPointName.FULL_NAME != distributionPointName .getType()) { continue; } GeneralNames generalNames = (GeneralNames) distributionPointName .getName(); GeneralName[] names = generalNames.getNames(); for (GeneralName name : names) { if (name.getTagNo() != GeneralName.uniformResourceIdentifier) { LOG.debug("not a uniform resource identifier"); continue; } DERIA5String derStr = DERIA5String.getInstance(name.getName()); String str = derStr.getString(); if (false == str.startsWith("http")) { /* * skip ldap:// protocols */ LOG.debug("not HTTP/HTTPS: " + str); continue; } URI uri = toURI(str); return uri; } } return null; }
public static DistributionPoint getDistributionPoint(String uri) { GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(uri)); GeneralNames gns = new GeneralNames(gn); DistributionPointName dpn = new DistributionPointName(0, gns); return new DistributionPoint(dpn, null, null); }
private static List<String> getCrlDistPoints(X509Certificate cert) throws Exception { byte[] crlDistPointExt = cert.getExtensionValue(X509Extension.cRLDistributionPoints.getId()); if (crlDistPointExt == null) { List<String> emptyList = new ArrayList<String>(); return emptyList; } ASN1InputStream asnInStream = new ASN1InputStream(new ByteArrayInputStream(crlDistPointExt)); ASN1Primitive derObjCrlDistPoint = asnInStream.readObject(); DEROctetString derOctStrCrlDistPoint = (DEROctetString) derObjCrlDistPoint; byte[] crlDistPointBytes = derOctStrCrlDistPoint.getOctets(); ASN1InputStream asnInStream2 = new ASN1InputStream(new ByteArrayInputStream(crlDistPointBytes)); ASN1Primitive derObjCrlDistPoint2 = asnInStream2.readObject(); CRLDistPoint crlDistPoints = CRLDistPoint.getInstance(derObjCrlDistPoint2); List<String> crlUrls = new ArrayList<String>(); for (DistributionPoint dPoint: crlDistPoints.getDistributionPoints()) { DistributionPointName dPointName = dPoint.getDistributionPoint(); if (dPointName != null) { if (dPointName.getType() == DistributionPointName.FULL_NAME) { GeneralName[] genNames = GeneralNames.getInstance(dPointName.getName()).getNames(); for (int j = 0; j < genNames.length; j++) { if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) { String url = DERIA5String.getInstance(genNames[j].getName()).getString(); crlUrls.add(url); } } } } } asnInStream.close(); asnInStream2.close(); return crlUrls; }
private void checkExtensionCrlDistributionPoints(StringBuilder failureMsg, byte[] extensionValue, X509IssuerInfo issuerInfo) { CRLDistPoint isCrlDistPoints = CRLDistPoint.getInstance(extensionValue); DistributionPoint[] isDistributionPoints = isCrlDistPoints.getDistributionPoints(); if (isDistributionPoints == null) { addViolation(failureMsg, "size of CRLDistributionPoints", 0, 1); return; } else { int len = isDistributionPoints.length; if (len != 1) { addViolation(failureMsg, "size of CRLDistributionPoints", len, 1); return; } } Set<String> isCrlUrls = new HashSet<>(); for (DistributionPoint entry : isDistributionPoints) { int asn1Type = entry.getDistributionPoint().getType(); if (asn1Type != DistributionPointName.FULL_NAME) { addViolation(failureMsg, "tag of DistributionPointName of CRLDistibutionPoints", asn1Type, DistributionPointName.FULL_NAME); continue; } GeneralNames isDistributionPointNames = GeneralNames.getInstance(entry.getDistributionPoint().getName()); GeneralName[] names = isDistributionPointNames.getNames(); for (int i = 0; i < names.length; i++) { GeneralName name = names[i]; if (name.getTagNo() != GeneralName.uniformResourceIdentifier) { addViolation(failureMsg, "tag of CRL URL", name.getTagNo(), GeneralName.uniformResourceIdentifier); } else { String uri = ((ASN1String) name.getName()).getString(); isCrlUrls.add(uri); } } Set<String> expCrlUrls = issuerInfo.crlUrls(); Set<String> diffs = strInBnotInA(expCrlUrls, isCrlUrls); if (CollectionUtil.isNonEmpty(diffs)) { failureMsg.append("CRL URLs ").append(diffs.toString()) .append(" are present but not expected; "); } diffs = strInBnotInA(isCrlUrls, expCrlUrls); if (CollectionUtil.isNonEmpty(diffs)) { failureMsg.append("CRL URLs ").append(diffs.toString()) .append(" are absent but are required; "); } } }
