Java Code Examples for java.security.cert.X509CRL#getIssuerX500Principal()

The following examples show how to use java.security.cert.X509CRL#getIssuerX500Principal(). The project and source file each example comes from are given in its heading. In every case the returned X500Principal is used to pick the certificate that should have signed the CRL; note that a matching name on its own proves nothing about who produced the CRL, and the examples that matter (1 and 2) follow the name match with X509CRL.verify() against that certificate's public key.
Example 1
Source File: CRLUtilsX509CRLImpl.java    From dss with GNU Lesser General Public License v2.1
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.X509CRL;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.Extension;
// CRLBinary, CRLValidity, X509CRLValidity, CertificateToken, KeyUsageBit and SignatureAlgorithm are
// dss's own types and come from the project's packages; loadCRL, checkSignatureValue and the two
// extract* helpers are other methods of this class.

/**
 * This method verifies the signature of the CRL, the key usage of its signing certificate, and whether the
 * issuer name of the CRL matches the subject name of the certificate assumed to have signed it. A dedicated
 * {@code CRLValidity} object is created and populated with the results.
 *
 * @param crlBinary
 *            {@code CRLBinary} holding the encoded CRL to validate (cannot be null)
 * @param issuerToken
 *            {@code CertificateToken} assumed to have signed the {@code X509CRL} (cannot be null)
 * @return {@code CRLValidity}
 */
@Override
public CRLValidity buildCRLValidity(final CRLBinary crlBinary, final CertificateToken issuerToken) throws IOException {
	
	final X509CRLValidity crlValidity = new X509CRLValidity(crlBinary);
	
	try (InputStream bais = crlValidity.toCRLInputStream()) {
		
		X509CRL x509CRL = loadCRL(bais);
		crlValidity.setX509CRL(x509CRL);

		final String sigAlgOID = x509CRL.getSigAlgOID();
		final byte[] sigAlgParams = x509CRL.getSigAlgParams();
		crlValidity.setSignatureAlgorithm(SignatureAlgorithm.forOidAndParams(sigAlgOID, sigAlgParams));
		crlValidity.setThisUpdate(x509CRL.getThisUpdate());
		crlValidity.setNextUpdate(x509CRL.getNextUpdate());

		// Name match only: X500Principal.equals() compares RFC 2253 canonical forms, so case and
		// spacing differences in the DNs do not matter. This records that the names agree; it is
		// checkSignatureValue() below that proves issuerToken actually signed the CRL.
		final X500Principal x509CRLIssuerX500Principal = x509CRL.getIssuerX500Principal();
		final X500Principal issuerTokenSubjectX500Principal = issuerToken.getSubject().getPrincipal();
		if (x509CRLIssuerX500Principal.equals(issuerTokenSubjectX500Principal)) {
			crlValidity.setIssuerX509PrincipalMatches(true);
		}

		crlValidity.setCriticalExtensionsOid(x509CRL.getCriticalExtensionOIDs());
		extractIssuingDistributionPointBinary(crlValidity, x509CRL.getExtensionValue(Extension.issuingDistributionPoint.getId()));
		extractExpiredCertsOnCRL(crlValidity, x509CRL.getExtensionValue(Extension.expiredCertsOnCRL.getId()));

		checkSignatureValue(x509CRL, issuerToken, crlValidity);
		// The cRLSign key-usage bit is only meaningful once the signature has verified under issuerToken's key
		if (crlValidity.isSignatureIntact()) {
			crlValidity.setCrlSignKeyUsage(issuerToken.checkKeyUsage(KeyUsageBit.CRL_SIGN));
		}
		
	}
	
	return crlValidity;
	
}
 
Example 2
Source File: CRLUtils.java    From keycloak with Apache License 2.0
import java.security.GeneralSecurityException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import org.keycloak.models.KeycloakSession;
// log is the class's JBoss logger; findCRLSignatureCertificateInTruststore is a private helper of CRLUtils

/**
 * Check the signature on the CRL and check that the 1st certificate from the chain (the actual certificate of the client)
 * is not listed on the CRL.
 *
 * @param certs The 1st certificate is the actual certificate of the user. The other certificates represent the certificate chain
 * @param crl Given CRL
 * @param session Keycloak session, used to reach the truststore when the CRL issuer is not in the chain
 * @throws GeneralSecurityException if some error in validation happens. Typically certificate not valid, or CRL signature not valid
 */
public static void check(X509Certificate[] certs, X509CRL crl, KeycloakSession session) throws GeneralSecurityException {
    if (certs.length < 2) {
        throw new GeneralSecurityException("Not possible to verify signature on CRL. X509 certificate doesn't have CA chain available on it");
    }

    X500Principal crlIssuerPrincipal = crl.getIssuerX500Principal();
    X509Certificate crlSignatureCertificate = null;

    // Try to find the certificate in the CA chain which was used to sign the CRL.
    // This is a name match only (canonical DN comparison); crl.verify() below is what proves it.
    for (int i = 1; i < certs.length; i++) {
        X509Certificate currentCACert = certs[i];
        if (crlIssuerPrincipal.equals(currentCACert.getSubjectX500Principal())) {
            crlSignatureCertificate = currentCACert;

            log.tracef("Found certificate used to sign CRL in the CA chain of the certificate. CRL issuer: %s", crlIssuerPrincipal);
            break;
        }
    }

    // Try to find the CRL issuer certificate in the truststore
    if (crlSignatureCertificate == null) {
        log.tracef("Not found CRL issuer '%s' in the CA chain of the certificate. Fallback to lookup CRL issuer in the truststore", crlIssuerPrincipal);
        crlSignatureCertificate = findCRLSignatureCertificateInTruststore(session, certs, crlIssuerPrincipal);
    }
    if (crlSignatureCertificate == null) {
        throw new GeneralSecurityException("Not possible to verify signature on CRL. CRL issuer certificate not found: " + crlIssuerPrincipal.getName());
    }

    // Verify signature on CRL. Note that the CRL's thisUpdate/nextUpdate window is not checked in this method.
    // TODO: It will be nice to cache CRLs and also verify their signatures just once at the time when CRL is loaded, rather than in every request
    crl.verify(crlSignatureCertificate.getPublicKey());

    // Finally check whether the client certificate itself is listed on the CRL
    if (crl.isRevoked(certs[0])) {
        String message = String.format("Certificate has been revoked, certificate's subject: %s", certs[0].getSubjectX500Principal().getName());
        log.debug(message);
        throw new GeneralSecurityException(message);
    }
}
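Examples 1 and 2 both pick the CRL signer by comparing getIssuerX500Principal() with a candidate's subject and then rely on a separate signature check. The following is an added example, not code from dss, Keycloak or any other project on this page, that puts the whole sequence in one runnable program: select the signer by issuer name, require the cRLSign key-usage bit, verify the CRL signature, check the thisUpdate/nextUpdate window, and only then consult isRevoked(). It also shows why the name match alone is not enough: a second CA generated with the same DN but its own key passes the name comparison and is rejected by verify(). It assumes BouncyCastle (bcprov and bcpkix) on the classpath; the class, method names and DNs are made up for the demo, and the CA, client certificates and CRL are generated in-process so it runs offline.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example (not dss or Keycloak code): the CRL-issuer lookup pattern with the checks it needs around it
public class CrlIssuerCheckDemo {
    static final long DAY_MS = 86_400_000L;
    static KeyPair newRsaKey() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }
    static ContentSigner signerFor(KeyPair kp) throws Exception {
        return new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
    }

    // Self-signed CA; the cRLSign key-usage bit is asserted only when crlSign is true
    static X509Certificate makeCa(String dn, KeyPair kp, boolean crlSign) throws Exception {
        X500Principal name = new X500Principal(dn);
        Date now = new Date();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, now, new Date(now.getTime() + DAY_MS), name, kp.getPublic());
        b.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.keyCertSign | (crlSign ? KeyUsage.cRLSign : 0)));
        return new JcaX509CertificateConverter().getCertificate(b.build(signerFor(kp)));
    }

    // End-entity certificate with the given serial, issued under the CA's name and key
    static X509Certificate makeLeaf(X509Certificate ca, KeyPair caKey, long serial) throws Exception {
        Date now = new Date();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(ca.getSubjectX500Principal(),
                BigInteger.valueOf(serial), now, new Date(now.getTime() + DAY_MS),
                new X500Principal("CN=client-" + serial), newRsaKey().getPublic());
        return new JcaX509CertificateConverter().getCertificate(b.build(signerFor(caKey)));
    }

    // CRL issued under the CA's name and key, revoking a single serial
    static X509CRL makeCrl(X509Certificate ca, KeyPair caKey, long revokedSerial) throws Exception {
        Date now = new Date();
        JcaX509v2CRLBuilder b = new JcaX509v2CRLBuilder(ca.getSubjectX500Principal(), now);
        b.setNextUpdate(new Date(now.getTime() + DAY_MS));
        b.addCRLEntry(BigInteger.valueOf(revokedSerial), now, CRLReason.keyCompromise);
        return new JcaX509CRLConverter().getCRL(b.build(signerFor(caKey)));
    }

    // Select the signer by issuer name, require cRLSign, verify the signature, then check freshness
    static X509Certificate checkCrl(X509CRL crl, Date at, X509Certificate... candidates)
            throws GeneralSecurityException {
        X500Principal crlIssuer = crl.getIssuerX500Principal();
        X509Certificate issuer = Arrays.stream(candidates)
                .filter(c -> crlIssuer.equals(c.getSubjectX500Principal()))   // canonical-form DN comparison
                .findFirst()
                .orElseThrow(() -> new GeneralSecurityException("no candidate for CRL issuer " + crlIssuer.getName()));
        boolean[] ku = issuer.getKeyUsage();
        if (ku != null && !ku[6]) {   // bit 6 is cRLSign in the RFC 5280 KeyUsage bit order
            throw new GeneralSecurityException("issuer lacks cRLSign: " + crlIssuer.getName());
        }
        crl.verify(issuer.getPublicKey());   // the name match proves nothing by itself; this does
        Date next = crl.getNextUpdate();
        if (crl.getThisUpdate().after(at) || (next != null && next.before(at))) {
            throw new GeneralSecurityException("CRL is outside its thisUpdate/nextUpdate window");
        }
        return issuer;
    }

    public static void main(String[] args) throws Exception {
        KeyPair caKey = newRsaKey();
        X509Certificate ca = makeCa("CN=Test CA, O=Example", caKey, true);
        X509CRL crl = makeCrl(ca, caKey, 42);
        // equals() works on the RFC 2253 canonical form, so this differently written DN still matches
        System.out.println("DN match: " + new X500Principal("cn=test ca,o=example").equals(crl.getIssuerX500Principal()));
        X509Certificate who = checkCrl(crl, new Date(), ca);
        System.out.println("signer: " + who.getSubjectX500Principal().getName()
                + ", 42 revoked: " + crl.isRevoked(makeLeaf(ca, caKey, 42)) + ", 43 revoked: " + crl.isRevoked(makeLeaf(ca, caKey, 43)));
        // A lookalike CA with the same DN but its own key passes the name match and fails verify()
        X509Certificate impostor = makeCa("CN=Test CA, O=Example", newRsaKey(), true);
        try {
            checkCrl(crl, new Date(), impostor);
        } catch (GeneralSecurityException e) {
            System.out.println("lookalike rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Compile and run with bcprov and bcpkix on the classpath (`javac -cp bcprov.jar:bcpkix.jar CrlIssuerCheckDemo.java && java -cp .:bcprov.jar:bcpkix.jar CrlIssuerCheckDemo`). The order of checks in checkCrl() is deliberate: the cheap DN comparison narrows the candidates, the key-usage bit rejects certificates that were never meant to sign CRLs before any signature work is done, verify() is the only step that authenticates the CRL, and the freshness check goes last because a stale CRL with a valid signature is a replay rather than a forgery and deserves a different error.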
 
Example 3
Source File: ResourceCRLRevocationChecker.java    From cas4.0.x-server-wechat with Apache License 2.0
import java.security.cert.X509CRL;
import javax.security.auth.x500.X500Principal;
// logger is the class's SLF4J logger; crlIssuerMap is a Map<X500Principal, X509CRL> field of this class

/**
 * Adds the given CRL to the collection of CRLs held by this class, keyed by its issuer.
 * X500Principal implements equals() and hashCode() over the RFC 2253 canonical form of the name,
 * so it is a sound map key: the same issuer written with different case or spacing maps to one entry.
 *
 * @param crl The crl to add
 */
protected void addCrl(final X509CRL crl) {
    final X500Principal issuer = crl.getIssuerX500Principal();
    logger.debug("Adding CRL for issuer {}", issuer);
    this.crlIssuerMap.put(issuer, crl);
}
 
Example 4
Source File: CertPathValidatorUtilities.java    From RipplePower with Apache License 2.0
protected static X500Principal getIssuerPrincipal(X509CRL crl)
{
    return crl.getIssuerX500Principal();
}
 
Example 5
Source File: CertPathValidatorUtilities.java    From ripple-lib-java with ISC License
protected static X500Principal getIssuerPrincipal(X509CRL crl)
{
    return crl.getIssuerX500Principal();
}