java.security.cert.X509CRL Java Examples

private Collection<X509CRL> loadFromURI(CertificateFactory cf, URI remoteURI) throws GeneralSecurityException {
    try {
        logger.debugf("Loading CRL from %s", remoteURI.toString());

        URLConnection conn = remoteURI.toURL().openConnection();
        conn.setDoInput(true);
        conn.setUseCaches(false);
        X509CRL crl = loadFromStream(cf, conn.getInputStream());
        return Collections.singleton(crl);
    }
    catch(IOException ex) {
        logger.errorf(ex.getMessage());
    }
    return Collections.emptyList();

}
 

public CRLCertificateVerifier(final int maxCrlSize) {
	SecurityProviderUtility.installBCProvider(true);

	this.maxCrlSize = maxCrlSize;
	
	CacheLoader<String, X509CRL> checkedLoader = new CacheLoader<String, X509CRL>() {
		public X509CRL load(String crlURL) throws CertificateException, CRLException, NoSuchProviderException, NoSuchParserException, StreamParsingException, MalformedURLException, IOException, ExecutionException {
			X509CRL result = requestCRL(crlURL);
			Preconditions.checkNotNull(result);

			return result;
		}
	};

	this.crlCache = CacheBuilder.newBuilder().maximumSize(10).expireAfterWrite(60, TimeUnit.MINUTES).build(checkedLoader);
}
 

/**
 * Extract the issuer X500Principal from an X509CRL. Parses the encoded
 * form of the CRL to preserve the principal's ASN.1 encoding.
 *
 * Called by java.security.cert.X509CRL.getIssuerX500Principal().
 */
public static X500Principal getIssuerX500Principal(X509CRL crl) {
    try {
        byte[] encoded = crl.getEncoded();
        DerInputStream derIn = new DerInputStream(encoded);
        DerValue tbsCert = derIn.getSequence(3)[0];
        DerInputStream tbsIn = tbsCert.data;

        DerValue tmp;
        // skip version number if present
        byte nextByte = (byte)tbsIn.peekByte();
        if (nextByte == DerValue.tag_Integer) {
            tmp = tbsIn.getDerValue();
        }

        tmp = tbsIn.getDerValue();  // skip signature
        tmp = tbsIn.getDerValue();  // issuer
        byte[] principalBytes = tmp.toByteArray();
        return new X500Principal(principalBytes);
    } catch (Exception e) {
        throw new RuntimeException("Could not parse issuer", e);
    }
}
 

/**
 * Get a list of the Java {@link java.security.cert.X509CRL}s within the given {@link X509Data}.
 * 
 * @param x509Data {@link X509Data} to extract the CRLs from
 * 
 * @return a list of Java {@link java.security.cert.X509CRL}s
 * 
 * @throws CRLException thrown if there is a problem converting the 
 *          CRL data into {@link java.security.cert.X509CRL}s
 */
public static List<X509CRL> getCRLs(X509Data x509Data) throws CRLException {
    List<X509CRL> crlList = new LinkedList<X509CRL>();

    if (x509Data == null) {
        return crlList;
    }

    for (org.opensaml.xml.signature.X509CRL xmlCRL : x509Data.getX509CRLs()) {
        if (xmlCRL != null && xmlCRL.getValue() != null) {
            X509CRL newCRL = getCRL(xmlCRL);
            crlList.add(newCRL);
        }
    }

    return crlList;
}
 

/**
 * Extract the issuer X500Principal from an X509CRL. Parses the encoded
 * form of the CRL to preserve the principal's ASN.1 encoding.
 *
 * Called by java.security.cert.X509CRL.getIssuerX500Principal().
 */
public static X500Principal getIssuerX500Principal(X509CRL crl) {
    try {
        byte[] encoded = crl.getEncoded();
        DerInputStream derIn = new DerInputStream(encoded);
        DerValue tbsCert = derIn.getSequence(3)[0];
        DerInputStream tbsIn = tbsCert.data;

