org.bouncycastle.cert.X509CRLHolder Java Examples

Example #1
Source File: HttpMgmtServlet.java — from xipki (Apache License 2.0)
/**
 * Wraps the DER encoding of {@code crl} in a {@link MgmtResponse.ByteArray}.
 *
 * @param action the management action being served, used only for the log message
 * @param crl    the CRL to encode; {@code null} yields a response carrying a {@code null} array
 * @return the response holding the encoded CRL (a {@code null} array when {@code crl} is {@code null})
 * @throws MyException with HTTP status 500 when the CRL cannot be encoded
 */
private static MgmtResponse.ByteArray toByteArray(MgmtAction action, X509CRLHolder crl)
    throws MyException {
  byte[] derCrl = null;
  if (crl != null) {
    try {
      derCrl = crl.getEncoded();
    } catch (IOException ex) {
      // Logged with the action for context; the cause itself is not forwarded to the client.
      LOG.error(action + ": could not encode the generated CRL", ex);
      throw new MyException(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
          "could not encode the generated CRL");
    }
  }
  return new MgmtResponse.ByteArray(derCrl);
}
 
Example #2
Source File: CmpClientImpl.java — from xipki (Apache License 2.0)
/**
 * Downloads a CRL from the CA named {@code caName}.
 *
 * @param caName    name of the CA; normalised to lower case and must not be blank
 * @param crlNumber number of the CRL to fetch, or {@code null} for the CA's current CRL
 * @param debug     request/response debug collector handed to the agent
 * @return the CRL returned by the agent
 * @throws CmpClientException       on client-side failure
 * @throws PkiErrorException        when the CA answers with a PKI error
 * @throws IllegalArgumentException when no CA with that name is configured
 */
@Override
public X509CRLHolder downloadCrl(String caName, BigInteger crlNumber, ReqRespDebug debug)
    throws CmpClientException, PkiErrorException {
  caName = Args.toNonBlankLower(caName, "caName");
  initIfNotInitialized();

  CaConf caConf = casMap.get(caName);
  if (caConf == null) {
    throw new IllegalArgumentException("unknown CA " + caName);
  }

  CmpAgent agent = caConf.getAgent();
  if (crlNumber == null) {
    // No number requested: ask for whatever the CA currently publishes.
    return agent.downloadCurrentCrl(debug);
  }
  return agent.downloadCrl(crlNumber, debug);
}
 
Example #3
Source File: TestCRLCodec.java — from hadoop-ozone (Apache License 2.0)
/**
 * Builds a one-entry CRL signed with the test key pair and checks that
 * {@code CRLCodec.getX509CRL} converts the holder into a JCA {@code X509CRL}.
 */
@Test
public void testGetX509CRLFromCRLHolder() throws IOException,
    OperatorCreationException, CertificateException, CRLException {

  Date issuedAt = new Date();
  X509v2CRLBuilder crlBuilder =
      new X509v2CRLBuilder(x509CertificateHolder.getIssuer(), issuedAt);
  // Revoke the test certificate itself so the CRL has at least one entry.
  crlBuilder.addCRLEntry(x509CertificateHolder.getSerialNumber(), issuedAt,
      CRLReason.cACompromise);

  JcaContentSignerBuilder signerBuilder =
      new JcaContentSignerBuilder(securityConfig.getSignatureAlgo());
  signerBuilder.setProvider(securityConfig.getProvider());
  X509CRLHolder holder = crlBuilder.build(signerBuilder.build(keyPair.getPrivate()));

  X509CRL converted = new CRLCodec(securityConfig).getX509CRL(holder);
  assertNotNull(converted);
}
 
Example #4
Source File: CertActions.java — from xipki (Apache License 2.0)
/**
 * Fetches a CRL for the configured CA via {@code retrieveCrl()} and, when an output
 * file is configured, writes the encoded CRL there.
 *
 * @return always {@code null}; the command reports through {@code saveVerbose}
 * @throws CmdFailure when the CA is unknown or no CRL could be obtained
 */
@Override
protected Object execute0() throws Exception {
  if (caManager.getCa(caName) == null) {
    throw new CmdFailure("CA " + caName + " not available");
  }

  X509CRLHolder fetched;
  try {
    fetched = retrieveCrl();
  } catch (Exception ex) {
    // Only the message survives here; the original exception is not chained.
    throw new CmdFailure("received no CRL from server: " + ex.getMessage());
  }
  if (fetched == null) {
    throw new CmdFailure("received no CRL from server");
  }

  String target = getOutFile();
  if (target == null) {
    return null;
  }
  saveVerbose("saved CRL to file", target, encodeCrl(fetched.getEncoded(), outform));
  return null;
}
 
Example #5
Source File: TlsTestCase.java — from wildfly-core (GNU Lesser General Public License v2.1)
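/**
 * Creates the issuer, the trust store, the two server key stores and a CRL as files
 * in the working directory.
 *
 * @throws IllegalStateException when the working directory cannot be created
 * @throws Exception             propagated from the individual creation helpers
 */
private static void setUpKeyStores() throws Exception {
    File workingDir = new File(WORKING_DIRECTORY_LOCATION);
    // mkdirs() signals failure only through its return value; failing here is clearer
    // than the later, unrelated-looking write error the original silent call produced.
    if (!workingDir.mkdirs() && !workingDir.isDirectory()) {
        throw new IllegalStateException("could not create working directory " + workingDir);
    }

    SelfSignedX509CertificateAndSigningKey issuer = createIssuer();
    KeyStore trustStore = createTrustStore(issuer);

    KeyStore fireflyKeyStore = createFireflyKeyStore(issuer);
    KeyStore localhostKeyStore = createLocalhostKeyStore(issuer);

    createTemporaryKeyStoreFile(trustStore, TRUST_FILE);
    createTemporaryKeyStoreFile(fireflyKeyStore, FIREFLY_FILE);
    createTemporaryKeyStoreFile(localhostKeyStore, LOCALHOST_FILE);

    X509CRLHolder crlHolder = createCRL();
    createTemporaryCRLFile(crlHolder, CRL_FILE);
}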
 
Example #6
Source File: ScepResponder.java — from xipki (Apache License 2.0)
/**
 * Wraps the CA's current CRL in a CMS SignedData structure without encapsulated content.
 *
 * @param ca           the CA whose current CRL is returned
 * @param serialNumber serial number from the request; not consulted here
 * @return the SignedData carrying the CRL
 * @throws FailInfoException  BAD_REQUEST when GetCRL is disabled or the CA has no current CRL
 * @throws OperationException SYSTEM_FAILURE when the CMS structure cannot be generated
 */
private SignedData getCrl(X509Ca ca, BigInteger serialNumber)
    throws FailInfoException, OperationException {
  if (!control.isSupportGetCrl()) {
    throw FailInfoException.BAD_REQUEST;
  }

  CertificateList currentCrl = ca.getBcCurrentCrl();
  if (currentCrl == null) {
    LOG.error("found no CRL");
    throw FailInfoException.BAD_REQUEST;
  }

  CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
  generator.addCRL(new X509CRLHolder(currentCrl));
  try {
    // CMSAbsentContent: the CRL travels in the SignedData's crls field, not as content.
    CMSSignedData signed = generator.generate(new CMSAbsentContent());
    return SignedData.getInstance(signed.toASN1Structure().getContent());
  } catch (CMSException ex) {
    LogUtil.error(LOG, ex, "could not generate CMSSignedData");
    throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
  }
}
 
Example #7
Source File: CaManagerImpl.java — from xipki (Apache License 2.0)
/**
 * Triggers immediate CRL generation for the CA named {@code caName}.
 *
 * @param caName name of the CA; normalised to lower case and must not be blank
 * @return the freshly generated CRL
 * @throws CaMgmtException wrapping any {@code OperationException} raised by the CA
 */
@Override
public X509CRLHolder generateCrlOnDemand(String caName) throws CaMgmtException {
  X509Ca ca = getX509Ca(Args.toNonBlankLower(caName, "caName"));
  try {
    // Message id constant whose name marks this as a management-initiated operation.
    return ca.generateCrlOnDemand(CaAuditConstants.MSGID_ca_mgmt);
  } catch (OperationException ex) {
    throw new CaMgmtException(ex.getMessage(), ex);
  }
}
 
Example #8
Source File: ScepResponder.java — from xipki (Apache License 2.0)
/**
 * Packs {@code crl} into a CMS SignedData with absent content and returns its ContentInfo.
 *
 * @param crl the CRL to embed
 * @return the ContentInfo of the generated SignedData
 * @throws CaException wrapping the {@code CMSException} when generation fails
 */
private ContentInfo createSignedData(CertificateList crl) throws CaException {
  CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
  generator.addCRL(new X509CRLHolder(crl));
  try {
    return generator.generate(new CMSAbsentContent()).toASN1Structure();
  } catch (CMSException ex) {
    throw new CaException(ex.getMessage(), ex);
  }
}
 
Example #9
Source File: Actions.java — from xipki (Apache License 2.0)
/**
 * Requests via SCEP the CRL covering the certificate in {@code certFile} and writes it
 * to {@code outputFile}.
 *
 * @return always {@code null}
 * @throws CmdFailure when the server returns no CRL
 */
@Override
protected Object execute0() throws Exception {
  X509Cert subject = X509Util.parseCert(new File(certFile));
  // The CRL is looked up by the issuer/serial pair of the given certificate.
  X509CRLHolder crl = getScepClient().scepGetCrl(getIdentityKey(), getIdentityCert(),
      subject.getIssuer(), subject.getSerialNumber());
  if (crl == null) {
    throw new CmdFailure("received no CRL from server");
  }
  saveVerbose("saved CRL to file", outputFile, encodeCrl(crl.getEncoded(), outform));
  return null;
}
 
Example #10
Source File: Actions.java — from xipki (Apache License 2.0)
/**
 * Asks the CA to generate a new CRL, recording the exchange for debugging.
 *
 * @return the CRL generated by the CA
 * @throws CmpClientException on client-side failure
 * @throws PkiErrorException  when the CA answers with a PKI error
 */
@Override
protected X509CRLHolder retrieveCrl() throws CmpClientException, PkiErrorException {
  final ReqRespDebug exchange = getReqRespDebug();
  try {
    return client.generateCrl(caName, exchange);
  } finally {
    // Persist the request/response trace even when the call fails.
    saveRequestResponse(exchange);
  }
}
 
Example #11
Source File: Actions.java — from xipki (Apache License 2.0)
/**
 * Downloads the CA's current CRL, recording the exchange for debugging.
 *
 * @return the CRL returned by the CA
 * @throws CmpClientException on client-side failure
 * @throws PkiErrorException  when the CA answers with a PKI error
 */
@Override
protected X509CRLHolder retrieveCrl() throws CmpClientException, PkiErrorException {
  final ReqRespDebug exchange = getReqRespDebug();
  try {
    return client.downloadCrl(caName, exchange);
  } finally {
    // Persist the request/response trace even when the call fails.
    saveRequestResponse(exchange);
  }
}
 
Example #12
Source File: Actions.java — from xipki (Apache License 2.0)
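/**
 * Determines which CA to address, fetches its CRL via {@code retrieveCrl()} and writes
 * the encoded CRL to {@code outFile}.
 *
 * <p>{@code caName} is resolved as follows: when given, it is lower-cased and must be
 * among the client's configured CAs; when absent, the single configured CA is used.
 *
 * @return always {@code null}
 * @throws CmdFailure               when no CA is configured or no CRL is received
 * @throws IllegalCmdParamException when the CA name is unknown or ambiguous
 */
@Override
protected Object execute0() throws Exception {
  if (caName != null) {
    // Locale-independent lowering: under some default locales (e.g. Turkish) 'I'
    // lowers to a dotless i, which would make a configured CA name unmatchable.
    caName = caName.toLowerCase(java.util.Locale.ROOT);
  }

  Set<String> caNames = client.getCaNames();
  if (isEmpty(caNames)) {
    throw new CmdFailure("no CA is configured");
  }

  if (caName == null) {
    if (caNames.size() != 1) {
      throw new IllegalCmdParamException("no CA is specified, one of " + caNames
          + " is required");
    }
    caName = caNames.iterator().next();
  } else if (!caNames.contains(caName)) {
    throw new IllegalCmdParamException("CA " + caName
        + " is not within the configured CAs " + caNames);
  }

  X509CRLHolder crl;
  try {
    crl = retrieveCrl();
  } catch (PkiErrorException ex) {
    // Only the message is forwarded; the PKI error is not chained into CmdFailure.
    throw new CmdFailure("received no CRL from server: " + ex.getMessage());
  }
  if (crl == null) {
    throw new CmdFailure("received no CRL from server");
  }

  saveVerbose("saved CRL to file", outFile, encodeCrl(crl.getEncoded(), outform));
  return null;
}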
 
Example #13
Source File: X509Ca.java — from xipki (Apache License 2.0)
/**
 * Generates a (delta) CRL while recording a performance audit event for the operation.
 *
 * @param deltaCrl   whether a delta CRL rather than a full CRL is produced
 * @param thisUpdate the CRL's thisUpdate time
 * @param nextUpdate the CRL's nextUpdate time
 * @param msgId      message id correlating the audit event with the request
 * @return the generated CRL
 * @throws OperationException propagated from {@code generateCrl0}
 */
private X509CRLHolder generateCrl(boolean deltaCrl, Date thisUpdate, Date nextUpdate,
    String msgId) throws OperationException {
  AuditEvent auditEvent = newPerfAuditEvent(CaAuditConstants.TYPE_gen_crl, msgId);
  boolean completed = false;
  try {
    X509CRLHolder generated =
        generateCrl0(deltaCrl, thisUpdate, nextUpdate, auditEvent, msgId);
    completed = true;
    return generated;
  } finally {
    // completed stays false when generateCrl0 throws, so the audit event records failure.
    finish(auditEvent, completed);
  }
}
 
Example #14
Source File: CRLCodec.java — from hadoop-ozone (Apache License 2.0)
/**
 * Returns the CRL as a PEM encoded String.
 *
 * @param holder - X.509 CRL Holder.
 * @return PEM Encoded CRL String.
 * @throws SCMSecurityException - On failure to convert the holder or create the PEM String.
 */
public static String getPEMEncodedString(X509CRLHolder holder)
    throws SCMSecurityException {
  LOG.trace("Getting PEM version of a CRL.");
  try {
    // Convert to a JCA X509CRL first, then delegate to the X509CRL overload.
    X509CRL crl = getX509CRL(holder);
    return getPEMEncodedString(crl);
  } catch (CRLException exp) {
    throw new SCMSecurityException(exp);
  }
}
 
Example #15
Source File: CaManagerImpl.java — from xipki (Apache License 2.0)
/**
 * Looks up the CRL with number {@code crlNumber} of the CA named {@code caName}.
 *
 * @param caName    name of the CA; normalised to lower case and must not be blank
 * @param crlNumber number of the wanted CRL; must not be {@code null}
 * @return the CRL, or {@code null} (after a warning) when the CA has none with that number
 * @throws CaMgmtException wrapping any {@code OperationException} raised by the CA
 */
@Override
public X509CRLHolder getCrl(String caName, BigInteger crlNumber) throws CaMgmtException {
  caName = Args.toNonBlankLower(caName, "caName");
  Args.notNull(crlNumber, "crlNumber");
  X509Ca ca = getX509Ca(caName);

  X509CRLHolder found;
  try {
    found = ca.getCrl(crlNumber);
  } catch (OperationException ex) {
    throw new CaMgmtException(ex.getMessage(), ex);
  }
  if (found == null) {
    LOG.warn("found no CRL for CA {} and crlNumber {}", caName, crlNumber);
  }
  return found;
}
 
Example #16
Source File: CaManagerImpl.java — from xipki (Apache License 2.0)
/**
 * Returns the current CRL of the CA named {@code caName}.
 *
 * @param caName name of the CA; normalised to lower case and must not be blank
 * @return the current CRL, or {@code null} (after a warning) when the CA has none
 * @throws CaMgmtException wrapping any {@code OperationException} raised by the CA
 */
@Override
public X509CRLHolder getCurrentCrl(String caName) throws CaMgmtException {
  caName = Args.toNonBlankLower(caName, "caName");
  X509Ca ca = getX509Ca(caName);

  X509CRLHolder current;
  try {
    current = ca.getCurrentCrl();
  } catch (OperationException ex) {
    throw new CaMgmtException(ex.getMessage(), ex);
  }
  if (current == null) {
    LOG.warn("found no CRL for CA {}", caName);
  }
  return current;
}
 
Example #17
Source File: CmpResponder.java — from xipki (Apache License 2.0)
/**
 * Generates a CRL on demand after checking that {@code requestor} holds GEN_CRL permission.
 *
 * @param requestor the authenticated requestor; must not be {@code null}
 * @param reqType   request type; not consulted here
 * @param msgId     message id passed to the CA for auditing
 * @return the generated CRL
 * @throws OperationException NOT_PERMITTED when the permission check fails, otherwise
 *                            whatever the CA raises
 */
public X509CRLHolder generateCrlOnDemand(CmpRequestorInfo requestor, RequestType reqType,
    String msgId) throws OperationException {
  Args.notNull(requestor, "requestor");
  try {
    checkPermission(requestor, PermissionConstants.GEN_CRL);
  } catch (InsuffientPermissionException ex) {
    // Only the message is forwarded; the permission exception itself is not chained.
    throw new OperationException(ErrorCode.NOT_PERMITTED, ex.getMessage());
  }
  return getCa().generateCrlOnDemand(msgId);
}
 
Example #18
Source File: CaMgmtClient.java — from xipki (Apache License 2.0)
/**
 * Fetches the CRL with number {@code crlNumber} of CA {@code caName} from the management server.
 *
 * @param caName    name of the CA
 * @param crlNumber number of the wanted CRL
 * @return the CRL parsed from the server's response
 * @throws CaMgmtException when the request fails or the response cannot be parsed
 */
@Override
public X509CRLHolder getCrl(String caName, BigInteger crlNumber) throws CaMgmtException {
  MgmtRequest.GetCrl request = new MgmtRequest.GetCrl();
  request.setCaName(caName);
  request.setCrlNumber(crlNumber);
  return parseCrl(transmit(MgmtAction.getCrl, request));
}
 
Example #19
Source File: CaMgmtClient.java — from xipki (Apache License 2.0)
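/**
 * Decodes a management response into a CRL.
 *
 * @param respBytes the raw response body
 * @return the parsed CRL, or {@code null} when the response carries no CRL bytes
 *         (the server answers with a {@code ByteArray(null)} when the CA has no such CRL)
 * @throws CaMgmtException when the response cannot be parsed as an X.509 CRL
 */
private X509CRLHolder parseCrl(byte[] respBytes) throws CaMgmtException {
  MgmtResponse.ByteArray resp = parse(respBytes, MgmtResponse.ByteArray.class);
  byte[] encodedCrl = resp.getResult();
  if (encodedCrl == null) {
    // Mirror the server side, which sends a null array instead of a CRL; without this
    // check X509Util.parseCrl rejects the null argument (Args.notNull) before any
    // CaMgmtException could be raised.
    return null;
  }

  try {
    return X509Util.parseCrl(encodedCrl);
  } catch (CRLException ex) {
    throw new CaMgmtException("could not parse X.509 CRL", ex);
  }
}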
 
Example #20
Source File: CmpClientImpl.java — from xipki (Apache License 2.0)
/**
 * Asks the CA named {@code caName} to generate a new CRL.
 *
 * @param caName name of the CA; normalised to lower case and must not be blank
 * @param debug  request/response debug collector handed to the agent
 * @return the generated CRL
 * @throws CmpClientException       on client-side failure
 * @throws PkiErrorException        when the CA answers with a PKI error
 * @throws IllegalArgumentException when no CA with that name is configured
 */
@Override
public X509CRLHolder generateCrl(String caName, ReqRespDebug debug)
    throws CmpClientException, PkiErrorException {
  String normalisedName = Args.toNonBlankLower(caName, "caName");
  initIfNotInitialized();

  CaConf caConf = casMap.get(normalisedName);
  if (caConf == null) {
    throw new IllegalArgumentException("unknown CA " + normalisedName);
  }
  return caConf.getAgent().generateCrl(debug);
}
 
Example #21
Source File: CmpAgent.java — from xipki (Apache License 2.0)
/**
 * Sends the xipki-specific GEN_CRL action to the CA and returns the CRL from its reply.
 *
 * @param debug request/response debug collector
 * @return the CRL extracted from the signed response
 * @throws CmpClientException on client-side failure
 * @throws PkiErrorException  when the CA answers with a PKI error
 */
public X509CRLHolder generateCrl(ReqRespDebug debug)
    throws CmpClientException, PkiErrorException {
  final int genCrlAction = XiSecurityConstants.CMP_ACTION_GEN_CRL;
  // No payload: the action code alone identifies the request.
  VerifiedPkiMessage response =
      signAndSend(buildMessageWithXipkiAction(genCrlAction, null), debug);
  return evaluateCrlResponse(response, genCrlAction);
}
 
Example #22
Source File: CmpAgent.java — from xipki (Apache License 2.0)
/**
 * Downloads a CRL from the CA: the current CRL via the standard CMP general message when
 * {@code crlNumber} is {@code null}, otherwise a specific CRL via the xipki-specific action.
 *
 * @param crlNumber number of the wanted CRL, or {@code null} for the current one
 * @param debug     request/response debug collector
 * @return the CRL extracted from the signed response
 * @throws CmpClientException on client-side failure
 * @throws PkiErrorException  when the CA answers with a PKI error
 */
public X509CRLHolder downloadCrl(BigInteger crlNumber, ReqRespDebug debug)
    throws CmpClientException, PkiErrorException {
  PKIMessage request;
  Integer action;
  if (crlNumber != null) {
    // xipki-specific action carrying the wanted CRL number.
    action = XiSecurityConstants.CMP_ACTION_GET_CRL_WITH_SN;
    request = buildMessageWithXipkiAction(action, new ASN1Integer(crlNumber));
  } else {
    // Standard CMP general message; no action code applies to the response check.
    action = null;
    request = buildMessageWithGeneralMsgContent(CMPObjectIdentifiers.it_currentCRL, null);
  }
  return evaluateCrlResponse(signAndSend(request, debug), action);
}
 
Example #23
Source File: Client.java — from xipki (Apache License 2.0)
/**
 * Performs a SCEP GetCRL operation for the certificate identified by issuer and serial.
 *
 * <p>The request is encrypted and then signed with the caller's identity, sent as a
 * PKIOperation, and the reply decoded with the same identity; only a reply whose status is
 * {@code PkiStatus.SUCCESS} is accepted.
 *
 * @param identityKey  private key of the requesting identity
 * @param identityCert certificate of the requesting identity
 * @param issuer       issuer of the certificate whose CRL is wanted
 * @param serialNumber serial number of that certificate
 * @return the CRL taken from the reply's SignedData, or {@code null} when it carries none
 * @throws ScepClientException on transport failure, a non-SUCCESS status, or an unparsable CRL
 */
public X509CRLHolder scepGetCrl(PrivateKey identityKey, X509Cert identityCert,
    X500Name issuer, BigInteger serialNumber) throws ScepClientException {
  Args.notNull(identityKey, "identityKey");
  Args.notNull(identityCert, "identityCert");
  Args.notNull(issuer, "issuer");
  Args.notNull(serialNumber, "serialNumber");

  initIfNotInited();

  PkiMessage getCrlRequest =
      new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCRL);
  getCrlRequest.setMessageData(new IssuerAndSerialNumber(issuer, serialNumber));

  ContentInfo wire = encryptThenSign(getCrlRequest, identityKey, identityCert);
  ScepHttpResponse httpResponse = httpSend(Operation.PKIOperation, wire);
  CMSSignedData signedReply = parsePkiMessage(httpResponse.getContentBytes());
  PkiMessage reply = decode(signedReply, identityKey, identityCert);
  if (reply.getPkiStatus() != PkiStatus.SUCCESS) {
    throw new ScepClientException("server returned " + reply.getPkiStatus());
  }

  ContentInfo payload = ContentInfo.getInstance(reply.getMessageData());
  try {
    return ScepUtil.getCrlFromPkiMessage(SignedData.getInstance(payload.getContent()));
  } catch (CRLException ex) {
    throw new ScepClientException(ex.getMessage(), ex);
  }
}
 
Example #24
Source File: TestCRLCodec.java — from hadoop-ozone (Apache License 2.0)
/**
 * Writes a one-entry CRL through {@code CRLCodec.writeCRL} and checks the revoked entry
 * and the PEM rendering of the same holder.
 */
@Test
public void testGetX509CRL() throws IOException,
    OperatorCreationException, CertificateException, CRLException {

  Date issuedAt = new Date();
  X509v2CRLBuilder crlBuilder =
      new X509v2CRLBuilder(x509CertificateHolder.getIssuer(), issuedAt);
  // Revoke the test certificate itself so the CRL has one entry to look up.
  crlBuilder.addCRLEntry(x509CertificateHolder.getSerialNumber(), issuedAt,
      CRLReason.cACompromise);

  JcaContentSignerBuilder signerBuilder =
      new JcaContentSignerBuilder(securityConfig.getSignatureAlgo());
  signerBuilder.setProvider(securityConfig.getProvider());
  X509CRLHolder holder = crlBuilder.build(signerBuilder.build(keyPair.getPrivate()));

  CRLCodec codec = new CRLCodec(securityConfig);
  codec.writeCRL(holder, this.securityConfig.getCrlName(), true);

  // Looking up serial 1 presumably relies on the fixture certificate having that serial —
  // confirm against the test setup if this assertion starts failing.
  X509CRLEntryHolder revokedEntry = holder.getRevokedCertificate(BigInteger.ONE);
  assertNotNull(revokedEntry);

  String pem = codec.getPEMEncodedString(holder);
  assertNotNull(pem);

  // The PEM rendering must carry the X509 CRL header and footer lines.
  String header = "-----BEGIN X509 CRL-----";
  String footer = "-----END X509 CRL-----";
  assertTrue(pem.contains(header));
  assertTrue(pem.contains(footer));
}
 
Example #25
Source File: CMSSignedDataBuilder.java — from dss (GNU Lesser General Public License v2.1)
/**
 * Re-parses the token's CRL stream into a new {@link X509CRLHolder}.
 *
 * @param crlToken token providing the encoded CRL
 * @return a holder built from the token's CRL bytes
 * @throws DSSException when the stream cannot be read or parsed
 */
private X509CRLHolder getX509CrlHolder(CRLToken crlToken) {
	try (InputStream crlStream = crlToken.getCRLStream()) {
		return new X509CRLHolder(crlStream);
	} catch (IOException e) {
		throw new DSSException("Unable to convert X509CRL to X509CRLHolder", e);
	}
}
 
Example #26
Source File: CMSCRLSource.java — from dss (GNU Lesser General Public License v2.1)
/**
 * Registers every CRL carried in the CMS SignedData's crls field with origin
 * {@code CMS_SIGNED_DATA}.
 */
private void collectFromSignedData() {
	Store<X509CRLHolder> crlStore = cmsSignedData.getCRLs();
	// A null selector matches every entry in the store.
	Collection<X509CRLHolder> allCrls = crlStore.getMatches(null);
	for (X509CRLHolder holder : allCrls) {
		addX509CRLHolder(holder, RevocationOrigin.CMS_SIGNED_DATA);
	}
}
 
Example #27
Source File: CMSCRLSource.java — from dss (GNU Lesser General Public License v2.1)
/**
 * Registers the CRLs found in the RevocationValues attribute {@code revocationValuesAttribute}
 * of {@code attributes}, tagged with {@code origin}; does nothing when the attribute is
 * absent or yields no RevocationValues.
 *
 * @param attributes                the attribute table to search
 * @param revocationValuesAttribute OID of the attribute holding the RevocationValues
 * @param origin                    origin recorded for each CRL found
 */
private void collectRevocationValues(AttributeTable attributes, ASN1ObjectIdentifier revocationValuesAttribute, RevocationOrigin origin) {
	ASN1Encodable encoded = DSSASN1Utils.getAsn1Encodable(attributes, revocationValuesAttribute);
	RevocationValues values = DSSASN1Utils.getRevocationValues(encoded);
	if (values == null) {
		return;
	}
	for (CertificateList certificateList : values.getCrlVals()) {
		addX509CRLHolder(new X509CRLHolder(certificateList), origin);
	}
}
 
Example #28
Source File: CMSCRLSource.java — from dss (GNU Lesser General Public License v2.1)
/**
 * Computes and stores a {@code CRLBinary} for {@code crlHolder}.
 *
 * @param crlHolder {@link X509CRLHolder} to compute values from
 * @param origin    {@link RevocationOrigin} indicating the list where to save the object
 * @throws DSSException when the holder cannot be DER encoded
 */
protected void addX509CRLHolder(X509CRLHolder crlHolder, RevocationOrigin origin) {
	try {
		byte[] encodedCrl = crlHolder.getEncoded();
		addBinary(CRLUtils.buildCRLBinary(encodedCrl), origin);
	} catch (IOException e) {
		throw new DSSException(e);
	}
}
 
Example #29
Source File: X509Util.java — from xipki (Apache License 2.0)
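/**
 * Parses an encoded X.509 CRL.
 *
 * @param encodedCrl the encoded CRL; must not be {@code null}
 * @return the parsed CRL
 * @throws CRLException when the bytes are not a valid X.509 CRL; the parser's
 *                      {@code IOException} is attached as the cause
 */
public static X509CRLHolder parseCrl(byte[] encodedCrl)
    throws CRLException {
  Args.notNull(encodedCrl, "encodedCrl");

  // toDerEncoded presumably normalises PEM input to DER — confirm against its definition.
  byte[] derBytes = toDerEncoded(encodedCrl);
  try {
    return new X509CRLHolder(derBytes);
  } catch (IOException ex) {
    // Chain the parser's exception so the actual decode error is not lost.
    throw new CRLException("the given one is not a valid X.509 CRL", ex);
  }
}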
 
Example #30
Source File: ScepUtil.java — from xipki (Apache License 2.0)
/**
 * Extracts the first CRL from a SCEP reply's SignedData.
 *
 * @param signedData the CMS SignedData from the PKI message; must not be {@code null}
 * @return a holder for the first entry of the crls set, or {@code null} when the set is
 *         absent or empty; any further CRLs in the set are ignored
 * @throws CRLException when the first entry is not a valid CertificateList
 */
public static X509CRLHolder getCrlFromPkiMessage(SignedData signedData) throws CRLException {
  Args.notNull(signedData, "signedData");
  ASN1Set crls = signedData.getCRLs();
  boolean noCrl = crls == null || crls.size() == 0;
  if (noCrl) {
    return null;
  }

  try {
    // Only the first element is consulted.
    CertificateList first = CertificateList.getInstance(crls.getObjectAt(0));
    return new X509CRLHolder(first);
  } catch (IllegalArgumentException ex) {
    throw new CRLException(ex);
  }
}