java.security.cert.X509CRL Java Examples

Example #1
Source File: CertificateValidator.java    From keycloak with Apache License 2.0 7 votes vote down vote up
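/**
 * Fetches a CRL from a remote URI and parses it with the given factory.
 *
 * @param cf        factory handed to {@code loadFromStream} to parse the CRL
 * @param remoteURI location of the CRL; any scheme the JDK has a URL handler for is accepted
 * @return a singleton collection holding the CRL, or an empty list if the download
 *         or parsing failed with an {@link IOException} (the failure is logged)
 * @throws GeneralSecurityException propagated from {@code loadFromStream}
 */
private Collection<X509CRL> loadFromURI(CertificateFactory cf, URI remoteURI) throws GeneralSecurityException {
    // Bound the network wait: without a timeout a stalled CRL server holds up the
    // authentication flow indefinitely. Constructed default; consider making it configurable.
    final int timeoutMillis = 10_000;
    try {
        logger.debugf("Loading CRL from %s", remoteURI.toString());

        URLConnection conn = remoteURI.toURL().openConnection();
        conn.setDoInput(true);
        conn.setUseCaches(false);
        conn.setConnectTimeout(timeoutMillis);
        conn.setReadTimeout(timeoutMillis);
        // Close the response stream once the CRL has been parsed.
        try (java.io.InputStream in = conn.getInputStream()) {
            X509CRL crl = loadFromStream(cf, in);
            return Collections.singleton(crl);
        }
    }
    catch (IOException ex) {
        // The message goes in as an argument, not as the format string, so a '%'
        // in server-supplied text cannot break the logging call.
        logger.errorf("Unable to load CRL from %s: %s", remoteURI, ex.getMessage());
    }
    return Collections.emptyList();
}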
 
Example #2
Source File: CRLCertificateVerifier.java    From oxAuth with MIT License 6 votes vote down vote up
/**
 * Creates a verifier backed by a small, time-limited CRL cache.
 *
 * @param maxCrlSize upper bound on the CRL size this verifier accepts; stored
 *                   here for use by the download path
 */
public CRLCertificateVerifier(final int maxCrlSize) {
	SecurityProviderUtility.installBCProvider(true);

	this.maxCrlSize = maxCrlSize;

	// A cache miss downloads and parses the CRL named by the key. A null result
	// is rejected so "no CRL" is never stored as a value.
	final CacheLoader<String, X509CRL> loader = new CacheLoader<String, X509CRL>() {
		@Override
		public X509CRL load(String crlURL) throws CertificateException, CRLException, NoSuchProviderException, NoSuchParserException, StreamParsingException, MalformedURLException, IOException, ExecutionException {
			return Preconditions.checkNotNull(requestCRL(crlURL));
		}
	};

	// At most ten CRLs are kept and each is refetched an hour after it was
	// written, which bounds how long a stale CRL keeps being consulted.
	this.crlCache = CacheBuilder.newBuilder()
			.maximumSize(10)
			.expireAfterWrite(60, TimeUnit.MINUTES)
			.build(loader);
}
 
Example #3
Source File: X509CRLImpl.java    From jdk8u_jdk with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Extracts the issuer as an {@link X500Principal} by walking the DER
 * encoding of the CRL, so the principal keeps the exact ASN.1 bytes
 * rather than a re-encoded form.
 *
 * Called by java.security.cert.X509CRL.getIssuerX500Principal().
 *
 * @param crl the CRL whose issuer is wanted
 * @return the issuer principal built from the original encoding
 * @throws RuntimeException if the encoding cannot be parsed; the parse
 *         failure is attached as the cause
 */
public static X500Principal getIssuerX500Principal(X509CRL crl) {
    try {
        // CertificateList is a SEQUENCE whose first element is the TBSCertList.
        DerValue tbsCertList = new DerInputStream(crl.getEncoded()).getSequence(3)[0];
        DerInputStream tbs = tbsCertList.data;

        // TBSCertList starts with an OPTIONAL version INTEGER; consume it when present.
        if ((byte) tbs.peekByte() == DerValue.tag_Integer) {
            tbs.getDerValue();
        }
        tbs.getDerValue();                    // signature AlgorithmIdentifier
        DerValue issuer = tbs.getDerValue();  // issuer Name
        return new X500Principal(issuer.toByteArray());
    } catch (Exception e) {
        throw new RuntimeException("Could not parse issuer", e);
    }
}
 
Example #4
Source File: KeyInfoHelper.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Converts every {@code X509CRL} element with a value in the given
 * {@link X509Data} into a Java {@link java.security.cert.X509CRL}.
 *
 * @param x509Data {@link X509Data} to extract the CRLs from; may be null
 *
 * @return the converted CRLs in the order {@code getX509CRLs()} yields them;
 *         empty (never null) when {@code x509Data} is null or holds no values
 *
 * @throws CRLException thrown if there is a problem converting the
 *          CRL data into {@link java.security.cert.X509CRL}s
 */
public static List<X509CRL> getCRLs(X509Data x509Data) throws CRLException {
    List<X509CRL> result = new LinkedList<X509CRL>();
    if (x509Data != null) {
        for (org.opensaml.xml.signature.X509CRL xmlCRL : x509Data.getX509CRLs()) {
            // An element without a value carries nothing to parse; skip rather than fail.
            if (xmlCRL == null || xmlCRL.getValue() == null) {
                continue;
            }
            result.add(getCRL(xmlCRL));
        }
    }
    return result;
}
 
Example #5
Source File: X509CRLImpl.java    From openjdk-jdk8u with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Extract the issuer X500Principal from an X509CRL. The encoded form of
 * the CRL is parsed directly so the principal carries the issuer's
 * original ASN.1 bytes instead of a re-encoding.
 *
 * Called by java.security.cert.X509CRL.getIssuerX500Principal().
 *
 * @param crl the CRL to read the issuer from
 * @return the issuer as an X500Principal
 * @throws RuntimeException (with the cause attached) if parsing fails
 */
public static X500Principal getIssuerX500Principal(X509CRL crl) {
    try {
        byte[] encoded = crl.getEncoded();
        DerValue[] certificateList = new DerInputStream(encoded).getSequence(3);
        DerInputStream tbsCertList = certificateList[0].data;

        // The version INTEGER is OPTIONAL in TBSCertList: consume it only when present.
        boolean hasVersion = (byte) tbsCertList.peekByte() == DerValue.tag_Integer;
        if (hasVersion) {
            tbsCertList.getDerValue();
        }
        tbsCertList.getDerValue();                    // signature
        DerValue issuer = tbsCertList.getDerValue();  // issuer
        return new X500Principal(issuer.toByteArray());
    } catch (Exception e) {
        throw new RuntimeException("Could not parse issuer", e);
    }
}
 
Example #6
Source File: CertificateValidator.java    From keycloak with Apache License 2.0 6 votes vote down vote up
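/**
 * Loads a CRL from a file below the server configuration directory.
 *
 * @param cf           factory handed to {@code loadFromStream} to parse the CRL
 * @param relativePath path of the CRL file, relative to the directory named by
 *                     the {@code jboss.server.config.dir} system property
 * @return a singleton collection holding the CRL; an empty list when the
 *         property is unset, the path is not a regular file, or reading
 *         fails (read failures are logged)
 * @throws GeneralSecurityException propagated from {@code loadFromStream}
 */
private Collection<X509CRL> loadCRLFromFile(CertificateFactory cf, String relativePath) throws GeneralSecurityException {
    String configDir = System.getProperty("jboss.server.config.dir");
    if (configDir == null) {
        return Collections.emptyList();
    }
    // NOTE(review): relativePath is used as given. If it can originate from a
    // less-trusted source than the server configuration, confirm it cannot
    // contain ".." segments that resolve outside configDir.
    File f = new File(configDir, relativePath);
    if (!f.isFile()) {
        return Collections.emptyList();
    }
    logger.debugf("Loading CRL from %s", f.getAbsolutePath());
    try {
        if (!f.canRead()) {
            throw new IOException(String.format("Unable to read CRL from \"%s\"", f.getAbsolutePath()));
        }
        // try-with-resources so the file handle is released after parsing.
        try (FileInputStream in = new FileInputStream(f)) {
            X509CRL crl = loadFromStream(cf, in);
            return Collections.singleton(crl);
        }
    }
    catch (IOException ex) {
        // The message is logged as an argument, not as the format string, so a
        // '%' in a path cannot corrupt the log call.
        logger.errorf("Unable to load CRL from %s: %s", f.getAbsolutePath(), ex.getMessage());
    }
    return Collections.emptyList();
}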
 
Example #7
Source File: TlsResource.java    From qpid-broker-j with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a CRL signed by {@code caPair} that lists the given certificates and
 * writes it, PEM-encoded, to a fresh ".crl" file.
 *
 * @param caPair      issuer key and certificate the CRL is built from
 * @param certificate certificates to include in the CRL
 * @return path of the written file
 * @throws CRLException propagated from the CRL builder, or wrapping the
 *                      {@link IOException} when the file cannot be written
 */
public Path createCrl(final KeyCertificatePair caPair, final X509Certificate... certificate) throws CRLException
{
    final X509CRL crl = TlsResourceBuilder.createCertificateRevocationList(caPair, certificate);
    final Path crlFile;
    try {
        crlFile = createFile(".crl");
        try (FileOutputStream out = new FileOutputStream(crlFile.toFile())) {
            TlsResourceHelper.saveCrlAsPem(out, crl);
        }
    } catch (IOException e) {
        throw new CRLException(e);
    }
    return crlFile;
}
 
Example #8
Source File: Main.java    From Bytecoder with Apache License 2.0 6 votes vote down vote up
/**
 * Writes a CRL to {@code out}: PEM-style when {@code rfc} is set, otherwise
 * the human-readable dump.
 *
 * @param crl the CRL to print; must be an {@link X509CRL}
 * @param out destination stream
 * @throws Exception if the CRL cannot be encoded
 */
private void printCRL(CRL crl, PrintStream out)
        throws Exception {
    X509CRL xcrl = (X509CRL) crl;
    if (rfc) {
        // Base64 body wrapped at 64 columns with the CRLF separator.
        out.println("-----BEGIN X509 CRL-----");
        out.println(Base64.getMimeEncoder(64, CRLF).encodeToString(xcrl.getEncoded()));
        out.println("-----END X509 CRL-----");
        return;
    }
    // Our own implementation can annotate a weak signature algorithm in the
    // dump; any other implementation falls back to its toString().
    String text;
    if (crl instanceof X509CRLImpl) {
        X509CRLImpl impl = (X509CRLImpl) crl;
        text = impl.toStringWithAlgName(withWeak("" + impl.getSigAlgId()));
    } else {
        text = crl.toString();
    }
    out.println(text);
}
 
Example #9
Source File: FileCertificateRepo.java    From cxf with Apache License 2.0 6 votes vote down vote up
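/**
 * Stores the DER encoding of {@code crl} in the CRL directory, in a file
 * named after the issuer DN.
 *
 * @param crl the CRL to persist
 * @param id  caller-supplied key descriptor; not used by this method
 * @throws RuntimeException wrapping any encoding or I/O failure, with the
 *         issuer name in the message
 */
public void saveCRL(X509CRL crl, UseKeyWithType id) {
    String name = crl.getIssuerX500Principal().getName();
    try {
        // convertIdForFileSystem() is relied on to turn the DN into a single
        // safe path component; the ".cer" suffix is kept for compatibility
        // with existing repositories.
        String fileName = convertIdForFileSystem(name) + ".cer";
        File crlDir = new File(storageDir + "/" + CRLS_PATH);
        File certFile = new File(crlDir, fileName);
        // mkdirs() also returns false when the directory already exists, so
        // check the state rather than the return value alone.
        if (!crlDir.isDirectory() && !crlDir.mkdirs()) {
            throw new java.io.IOException("Unable to create directory " + crlDir);
        }
        // try-with-resources closes the stream; no explicit close() needed.
        try (OutputStream os = new BufferedOutputStream(Files.newOutputStream(certFile.toPath()))) {
            os.write(crl.getEncoded());
        }
    } catch (Exception e) {
        throw new RuntimeException("Error saving CRL " + name + ": " + e.getMessage(), e);
    }
}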
 
Example #10
Source File: Main.java    From openjdk-jdk8u with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Prints a CRL either as a PEM block (when {@code rfc} is set) or as the
 * tool's human-readable dump.
 *
 * @param crl the CRL to print; must be an {@link X509CRL}
 * @param out stream to write to
 * @throws Exception if encoding the CRL fails
 */
private void printCRL(CRL crl, PrintStream out)
        throws Exception {
    X509CRL xcrl = (X509CRL) crl;
    if (!rfc) {
        // Human-readable form; the internal implementation gets the
        // weak-algorithm annotation, anything else uses its toString().
        if (crl instanceof X509CRLImpl) {
            X509CRLImpl impl = (X509CRLImpl) crl;
            out.println(impl.toStringWithAlgName(withWeak("" + impl.getSigAlgId())));
        } else {
            out.println(crl.toString());
        }
        return;
    }
    out.println("-----BEGIN X509 CRL-----");
    out.println(Base64.getMimeEncoder(64, CRLF).encodeToString(xcrl.getEncoded()));
    out.println("-----END X509 CRL-----");
}
 
Example #11
Source File: GenerationTests.java    From openjdk-jdk9 with GNU General Public License v2.0 6 votes vote down vote up
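/**
 * Generates signature-x509-crt-crl.xml: a signature whose KeyInfo carries
 * both the signing certificate and the CRL read from the {@code CRL} file.
 *
 * @throws Exception on any I/O, parsing or signing failure
 */
static void test_create_signature_x509_crt_crl() throws Exception {
    System.out.println("* Generating signature-x509-crt-crl.xml");
    List<Object> xds = new ArrayList<>();
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    xds.add(signingCert);
    // try-with-resources so the file is closed even when generateCRL throws.
    X509CRL crl;
    try (FileInputStream fis = new FileInputStream(CRL)) {
        crl = (X509CRL) cf.generateCRL(fis);
    }
    xds.add(crl);
    KeyInfo crt_crl = kifac.newKeyInfo(Collections.singletonList
        (kifac.newX509Data(xds)));

    test_create_signature_external(dsaSha1, crt_crl, signingKey,
        new X509KeySelector(ks), false);
    System.out.println();
}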
 
Example #12
Source File: TestCRLCodec.java    From hadoop-ozone with Apache License 2.0 6 votes vote down vote up
/**
 * Checks that {@code CRLCodec.getX509CRL} turns a freshly built
 * {@link X509CRLHolder} into a non-null {@link X509CRL}.
 */
@Test
public void testGetX509CRLFromCRLHolder() throws IOException,
    OperatorCreationException, CertificateException, CRLException {

  Date issuedAt = new Date();
  // One revoked entry is enough to exercise the conversion.
  X509v2CRLBuilder crlBuilder =
      new X509v2CRLBuilder(x509CertificateHolder.getIssuer(), issuedAt);
  crlBuilder.addCRLEntry(x509CertificateHolder.getSerialNumber(), issuedAt,
                         CRLReason.cACompromise);

  JcaContentSignerBuilder signerBuilder =
      new JcaContentSignerBuilder(securityConfig.getSignatureAlgo());
  signerBuilder.setProvider(securityConfig.getProvider());
  X509CRLHolder holder =
      crlBuilder.build(signerBuilder.build(keyPair.getPrivate()));

  X509CRL converted = new CRLCodec(securityConfig).getX509CRL(holder);
  assertNotNull(converted);
}
 
Example #13
Source File: TestCRLCodec.java    From hadoop-ozone with Apache License 2.0 6 votes vote down vote up
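/**
 * Checks that {@code CRLCodec.writeCRL} creates the CRL file at the codec's
 * location under the configured CRL file name.
 */
@Test
public void testWriteCRLX509() throws IOException,
    OperatorCreationException, CertificateException, CRLException {

  // The CRL under test comes from the TMP_CRL_ENTRY text fixture (presumably
  // PEM). An explicit charset keeps the bytes independent of the platform
  // default. The X509v2CRLBuilder previously constructed here was never used.
  byte[] crlBytes = TMP_CRL_ENTRY.getBytes(java.nio.charset.StandardCharsets.UTF_8);
  try (InputStream inStream = new ByteArrayInputStream(crlBytes)) {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509CRL crl = (X509CRL) cf.generateCRL(inStream);

    CRLCodec crlCodec = new CRLCodec(securityConfig);
    crlCodec.writeCRL(crl);

    // verify file generated or not
    File crlFile =
        Paths.get(crlCodec.getLocation().toString(),
                  this.securityConfig.getCrlName()).toFile();

    assertTrue(crlFile.exists());
  }
}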
 
Example #14
Source File: XadesCSpecification.java    From freehealth-connector with GNU Affero General Public License v3.0 6 votes vote down vote up
/**
 * Appends the post-signature parts: the signing certificate, one reference
 * per CRL returned by the OCSP check, and the OCSP response reference.
 *
 * @param unsignedProps builder receiving the unsigned properties
 * @param sig           signature whose KeyInfo names the signing certificate
 * @param uuid          not used by this method
 * @param options       not used by this method
 * @throws TechnicalConnectorException wrapping any failure as ERROR_GENERAL
 */
public void addOptionalAfterSignatureParts(UnsignedPropertiesBuilder unsignedProps, XMLSignature sig, String uuid, Map<String, Object> options) throws TechnicalConnectorException {
   try {
      X509Certificate signingCert = sig.getKeyInfo().getX509Certificate();
      // Validate the signing certificate under the RECEIVER_MANDATORY OCSP policy
      // and keep the resulting data for the references added below.
      OCSPData ocspData = (OCSPData) OCSPCheckerBuilder.newBuilder()
            .addOCSPPolicy(OCSPPolicy.RECEIVER_MANDATORY)
            .build()
            .validate(signingCert)
            .getData();
      unsignedProps.addCertificate(signingCert);
      for (Object entry : ocspData.getCrls()) {
         unsignedProps.addCrlRef((X509CRL) entry);
      }
      unsignedProps.addOCSPRef(this.convertToOCSPResp(ocspData));
   } catch (Exception e) {
      throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_GENERAL, e, new Object[]{"Unable to add optional Signature parts"});
   }
}
 
Example #15
Source File: PKCS7.java    From Bytecoder with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the X.509 crls listed in this PKCS7 block.
 * @return a clone of the array of X.509 crls or null if none
 *         are specified for the content type.
 */
public X509CRL[] getCRLs() {
    // Hand out a copy so callers cannot alter the block's own array.
    return crls == null ? null : crls.clone();
}
 
Example #16
Source File: RevocationRefs.java    From signer with GNU Lesser General Public License v3.0 5 votes vote down vote up
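/**
 * Builds the {@code CrlValidatedID} revocation reference for a CRL: a
 * SHA-256 hash of its DER encoding plus an identifier made of the issuer
 * name, thisUpdate and, when present, the CRL Number extension.
 *
 * @param crl the CRL to reference
 * @return a CrlValidatedID describing {@code crl}
 * @throws NoSuchAlgorithmException if SHA-256 is unavailable
 * @throws CRLException if the CRL cannot be DER-encoded
 */
private CrlValidatedID makeCrlValidatedID(X509CRL crl)
		throws NoSuchAlgorithmException, CRLException {

	Digest digest = DigestFactory.getInstance().factoryDefault();
	digest.setAlgorithm(DigestAlgorithmEnum.SHA_256);

	OtherHashAlgAndValue otherHashAlgAndValue = new OtherHashAlgAndValue(
				new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256), new DEROctetString(digest.digest(crl.getEncoded())));

	OtherHash hash = new OtherHash(otherHashAlgAndValue);

	// Take the issuer from its DER encoding rather than from the RFC 2253 string
	// form, so the identifier carries exactly the name encoding found in the CRL.
	X500Name issuer = X500Name.getInstance(crl.getIssuerX500Principal().getEncoded());
	DERUTCTime thisUpdate = new DERUTCTime(crl.getThisUpdate());

	CrlIdentifier crlid;
	// 2.5.29.20 is id-ce-cRLNumber
	byte[] crlNumberExt = crl.getExtensionValue("2.5.29.20");
	if (crlNumberExt != null) {
		// getExtensionValue() returns the DER OCTET STRING wrapping the extension;
		// the INTEGER sits inside its octets. Feeding the wrapped bytes straight
		// into ASN1Integer would yield a number that includes the OCTET STRING header.
		byte[] inner = org.bouncycastle.asn1.ASN1OctetString.getInstance(crlNumberExt).getOctets();
		BigInteger crlnumber = ASN1Integer.getInstance(inner).getPositiveValue();
		crlid = new CrlIdentifier(issuer, thisUpdate, crlnumber);
	} else {
		crlid = new CrlIdentifier(issuer, thisUpdate);
	}

	return new CrlValidatedID(hash, crlid);
}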
 
Example #17
Source File: CertPathValidatorUtilities.java    From RipplePower with Apache License 2.0 5 votes vote down vote up
/**
 * Tells whether {@code crl} is a delta CRL, i.e. carries the Delta CRL
 * Indicator extension. Only the critical OID set is consulted, which is
 * where the standard requires that extension to appear.
 *
 * @param crl the CRL to inspect
 * @return true if the critical extension OIDs contain the delta CRL indicator
 */
private static boolean isDeltaCRL(X509CRL crl)
{
    Set<String> criticalOids = crl.getCriticalExtensionOIDs();
    // Per the X509Extension contract the set is null when the CRL has no extensions at all.
    return criticalOids != null
        && criticalOids.contains(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
}
 
Example #18
Source File: AlgorithmChecker.java    From openjdk-jdk8u with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
 * @param crl the target CRL
 * @param variant is the Validator variants of the operation. A null value
 *                passed will set it to Validator.GENERIC.
 * @throws CertPathValidatorException if the CRL cannot be converted to the
 *         internal implementation, or if the algorithm check itself fails
 */
static void check(PublicKey key, X509CRL crl, String variant)
                    throws CertPathValidatorException {
    // Only the signature algorithm identifier is needed; it is reached through
    // X509CRLImpl, whose conversion failure is reported like any other
    // problem in this checker.
    final AlgorithmId algorithmId;
    try {
        algorithmId = X509CRLImpl.toImpl(crl).getSigAlgId();
    } catch (CRLException ce) {
        throw new CertPathValidatorException(ce);
    }
    check(key, algorithmId, variant);
}
 
Example #19
Source File: SparkTrustManager.java    From Spark with Apache License 2.0 5 votes vote down vote up
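/**
 * Downloads the CRLs named in the CRL Distribution Points extension of each
 * certificate in {@code chain}, adds them to {@code crlCollection} and
 * rebuilds {@code crlStore} from that collection.
 *
 * The extension content is chosen by whoever issued the certificate, so only
 * URI names with an http or https scheme are fetched; other schemes the JDK
 * could open (for example {@code file:}) are logged and skipped.
 *
 * @param chain certificates to inspect
 * @return the shared CRL collection (a field, so CRLs gathered by earlier
 *         calls remain in it)
 * @throws IOException if a distribution-point URI is not a well-formed URL
 * @throws CRLException if a CRL could not be downloaded or parsed; the
 *                      underlying exception is attached as the cause
 * @throws CertStoreException, InvalidAlgorithmParameterException,
 *         NoSuchAlgorithmException if the collection CertStore cannot be built
 */
public Collection<X509CRL> loadCRL(X509Certificate[] chain) throws IOException, InvalidAlgorithmParameterException,
        NoSuchAlgorithmException, CertStoreException, CRLException, CertificateException {

    // for each certificate in chain
    for (X509Certificate cert : chain) {
        byte[] cdpValue = cert.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (cdpValue == null) {
            Log.warning("Certificate " + cert.getSubjectX500Principal().getName() + " have no CRLs");
            continue;
        }
        // extract distribution point extension
        ASN1Primitive primitive = JcaX509ExtensionUtils.parseExtensionValue(cdpValue);
        CRLDistPoint distPoint = CRLDistPoint.getInstance(primitive);
        // each distribution point extension can hold a number of distribution points
        for (DistributionPoint d : distPoint.getDistributionPoints()) {
            DistributionPointName dpName = d.getDistributionPoint();
            // Only fullName distribution points can carry URIs
            if (dpName == null || dpName.getType() != DistributionPointName.FULL_NAME) {
                continue;
            }
            for (GeneralName genName : GeneralNames.getInstance(dpName.getName()).getNames()) {
                // Names of other types (e.g. directory names) are not fetchable.
                if (genName.getTagNo() != GeneralName.uniformResourceIdentifier) {
                    continue;
                }
                URL url = new URL(genName.getName().toString());
                String protocol = url.getProtocol();
                if (!"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol)) {
                    Log.warning("Skipping CRL distribution point with unsupported scheme: " + url);
                    continue;
                }
                try {
                    // download from Internet to the collection
                    crlCollection.add(downloadCRL(url));
                } catch (CertificateException | CRLException e) {
                    // keep the cause so the failure stays diagnosable
                    throw new CRLException("Couldn't download CRL", e);
                }
            }
        }
    }
    // Build the collection-backed store once, after every certificate was
    // processed (it is rebuilt even for an empty chain).
    CollectionCertStoreParameters params = new CollectionCertStoreParameters(crlCollection);
    crlStore = CertStore.getInstance("Collection", params);
    return crlCollection;
}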
 
Example #20
Source File: CertUtils.java    From jdk8u_jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Read a bunch of CRLs from files and create a CertStore from them.
 *
 * @param relPath relative path containing CRLs (must end in file.separator)
 * @param fileNames an array of <code>String</code>s that are file names
 * @return the <code>CertStore</code> created
 * @throws Exception on error
 */
public static CertStore createCRLStore(String relPath, String [] fileNames)
    throws Exception {
    Set<X509CRL> crls = new HashSet<X509CRL>();
    // relPath already carries its trailing separator, so the parts are concatenated as-is.
    for (String fileName : fileNames) {
        crls.add(getCRLFromFile(relPath + fileName));
    }
    return CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(crls));
}
 
Example #21
Source File: PKCS7.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Returns the X.509 crls listed in this PKCS7 block.
 * @return a clone of the array of X.509 crls or null if none
 *         are specified for the content type.
 */
public X509CRL[] getCRLs() {
    if (crls == null) {
        return null;
    }
    // Defensive copy: the caller must not be able to alter the block's array.
    return crls.clone();
}
 
Example #22
Source File: AlgorithmChecker.java    From jdk8u_jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
 * @param crl the target CRL
 * @param variant is the Validator variants of the operation. A null value
 *                passed will set it to Validator.GENERIC.
 * @throws CertPathValidatorException if the CRL cannot be converted to
 *         X509CRLImpl, or if the algorithm check fails
 */
static void check(PublicKey key, X509CRL crl, String variant)
                    throws CertPathValidatorException {
    X509CRLImpl impl;
    try {
        impl = X509CRLImpl.toImpl(crl);
    } catch (CRLException ce) {
        // Report conversion trouble the same way as every other failure here.
        throw new CertPathValidatorException(ce);
    }
    check(key, impl.getSigAlgId(), variant);
}
 
Example #23
Source File: CertUtils.java    From openjdk-8 with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Read a bunch of CRLs from files and create a CertStore from them.
 *
 * @param relPath relative path containing CRLs (must end in file.separator)
 * @param fileNames an array of <code>String</code>s that are file names
 * @return the <code>CertStore</code> created
 * @throws Exception on error
 */
public static CertStore createCRLStore(String relPath, String [] fileNames)
    throws Exception {
    Set<X509CRL> loaded = new HashSet<X509CRL>();
    for (String name : fileNames) {
        // relPath is expected to end with the separator, so no joining is done here.
        String path = relPath + name;
        loaded.add(getCRLFromFile(path));
    }
    CollectionCertStoreParameters params = new CollectionCertStoreParameters(loaded);
    return CertStore.getInstance("Collection", params);
}
 
Example #24
Source File: RFC3280CertPathUtilities.java    From ripple-lib-java with ISC License 5 votes vote down vote up
/**
 * Returns the first delta CRL in {@code deltacrls} whose signature verifies
 * with {@code key}.
 *
 * @param deltacrls candidate delta CRLs (elements are cast to X509CRL)
 * @param key       public key expected to have signed the delta CRL
 * @return the first verifying CRL, or null when the set is empty
 * @throws AnnotatedException if no candidate verifies; only the most recent
 *                            verification failure is attached as the cause
 */
protected static X509CRL processCRLH(
    Set deltacrls,
    PublicKey key)
    throws AnnotatedException
{
    Exception failure = null;

    for (Object candidate : deltacrls)
    {
        X509CRL crl = (X509CRL)candidate;
        try
        {
            crl.verify(key);
            return crl;
        }
        catch (Exception e)
        {
            failure = e;   // remember the latest failure for the report below
        }
    }

    if (failure == null)
    {
        return null;
    }
    throw new AnnotatedException("Cannot verify delta CRL.", failure);
}
 
Example #25
Source File: X509V2CRLGenerator.java    From ripple-lib-java with ISC License 5 votes vote down vote up
/**
 * Generates an X.509 CRL for the current issuer and entries, signing with
 * {@code key} through the named provider.
 * @param key the signing key
 * @param provider name of the JCA provider used for signing
 * @return the signed CRL
 * @deprecated use generate()
 */
public X509CRL generateX509CRL(
    PrivateKey      key,
    String          provider)
    throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException
{
    // No random source is supplied; null is passed through to the three-argument overload.
    return this.generateX509CRL(key, provider, null);
}
 
Example #26
Source File: RFC3280CertPathUtilities.java    From ripple-lib-java with ISC License 5 votes vote down vote up
/**
 * Final CRL-processing step: if no earlier step has already marked the
 * certificate revoked, look it up in the complete CRL.
 *
 * @param validDate   time at which validity is being determined
 * @param completecrl the complete (non-delta) CRL to consult
 * @param cert        the certificate being checked
 * @param certStatus  status accumulator; only touched while still UNREVOKED
 * @throws AnnotatedException propagated from the status lookup
 */
protected static void processCRLJ(
    Date validDate,
    X509CRL completecrl,
    Object cert,
    CertStatus certStatus)
    throws AnnotatedException
{
    // A certificate already marked revoked keeps that status.
    if (certStatus.getCertStatus() != CertStatus.UNREVOKED)
    {
        return;
    }
    CertPathValidatorUtilities.getCertStatus(validDate, completecrl, cert, certStatus);
}
 
Example #27
Source File: AlgorithmChecker.java    From openjdk-8-source with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
 * @param crl the target CRL
 * @throws CertPathValidatorException if the CRL cannot be converted to
 *         X509CRLImpl, or if the algorithm check fails
 */
static void check(PublicKey key, X509CRL crl)
                    throws CertPathValidatorException {
    // The algorithm identifier is only reachable through the internal
    // implementation; a conversion failure is surfaced like any other
    // path-validation problem.
    final AlgorithmId sigAlgId;
    try {
        sigAlgId = X509CRLImpl.toImpl(crl).getSigAlgId();
    } catch (CRLException ce) {
        throw new CertPathValidatorException(ce);
    }
    check(key, sigAlgId);
}
 
Example #28
Source File: CRLDistributionPointRevocationChecker.java    From cas4.0.x-server-wechat with Apache License 2.0 5 votes vote down vote up
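/**
 * {@inheritDoc}
 * Looks the certificate's distribution points up in the cache first and
 * otherwise fetches from them in order, caching the first result.
 * @see AbstractCRLRevocationChecker#getCRL(X509Certificate)
 */
@Override
protected X509CRL getCRL(final X509Certificate cert) {
    final URL[] urls = getDistributionPoints(cert);
    // Parameterised logging: the arguments are only rendered when DEBUG is enabled.
    logger.debug("Distribution points for {}: {}.", CertUtils.toString(cert), Arrays.asList(urls));

    // NOTE(review): java.net.URL equals()/hashCode() may resolve host names,
    // so a cache keyed by URL can block on DNS. Keying by
    // url.toExternalForm() would avoid that but changes the key type of
    // existing cache entries, so it is left as-is here.
    for (final URL url : urls) {
        final Element item = this.crlCache.get(url);
        if (item != null) {
            logger.debug("Found CRL in cache for {}", CertUtils.toString(cert));
            return (X509CRL) item.getObjectValue();
        }
    }

    // Try all distribution points and stop at first fetch that succeeds
    for (final URL url : urls) {
        logger.info("Attempting to fetch CRL at {}", url);
        try {
            final X509CRL crl = CertUtils.fetchCRL(new UrlResource(url));
            logger.info("Success. Caching fetched CRL.");
            this.crlCache.put(new Element(url, crl));
            // A null result is cached but does not end the search.
            if (crl != null) {
                return crl;
            }
        } catch (final Exception e) {
            logger.error("Error fetching CRL at {}", url, e);
        }
    }

    // No distribution point yielded a CRL; the caller decides how to treat that.
    return null;
}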
 
Example #29
Source File: Main.java    From jdk8u_jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Returns CRLs described in a X509Certificate's CRLDistributionPoints
 * Extension. Only those containing a general name of type URI are read.
 *
 * @param cert the certificate whose distribution points are consulted
 * @return the X.509 CRLs loaded from the first URI of each distribution
 *         point; empty when the certificate has no such extension
 * @throws Exception propagated from the extension lookup or CRL loading
 */
public static List<CRL> readCRLsFromCert(X509Certificate cert)
        throws Exception {
    List<CRL> result = new ArrayList<>();
    CRLDistributionPointsExtension ext =
            X509CertImpl.toImpl(cert).getCRLDistributionPointsExtension();
    if (ext == null) {
        return result;
    }
    List<DistributionPoint> distPoints =
            ext.get(CRLDistributionPointsExtension.POINTS);
    for (DistributionPoint point : distPoints) {
        GeneralNames fullName = point.getFullName();
        if (fullName == null) {
            continue;
        }
        for (GeneralName name : fullName.names()) {
            if (name.getType() != GeneralNameInterface.NAME_URI) {
                continue;
            }
            String uri = ((URIName) name.getName()).getName();
            for (CRL crl : loadCRLs(uri)) {
                // Anything that is not an X.509 CRL is dropped silently.
                if (crl instanceof X509CRL) {
                    result.add((X509CRL) crl);
                }
            }
            break;  // Different name should point to same CRL
        }
    }
    return result;
}
 
Example #30
Source File: BasicPKIXValidationInformation.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Constructor.
 * 
 * @param anchors certs used as trust anchors during validation
 * @param crls CRLs used during validation
 * @param depth max verification path depth
 */
public BasicPKIXValidationInformation(Collection<X509Certificate> anchors, Collection<X509CRL> crls,
        Integer depth) {
    // The collections are held by reference, not copied: later changes made
    // by the caller are visible through this instance.
    this.trustAnchors = anchors;
    this.trustedCRLs = crls;
    this.verificationDepth = depth;
}