        DerValue tmp;
        // skip version number if present
        byte nextByte = (byte)tbsIn.peekByte();
        if (nextByte == DerValue.tag_Integer) {
            tmp = tbsIn.getDerValue();
        }

        tmp = tbsIn.getDerValue();  // skip signature
        tmp = tbsIn.getDerValue();  // issuer
        byte[] principalBytes = tmp.toByteArray();
        return new X500Principal(principalBytes);
    } catch (Exception e) {
        throw new RuntimeException("Could not parse issuer", e);
    }
}
 

private Collection<X509CRL> loadCRLFromFile(CertificateFactory cf, String relativePath) throws GeneralSecurityException {
    try {
        String configDir = System.getProperty("jboss.server.config.dir");
        if (configDir != null) {
            File f = new File(configDir + File.separator + relativePath);
            if (f.isFile()) {
                logger.debugf("Loading CRL from %s", f.getAbsolutePath());

                if (!f.canRead()) {
                    throw new IOException(String.format("Unable to read CRL from \"%s\"", f.getAbsolutePath()));
                }
                X509CRL crl = loadFromStream(cf, new FileInputStream(f.getAbsolutePath()));
                return Collections.singleton(crl);
            }
        }
    }
    catch(IOException ex) {
        logger.errorf(ex.getMessage());
    }
    return Collections.emptyList();
}
 

public Path createCrl(final KeyCertificatePair caPair, final X509Certificate... certificate) throws CRLException
{
    final X509CRL crl = TlsResourceBuilder.createCertificateRevocationList(caPair, certificate);

    try
    {
        final Path pkFile = createFile(".crl");
        try (FileOutputStream out = new FileOutputStream(pkFile.toFile()))
        {
            TlsResourceHelper.saveCrlAsPem(out, crl);
        }
        return pkFile;
    }
    catch (IOException e)
    {
        throw new CRLException(e);
    }
}
 

private void printCRL(CRL crl, PrintStream out)
        throws Exception {
    X509CRL xcrl = (X509CRL)crl;
    if (rfc) {
        out.println("-----BEGIN X509 CRL-----");
        out.println(Base64.getMimeEncoder(64, CRLF).encodeToString(xcrl.getEncoded()));
        out.println("-----END X509 CRL-----");
    } else {
        String s;
        if (crl instanceof X509CRLImpl) {
            X509CRLImpl x509crl = (X509CRLImpl) crl;
            s = x509crl.toStringWithAlgName(withWeak("" + x509crl.getSigAlgId()));
        } else {
            s = crl.toString();
        }
        out.println(s);
    }
}
 

public void saveCRL(X509CRL crl, UseKeyWithType id) {
    String name = crl.getIssuerX500Principal().getName();
    try {
        String path = convertIdForFileSystem(name) + ".cer";

        File certFile = new File(storageDir + "/" + CRLS_PATH, path);
        certFile.getParentFile().mkdirs();
        try (OutputStream os = Files.newOutputStream(certFile.toPath());
            BufferedOutputStream bos = new BufferedOutputStream(os)) {
            bos.write(crl.getEncoded());
            bos.close();
        }
    } catch (Exception e) {
        throw new RuntimeException("Error saving CRL " + name + ": " + e.getMessage(), e);
    }
}
 

private void printCRL(CRL crl, PrintStream out)
        throws Exception {
    X509CRL xcrl = (X509CRL)crl;
    if (rfc) {
        out.println("-----BEGIN X509 CRL-----");
        out.println(Base64.getMimeEncoder(64, CRLF).encodeToString(xcrl.getEncoded()));
        out.println("-----END X509 CRL-----");
    } else {
        String s;
        if (crl instanceof X509CRLImpl) {
            X509CRLImpl x509crl = (X509CRLImpl) crl;
            s = x509crl.toStringWithAlgName(withWeak("" + x509crl.getSigAlgId()));
        } else {
            s = crl.toString();
        }
        out.println(s);
    }
}
 

static void test_create_signature_x509_crt_crl() throws Exception {
    System.out.println("* Generating signature-x509-crt-crl.xml");
    List<Object> xds = new ArrayList<>();
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    xds.add(signingCert);
    FileInputStream fis = new FileInputStream(CRL);
    X509CRL crl = (X509CRL) cf.generateCRL(fis);
    fis.close();
    xds.add(crl);
    KeyInfo crt_crl = kifac.newKeyInfo(Collections.singletonList
        (kifac.newX509Data(xds)));

    test_create_signature_external(dsaSha1, crt_crl, signingKey,
        new X509KeySelector(ks), false);
    System.out.println();
}
 

@Test
public void testGetX509CRLFromCRLHolder() throws IOException,
    OperatorCreationException, CertificateException, CRLException {

  X500Name issuer = x509CertificateHolder.getIssuer();
  Date now = new Date();
  X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, now);
  builder.addCRLEntry(x509CertificateHolder.getSerialNumber(), now,
                      CRLReason.cACompromise);

