/**
 * Renders a DER-encoded deltaCRLIndicator extension value as a hex string followed by
 * {@code NEWLINE}.
 *
 * @param value the raw extension value, decoded through {@code CRLNumber.getInstance}
 * @return the base CRL number in hex, terminated by {@code NEWLINE}
 * @throws IOException declared by the signature; the body itself performs no I/O
 */
private String getDeltaCrlIndicatorStringValue(byte[] value) throws IOException {
    // @formatter:off
    /*
     * deltaCRLIndicator EXTENSION ::= { SYNTAX BaseCRLNumber IDENTIFIED BY
     * id-ce-deltaCRLIndicator }
     *
     * BaseCRLNumber ::= CRLNumber
     *
     * CRLNumber ::= ASN1Integer (0..MAX)
     */
    // @formatter:on
    BigInteger baseCrlNumber = CRLNumber.getInstance(value).getCRLNumber();
    StringBuilder rendered = new StringBuilder();
    rendered.append(HexUtil.getHexString(baseCrlNumber));
    rendered.append(NEWLINE);
    return rendered.toString();
}
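/**
 * Builds a minimal CRL, signed by {@code caKey}, that revokes the single certificate with
 * serial {@code serialNumber}.
 *
 * <p>The CRL is issued under the subject of {@code caCert}, carries an authority key
 * identifier derived from that certificate and a fixed CRL number of 1, and has a
 * nextUpdate 100 seconds after thisUpdate. The revoked entry uses the generation time as
 * its revocation date and {@code privilegeWithdrawn} as the reason.
 *
 * @param caCert CA certificate whose subject becomes the CRL issuer
 * @param caKey CA private key used to sign the CRL
 * @param serialNumber serial number of the certificate to revoke
 * @return the generated CRL, produced through the "BC" provider
 * @throws Exception on any failure of the underlying generator or provider
 */
public static X509CRL createCRL(X509Certificate caCert, PrivateKey caKey, BigInteger serialNumber)
        throws Exception {
    // Validity window of the CRL after thisUpdate, in milliseconds (100 s).
    final long nextUpdateDelayMillis = 100000L;

    X509V2CRLGenerator crlGen = new X509V2CRLGenerator();
    Date now = new Date();
    crlGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert));
    crlGen.setThisUpdate(now);
    crlGen.setNextUpdate(new Date(now.getTime() + nextUpdateDelayMillis));
    crlGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
    crlGen.addCRLEntry(serialNumber, now, CRLReason.privilegeWithdrawn);
    crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(caCert));
    // NOTE(review): the CRL number is constant; RFC 5280 expects it to increase with each
    // CRL an issuer publishes, so repeated calls produce CRLs a relying party cannot order.
    crlGen.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.valueOf(1)));
    return crlGen.generate(caKey, "BC");
}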
/**
 * Builds a CRL for the given CA containing one entry per {@code CRLEntry}, signed with
 * {@code caKey} through the named provider.
 *
 * <p>Every entry is written with the generation time as its revocation date. The CRL
 * carries an authority key identifier built from the CA certificate's public key and a CRL
 * number taken from {@code System.currentTimeMillis()}.
 *
 * @param provider JCA provider name passed to the generator
 * @param caCert CA certificate whose subject DN becomes the CRL issuer
 * @param caKey CA private key used for signing
 * @param entries certificates to list as revoked (serial number and reason)
 * @param expires value for the CRL's nextUpdate field
 * @param signatureAlgorithm signature algorithm name handed to the generator
 * @return the signed CRL
 * @throws Exception on any failure of the ASN.1 parsing, generator or provider
 */
public static X509CRL createCRL(String provider, X509Certificate caCert, PrivateKey caKey,
        CRLEntry[] entries, Date expires, String signatureAlgorithm) throws Exception {
    Date thisUpdate = new Date();
    X509V2CRLGenerator generator = new X509V2CRLGenerator();

    // NOTE(review): rebuilding the issuer from getSubjectDN().getName() round-trips the DN
    // through a string and may not byte-match the CA certificate's encoded subject, which
    // strict validators compare when pairing a CRL with its issuer.
    generator.setIssuerDN(new X509Name(caCert.getSubjectDN().getName()));
    generator.setThisUpdate(thisUpdate);
    generator.setNextUpdate(expires);
    generator.setSignatureAlgorithm(signatureAlgorithm);

    for (CRLEntry entry : entries) {
        generator.addCRLEntry(entry.getCertificateSerialNumber(), thisUpdate, entry.getReason());
    }

    // Re-parse the CA's encoded public key into a SubjectPublicKeyInfo for the AKI extension.
    byte[] encodedCaPublicKey = caCert.getPublicKey().getEncoded();
    ASN1Sequence keyInfoSequence = (ASN1Sequence) new DERInputStream(
            new ByteArrayInputStream(encodedCaPublicKey)).readObject();
    SubjectPublicKeyInfo caKeyInfo = new SubjectPublicKeyInfo(keyInfoSequence);
    generator.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifier(caKeyInfo));

    // Wall-clock millis as the CRL number: increasing as long as the clock never steps back.
    BigInteger crlNumber = BigInteger.valueOf(System.currentTimeMillis());
    generator.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(crlNumber));

    return generator.generateX509CRL(caKey, provider);
}
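/**
 * Generates a fresh, entry-less CRL for the CA registered under {@code caName}.
 *
 * <p>The CRL is issued under the CA's DN, signed with the CA identity's private key using
 * SHA256withRSA through the BouncyCastle provider, and carries an authority key identifier
 * plus a CRL number extension. thisUpdate is the current time and nextUpdate is three hours
 * later. No revoked entries are added.
 *
 * @param caName name of the CA to look up in {@code caRepository}
 * @return the signed CRL
 * @throws RuntimeException if no CA with that name exists, or if CRL generation fails (the
 *     underlying exception is preserved as the cause)
 */
@SuppressWarnings("deprecation") // legacy BC generator API (X509V2CRLGenerator) is deprecated upstream
public X509CRL generateCRL(String caName) {
    // nextUpdate window after thisUpdate, in milliseconds (3 h).
    final long nextUpdateWindowMillis = 3L * 60 * 60 * 1000;
    try {
        CertificateAuthority ca = this.caRepository.findOneByName(caName);
        if (ca == null) {
            throw new RuntimeException("Error getting CRL for non existing CA: " + caName);
        }

        Date now = new Date();
        // Epoch arithmetic instead of the deprecated Date(year, month, day, hour, min)
        // constructor, which interpreted the fields in the local time zone and dropped the
        // seconds; the result is the same instant plus three hours regardless of zone.
        Date nextUpdate = new Date(now.getTime() + nextUpdateWindowMillis);

        X509V2CRLGenerator crlGenerator = new X509V2CRLGenerator();
        String caDN = getCADN(ca);
        crlGenerator.setIssuerDN(new X500Principal(caDN));
        crlGenerator.setThisUpdate(now);
        crlGenerator.setNextUpdate(nextUpdate);
        crlGenerator.setSignatureAlgorithm("SHA256withRSA");

        X509Certificate caCertificate = new JcaX509CertificateConverter()
                .getCertificate(ca.getIdentityContainer().getCertificate());
        crlGenerator.addExtension(Extension.authorityKeyIdentifier, false,
                new AuthorityKeyIdentifierStructure(caCertificate));
        // NOTE(review): RFC 5280 expects the CRL number to increase with every CRL the
        // issuer publishes; a constant 1 means a relying party cannot tell a regenerated
        // CRL from the previous one. Persisting a counter needs repository state not
        // visible here.
        crlGenerator.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.ONE));

        return crlGenerator.generateX509CRL(ca.getIdentityContainer().getPrivateKey(),
                BouncyCastleProvider.PROVIDER_NAME);
    } catch (Exception e) {
        throw new RuntimeException("Error while generating CRL: " + e.getMessage(), e);
    }
}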
/**
 * Generates a minimal, entry-less CRL for {@code issuer}, signed with
 * {@code issuerPrivateKey} via the generator's default provider.
 *
 * <p>thisUpdate is the current time, nextUpdate is 100 seconds later, and the CRL number
 * extension is fixed at 1234. The signature algorithm is SHA1withRSA, a legacy choice that
 * current validators commonly reject; the fixed CRL number likewise gives a relying party
 * no way to order successive CRLs.
 *
 * @param issuer certificate whose subject becomes the CRL issuer
 * @param issuerPrivateKey key used to sign the CRL
 * @return the signed CRL
 * @throws InvalidKeyException if the key cannot be used for signing
 * @throws CRLException if the CRL cannot be encoded
 * @throws IllegalStateException if the generator is not fully configured
 * @throws NoSuchAlgorithmException if the signature algorithm is unavailable
 * @throws SignatureException if signing fails
 */
public static X509CRL generateCrl(X509Certificate issuer, PrivateKey issuerPrivateKey)
        throws InvalidKeyException, CRLException, IllegalStateException,
        NoSuchAlgorithmException, SignatureException {
    Date thisUpdate = new Date();
    Date nextUpdate = new Date(thisUpdate.getTime() + 100000);

    X509V2CRLGenerator generator = new X509V2CRLGenerator();
    generator.setIssuerDN(issuer.getSubjectX500Principal());
    generator.setThisUpdate(thisUpdate);
    generator.setNextUpdate(nextUpdate);
    generator.setSignatureAlgorithm("SHA1withRSA");
    generator.addExtension(X509Extensions.CRLNumber, false,
            new CRLNumber(new BigInteger("1234")));

    return generator.generate(issuerPrivateKey);
}
/**
 * Renders a DER-encoded cRLNumber extension value as a hex string followed by
 * {@code NEWLINE}.
 *
 * @param value the raw extension value, decoded through {@code CRLNumber.getInstance}
 * @return the CRL number in hex, terminated by {@code NEWLINE}
 * @throws IOException declared by the signature; the body itself performs no I/O
 */
private String getCrlNumberStringValue(byte[] value) throws IOException {
    // @formatter:off
    /* CRLNumber ::= ASN1Integer (0..MAX) */
    // @formatter:on
    BigInteger number = CRLNumber.getInstance(value).getCRLNumber();
    return HexUtil.getHexString(number) + NEWLINE;
}
/**
 * Reads the cRLNumber extension of a CRL.
 *
 * @param crl the CRL to inspect
 * @return the decoded CRL number, or {@code null} when the CRL carries no cRLNumber
 *     extension (XAdES 7.4.2 treats the number as an optional hint)
 * @throws IOException if the extension value cannot be decoded
 */
public static BigInteger getCrlNumber(X509CRL crl) throws IOException {
    byte[] encodedNumber = crl.getExtensionValue(X509Extension.cRLNumber.getId());
    // XAdES 7.4.2: "The 'number' element is an optional hint ..."
    if (encodedNumber == null) {
        return null;
    }
    ASN1Object decoded = X509ExtensionUtil.fromExtensionValue(encodedNumber);
    return CRLNumber.getInstance(decoded).getCRLNumber();
}
/**
 * Builds a CRL for the given CA listing every {@code CRLEntry} as revoked, signed with
 * {@code caKey} through the named provider.
 *
 * <p>Each entry's revocation date is the generation time. The CRL carries an authority key
 * identifier built from the CA certificate's public key and a CRL number taken from
 * {@code System.currentTimeMillis()}.
 *
 * @param provider JCA provider name passed to the generator
 * @param caCert CA certificate whose subject DN becomes the CRL issuer
 * @param caKey CA private key used for signing
 * @param entries certificates to list as revoked (serial number and reason)
 * @param expires value for the CRL's nextUpdate field
 * @param signatureAlgorithm signature algorithm name handed to the generator
 * @return the signed CRL
 * @throws Exception on any failure of the ASN.1 parsing, generator or provider
 */
public static X509CRL createCRL(String provider, X509Certificate caCert, PrivateKey caKey,
        CRLEntry[] entries, Date expires, String signatureAlgorithm) throws Exception {
    X509V2CRLGenerator crlGen = new X509V2CRLGenerator();
    Date issuedAt = new Date();

    // NOTE(review): the issuer is rebuilt from the string form of the subject DN, so its
    // encoding may differ from the CA certificate's subject bytes; validators that compare
    // encoded names when matching a CRL to its issuer can reject such a CRL.
    X509Name issuer = new X509Name(caCert.getSubjectDN().getName());
    crlGen.setIssuerDN(issuer);
    crlGen.setThisUpdate(issuedAt);
    crlGen.setNextUpdate(expires);
    crlGen.setSignatureAlgorithm(signatureAlgorithm);

    int entryCount = entries.length;
    for (int idx = 0; idx < entryCount; idx++) {
        CRLEntry entry = entries[idx];
        crlGen.addCRLEntry(entry.getCertificateSerialNumber(), issuedAt, entry.getReason());
    }

    // Parse the CA's encoded public key back into a SubjectPublicKeyInfo for the AKI.
    ASN1InputStream keyStream = new ASN1InputStream(
            new ByteArrayInputStream(caCert.getPublicKey().getEncoded()));
    SubjectPublicKeyInfo caKeyInfo = new SubjectPublicKeyInfo((ASN1Sequence) keyStream.readObject());
    crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifier(caKeyInfo));

    // Wall-clock millis as CRL number: increasing unless the system clock steps backwards.
    crlGen.addExtension(X509Extensions.CRLNumber, false,
            new CRLNumber(BigInteger.valueOf(System.currentTimeMillis())));

    return crlGen.generateX509CRL(caKey, provider);
}
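/**
 * Generate a CRL object.
 *
 * <p>Every entry in {@code revokeEntries} is written with {@code lastUpdate} as its
 * revocation date, so the CRL does not preserve the time at which each certificate was
 * actually revoked. The authority key identifier is derived from the issuer's public key,
 * and the CRL number comes from {@link #getNextCRLNumber} applied to {@code currentCRL}.
 *
 * @param currentCRL The current CRL object in case of an update (may be {@code null}).
 * @param lastUpdate The last update timestamp to set.
 * @param nextUpdate The next update timestamp to set (may be {@code null}).
 * @param revokeEntries The revoked entries, keyed by certificate serial number.
 * @param issuerDN The CRL issuer's DN.
 * @param issuerKey The CRL issuer's key pair.
 * @param signatureAlgorithm The signature algorithm to use for signing.
 * @return The generated CRL object.
 * @throws IOException if an error occurs during generation.
 * @throws CertProviderException if extension creation, signer construction or CRL
 *     conversion fails (the underlying exception is kept as the cause).
 */
public static X509CRL generateCRL(@Nullable X509CRL currentCRL, Date lastUpdate,
        @Nullable Date nextUpdate, Map<BigInteger, ReasonFlag> revokeEntries,
        X500Principal issuerDN, KeyPair issuerKey, SignatureAlgorithm signatureAlgorithm)
        throws IOException {
    LOG.info("CRL generation ''{0}'' started...", issuerDN);

    // Initialize CRL builder
    JcaX509v2CRLBuilder crlBuilder = new JcaX509v2CRLBuilder(issuerDN, lastUpdate);
    if (nextUpdate != null) {
        crlBuilder.setNextUpdate(nextUpdate);
    }
    for (Map.Entry<BigInteger, ReasonFlag> revokeEntry : revokeEntries.entrySet()) {
        crlBuilder.addCRLEntry(revokeEntry.getKey(), lastUpdate, revokeEntry.getValue().value());
    }

    X509CRL crl;
    try {
        // Add extensions
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        crlBuilder.addExtension(Extension.authorityKeyIdentifier, false,
                extensionUtils.createAuthorityKeyIdentifier(issuerKey.getPublic()));
        BigInteger nextCRLNumber = getNextCRLNumber(currentCRL);
        crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(nextCRLNumber));

        // Sign and create CRL object
        ContentSigner crlSigner = new JcaContentSignerBuilder(signatureAlgorithm.algorithm())
                .build(issuerKey.getPrivate());
        crl = new JcaX509CRLConverter().getCRL(crlBuilder.build(crlSigner));
    } catch (GeneralSecurityException | OperatorCreationException e) {
        throw new CertProviderException(e);
    }

    // Fixed: the completion message previously said "CRT generation", which made the
    // start/done pair of log lines impossible to match when reading logs.
    LOG.info("CRL generation ''{0}'' done", issuerDN);
    return crl;
}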