  JcaContentSignerBuilder contentSignerBuilder =
      new JcaContentSignerBuilder(securityConfig.getSignatureAlgo());

  contentSignerBuilder.setProvider(securityConfig.getProvider());
  PrivateKey privateKey = keyPair.getPrivate();
  X509CRLHolder cRLHolder =
      builder.build(contentSignerBuilder.build(privateKey));

  CRLCodec crlCodec = new CRLCodec(securityConfig);

  X509CRL crl = crlCodec.getX509CRL(cRLHolder);
  assertNotNull(crl);
}
 

@Test
public void testWriteCRLX509() throws IOException,
    OperatorCreationException, CertificateException, CRLException {

  X500Name issuer = x509CertificateHolder.getIssuer();
  Date now = new Date();
  X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, now);
  builder.addCRLEntry(x509CertificateHolder.getSerialNumber(), now,
                      CRLReason.cACompromise);

  byte[] crlBytes = TMP_CRL_ENTRY.getBytes();
  try (InputStream inStream = new ByteArrayInputStream(crlBytes)) {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509CRL crl = (X509CRL)cf.generateCRL(inStream);

    CRLCodec crlCodec = new CRLCodec(securityConfig);
    crlCodec.writeCRL(crl);

    // verify file generated or not
    File crlFile =
        Paths.get(crlCodec.getLocation().toString(),
                  this.securityConfig.getCrlName()).toFile();

    assertTrue(crlFile.exists());
  }
}
 

public void addOptionalAfterSignatureParts(UnsignedPropertiesBuilder unsignedProps, XMLSignature sig, String uuid, Map<String, Object> options) throws TechnicalConnectorException {
   try {
      X509Certificate signing = sig.getKeyInfo().getX509Certificate();
      OCSPData ocsp = (OCSPData)OCSPCheckerBuilder.newBuilder().addOCSPPolicy(OCSPPolicy.RECEIVER_MANDATORY).build().validate(signing).getData();
      unsignedProps.addCertificate(signing);
      Iterator i$ = ocsp.getCrls().iterator();

      while(i$.hasNext()) {
         X509CRL crl = (X509CRL)i$.next();
         unsignedProps.addCrlRef(crl);
      }

      unsignedProps.addOCSPRef(this.convertToOCSPResp(ocsp));
   } catch (Exception var9) {
      throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_GENERAL, var9, new Object[]{"Unable to add optional Signature parts"});
   }
}
 

/**
 * Returns the X.509 crls listed in this PKCS7 block.
 * @return a clone of the array of X.509 crls or null if none
 *         are specified for the content type.
 */
public X509CRL[] getCRLs() {
    if (crls != null)
        return crls.clone();
    else
        return null;
}
 

/**
 * 
 * 
 * @param extract
 *            CrlValidatedID from X509CRL
 * @return a CrlValidatedID
 * @throws NoSuchAlgorithmException
 * @throws CRLException
 */

private CrlValidatedID makeCrlValidatedID(X509CRL crl)
		throws NoSuchAlgorithmException, CRLException {

	Digest digest = DigestFactory.getInstance().factoryDefault();
	digest.setAlgorithm(DigestAlgorithmEnum.SHA_256);
	
	OtherHashAlgAndValue otherHashAlgAndValue = new OtherHashAlgAndValue(
				new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256), new DEROctetString(digest.digest(crl.getEncoded())));
	
	OtherHash hash = new OtherHash(otherHashAlgAndValue);

	BigInteger crlnumber;
	CrlIdentifier crlid;
	if (crl.getExtensionValue("2.5.29.20") != null) {
		ASN1Integer varASN1Integer = new ASN1Integer(crl.getExtensionValue("2.5.29.20"));
		crlnumber = varASN1Integer.getPositiveValue();

		crlid = new CrlIdentifier(new X500Name(crl.getIssuerX500Principal()
				.getName()), new DERUTCTime(crl.getThisUpdate()), crlnumber);
	} else {
		crlid = new CrlIdentifier(new X500Name(crl.getIssuerX500Principal()
				.getName()), new DERUTCTime(crl.getThisUpdate()));
	}

	CrlValidatedID crlvid = new CrlValidatedID(hash, crlid);

	return crlvid;
}
 

private static boolean isDeltaCRL(X509CRL crl)
{
    Set critical = crl.getCriticalExtensionOIDs();

    if (critical == null)
    {
        return false;
    }

    return critical.contains(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
}
 

/**
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
 * @param crl the target CRL
 * @param variant is the Validator variants of the operation. A null value
 *                passed will set it to Validator.GENERIC.
 */
static void check(PublicKey key, X509CRL crl, String variant)
                    throws CertPathValidatorException {

    X509CRLImpl x509CRLImpl = null;
    try {
        x509CRLImpl = X509CRLImpl.toImpl(crl);
    } catch (CRLException ce) {
        throw new CertPathValidatorException(ce);
    }

    AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
    check(key, algorithmId, variant);
}
 

public Collection<X509CRL> loadCRL(X509Certificate[] chain) throws IOException, InvalidAlgorithmParameterException,
        NoSuchAlgorithmException, CertStoreException, CRLException, CertificateException {

    // for each certificate in chain
    for (X509Certificate cert : chain) {
        if (cert.getExtensionValue(Extension.cRLDistributionPoints.getId()) != null) {
            ASN1Primitive primitive = JcaX509ExtensionUtils
                    .parseExtensionValue(cert.getExtensionValue(Extension.cRLDistributionPoints.getId()));
            // extract distribution point extension
            CRLDistPoint distPoint = CRLDistPoint.getInstance(primitive);
            DistributionPoint[] dp = distPoint.getDistributionPoints();
            // each distribution point extension can hold number of distribution points
            for (DistributionPoint d : dp) {
                DistributionPointName dpName = d.getDistributionPoint();
                // Look for URIs in fullName
                if (dpName != null && dpName.getType() == DistributionPointName.FULL_NAME) {
                    GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                    // Look for an URI
                    for (GeneralName genName : genNames) {
                        // extract url
                        URL url = new URL(genName.getName().toString());
                        try {
                            // download from Internet to the collection
                            crlCollection.add(downloadCRL(url));
                        } catch (CertificateException | CRLException e) {
                            throw new CRLException("Couldn't download CRL");
                        }
                    }
                }
            }
        } else {
            Log.warning("Certificate " + cert.getSubjectX500Principal().getName().toString() + " have no CRLs");
        }
        // parameters for cert store is collection type, using collection with crl create parameters
        CollectionCertStoreParameters params = new CollectionCertStoreParameters(crlCollection);
        // this parameters are next used for creation of certificate store with crls
        crlStore = CertStore.getInstance("Collection", params);
    }
    return crlCollection;
}
 

/**
 * Read a bunch of CRLs from files and create a CertStore from them.
 *
 * @param relPath relative path containing CRLs (must end in file.separator)
 * @param fileNames an array of <code>String</code>s that are file names
 * @return the <code>CertStore</code> created
 * @throws Exception on error
 */
public static CertStore createCRLStore(String relPath, String [] fileNames)
    throws Exception {
    Set<X509CRL> crls = new HashSet<X509CRL>();
    for (int i = 0; i < fileNames.length; i++) {
        crls.add(getCRLFromFile(relPath + fileNames[i]));
    }
    return CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(crls));
}
 

/**
 * Returns the X.509 crls listed in this PKCS7 block.
 * @return a clone of the array of X.509 crls or null if none
 *         are specified for the content type.
 */
public X509CRL[] getCRLs() {
    if (crls != null)
        return crls.clone();
    else
        return null;
}
 

/**
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
 * @param crl the target CRL
 * @param variant is the Validator variants of the operation. A null value
 *                passed will set it to Validator.GENERIC.
 */
static void check(PublicKey key, X509CRL crl, String variant)
                    throws CertPathValidatorException {

    X509CRLImpl x509CRLImpl = null;
    try {
        x509CRLImpl = X509CRLImpl.toImpl(crl);
    } catch (CRLException ce) {
        throw new CertPathValidatorException(ce);
    }

    AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
    check(key, algorithmId, variant);
}
 

/**
 * Read a bunch of CRLs from files and create a CertStore from them.
 *
 * @param relPath relative path containing CRLs (must end in file.separator)
 * @param fileNames an array of <code>String</code>s that are file names
 * @return the <code>CertStore</code> created
 * @throws Exception on error
 */
public static CertStore createCRLStore(String relPath, String [] fileNames)
    throws Exception {
    Set<X509CRL> crls = new HashSet<X509CRL>();
    for (int i = 0; i < fileNames.length; i++) {
        crls.add(getCRLFromFile(relPath + fileNames[i]));
    }
    return CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(crls));
}
 

protected static X509CRL processCRLH(
    Set deltacrls,
    PublicKey key)
    throws AnnotatedException
{
    Exception lastException = null;

    for (Iterator it = deltacrls.iterator(); it.hasNext();)
    {
        X509CRL crl = (X509CRL)it.next();
        try
        {
            crl.verify(key);
            return crl;
        }
        catch (Exception e)
        {
            lastException = e;
        }
    }

    if (lastException != null)
    {
        throw new AnnotatedException("Cannot verify delta CRL.", lastException);
    }
    return null;
}
 

/**
 * generate an X509 certificate, based on the current issuer and subject
 * using the passed in provider for the signing.
 * @deprecated use generate()
 */
public X509CRL generateX509CRL(
    PrivateKey      key,
    String          provider)
    throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException
{
    return generateX509CRL(key, provider, null);
}
 

protected static void processCRLJ(
    Date validDate,
    X509CRL completecrl,
    Object cert,
    CertStatus certStatus)
    throws AnnotatedException
{
    if (certStatus.getCertStatus() == CertStatus.UNREVOKED)
    {
        CertPathValidatorUtilities.getCertStatus(validDate, completecrl, cert, certStatus);
    }
}
 

/**
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
 * @param crl the target CRL
 */
static void check(PublicKey key, X509CRL crl)
                    throws CertPathValidatorException {

    X509CRLImpl x509CRLImpl = null;
    try {
        x509CRLImpl = X509CRLImpl.toImpl(crl);
    } catch (CRLException ce) {
        throw new CertPathValidatorException(ce);
    }

    AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
    check(key, algorithmId);
}
 

/**
 * {@inheritDoc}
 * @see AbstractCRLRevocationChecker#getCRL(X509Certificate)
 */
@Override
protected X509CRL getCRL(final X509Certificate cert) {
    final URL[] urls = getDistributionPoints(cert);
    logger.debug(String.format(
            "Distribution points for %s: %s.",
            CertUtils.toString(cert), Arrays.asList(urls)));

    Element item;
    for (URL url : urls) {
        item = this.crlCache.get(url);
        if (item != null) {
            logger.debug("Found CRL in cache for {}", CertUtils.toString(cert));
            return (X509CRL) item.getObjectValue();
        }
    }

    // Try all distribution points and stop at first fetch that succeeds
    X509CRL crl = null;
    for (int i = 0; i < urls.length && crl == null; i++) {
        logger.info("Attempting to fetch CRL at {}", urls[i]);
        try {
            crl = CertUtils.fetchCRL(new UrlResource(urls[i]));
            logger.info("Success. Caching fetched CRL.");
            this.crlCache.put(new Element(urls[i], crl));
        } catch (final Exception e) {
            logger.error("Error fetching CRL at {}", urls[i], e);
        }
    }

    return crl;
}
 

/**
 * Returns CRLs described in a X509Certificate's CRLDistributionPoints
 * Extension. Only those containing a general name of type URI are read.
 */
public static List<CRL> readCRLsFromCert(X509Certificate cert)
        throws Exception {
    List<CRL> crls = new ArrayList<>();
    CRLDistributionPointsExtension ext =
            X509CertImpl.toImpl(cert).getCRLDistributionPointsExtension();
    if (ext == null) return crls;
    List<DistributionPoint> distPoints =
            ext.get(CRLDistributionPointsExtension.POINTS);
    for (DistributionPoint o: distPoints) {
        GeneralNames names = o.getFullName();
        if (names != null) {
            for (GeneralName name: names.names()) {
                if (name.getType() == GeneralNameInterface.NAME_URI) {
                    URIName uriName = (URIName)name.getName();
                    for (CRL crl: loadCRLs(uriName.getName())) {
                        if (crl instanceof X509CRL) {
                            crls.add((X509CRL)crl);
                        }
                    }
                    break;  // Different name should point to same CRL
                }
            }
        }
    }
    return crls;
}
 

/**
 * Constructor.
 * 
 * @param anchors certs used as trust anchors during validation
 * @param crls CRLs used during validation
 * @param depth max verification path depth
 */
public BasicPKIXValidationInformation(Collection<X509Certificate> anchors, Collection<X509CRL> crls,
        Integer depth) {
    
    trustAnchors = anchors;
    trustedCRLs = crls;
    verificationDepth = depth;
}