Java Code Examples for org.bouncycastle.asn1.x509.IssuingDistributionPoint

The following are top voted examples for showing how to use org.bouncycastle.asn1.x509.IssuingDistributionPoint. These examples are extracted from open source projects.
Example 1
Project: gwt-crypto   File: IssuingDistributionPointUnitTest.java
/**
 * Runs the IssuingDistributionPoint checks: three round trips through
 * {@code checkPoint}, then a negative test of {@code getInstance()}.
 * <p>
 * The first argument of each {@code checkPoint} call is the {@code size}
 * value that call expects for the given combination of fields.
 *
 * @throws Exception if one of the round-trip checks raises one.
 */
public void performTest()
    throws Exception
{
    GeneralName testName = new GeneralName(new X500Name("cn=test"));
    DistributionPointName name = new DistributionPointName(new GeneralNames(testName));
    ReasonFlags reasonFlags = new ReasonFlags(ReasonFlags.cACompromise);

    // every field supplied
    checkPoint(6, name, true, true, reasonFlags, true, true);

    // name and reasons only, all booleans false
    checkPoint(2, name, false, false, reasonFlags, false, false);

    // nothing supplied
    checkPoint(0, null, false, false, null, false, false);

    // Negative case: an arbitrary object must be refused rather than
    // silently turned into an IssuingDistributionPoint.
    try
    {
        IssuingDistributionPoint.getInstance(new Object());

        fail("getInstance() failed to detect bad object.");
    }
    catch (IllegalArgumentException expected)
    {
        // rejection is the outcome this test wants
    }
}
 
Example 2
Project: gwt-crypto   File: IssuingDistributionPointUnitTest.java
/**
 * Builds an IssuingDistributionPoint from the supplied fields and verifies it
 * both directly and after an encode/decode round trip.
 *
 * @param size                       number of elements the encoded sequence must contain.
 * @param distributionPoint          expected distribution point name.
 * @param onlyContainsUserCerts      expected onlyContainsUserCerts flag.
 * @param onlyContainsCACerts        expected onlyContainsCACerts flag.
 * @param onlySomeReasons            expected reason flags.
 * @param indirectCRL                expected indirectCRL flag.
 * @param onlyContainsAttributeCerts expected onlyContainsAttributeCerts flag.
 * @throws IOException if encoding or re-parsing the structure fails.
 */
private void checkPoint(
    int size,
    DistributionPointName distributionPoint,
    boolean onlyContainsUserCerts,
    boolean onlyContainsCACerts,
    ReasonFlags onlySomeReasons,
    boolean indirectCRL,
    boolean onlyContainsAttributeCerts)
    throws IOException
{
    // freshly constructed object first
    IssuingDistributionPoint built = new IssuingDistributionPoint(distributionPoint, onlyContainsUserCerts,
        onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts);
    checkValues(built, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons,
        indirectCRL, onlyContainsAttributeCerts);

    // serialise and parse back as a generic sequence to count its elements
    byte[] encoded = built.getEncoded();
    ASN1Sequence seq = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(encoded));
    if (size != seq.size())
    {
        fail("size mismatch");
    }

    // the decoded object must report the same values as the built one
    IssuingDistributionPoint decoded = IssuingDistributionPoint.getInstance(seq);
    checkValues(decoded, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons,
        indirectCRL, onlyContainsAttributeCerts);
}
 
Example 3
Project: irma_future_id   File: IssuingDistributionPointUnitTest.java
/**
 * Runs the IssuingDistributionPoint checks: three round trips through
 * {@code checkPoint}, then a negative test of {@code getInstance()}.
 * <p>
 * The first argument of each {@code checkPoint} call is the {@code size}
 * value that call expects for the given combination of fields.
 *
 * @throws Exception if one of the round-trip checks raises one.
 */
public void performTest()
    throws Exception
{
    GeneralName testName = new GeneralName(new X509Name("cn=test"));
    DistributionPointName name = new DistributionPointName(new GeneralNames(testName));
    ReasonFlags reasonFlags = new ReasonFlags(ReasonFlags.cACompromise);

    // every field supplied
    checkPoint(6, name, true, true, reasonFlags, true, true);

    // name and reasons only, all booleans false
    checkPoint(2, name, false, false, reasonFlags, false, false);

    // nothing supplied
    checkPoint(0, null, false, false, null, false, false);

    // Negative case: an arbitrary object must be refused rather than
    // silently turned into an IssuingDistributionPoint.
    try
    {
        IssuingDistributionPoint.getInstance(new Object());

        fail("getInstance() failed to detect bad object.");
    }
    catch (IllegalArgumentException expected)
    {
        // rejection is the outcome this test wants
    }
}
 
Example 4
Project: irma_future_id   File: IssuingDistributionPointUnitTest.java
/**
 * Builds an IssuingDistributionPoint from the supplied fields and verifies it
 * both directly and after an encode/decode round trip.
 *
 * @param size                       number of elements the encoded sequence must contain.
 * @param distributionPoint          expected distribution point name.
 * @param onlyContainsUserCerts      expected onlyContainsUserCerts flag.
 * @param onlyContainsCACerts        expected onlyContainsCACerts flag.
 * @param onlySomeReasons            expected reason flags.
 * @param indirectCRL                expected indirectCRL flag.
 * @param onlyContainsAttributeCerts expected onlyContainsAttributeCerts flag.
 * @throws IOException if encoding or re-parsing the structure fails.
 */
private void checkPoint(
    int size,
    DistributionPointName distributionPoint,
    boolean onlyContainsUserCerts,
    boolean onlyContainsCACerts,
    ReasonFlags onlySomeReasons,
    boolean indirectCRL,
    boolean onlyContainsAttributeCerts)
    throws IOException
{
    // freshly constructed object first
    IssuingDistributionPoint built = new IssuingDistributionPoint(distributionPoint, onlyContainsUserCerts,
        onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts);
    checkValues(built, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons,
        indirectCRL, onlyContainsAttributeCerts);

    // serialise and parse back as a generic sequence to count its elements
    byte[] encoded = built.getEncoded();
    ASN1Sequence seq = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(encoded));
    if (size != seq.size())
    {
        fail("size mismatch");
    }

    // the decoded object must report the same values as the built one
    IssuingDistributionPoint decoded = IssuingDistributionPoint.getInstance(seq);
    checkValues(decoded, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons,
        indirectCRL, onlyContainsAttributeCerts);
}
 
Example 5
Project: bc-java   File: IssuingDistributionPointUnitTest.java
/**
 * Runs the IssuingDistributionPoint checks: three round trips through
 * {@code checkPoint}, then a negative test of {@code getInstance()}.
 * <p>
 * The first argument of each {@code checkPoint} call is the {@code size}
 * value that call expects for the given combination of fields.
 *
 * @throws Exception if one of the round-trip checks raises one.
 */
public void performTest()
    throws Exception
{
    GeneralName testName = new GeneralName(new X509Name("cn=test"));
    DistributionPointName name = new DistributionPointName(new GeneralNames(testName));
    ReasonFlags reasonFlags = new ReasonFlags(ReasonFlags.cACompromise);

    // every field supplied
    checkPoint(6, name, true, true, reasonFlags, true, true);

    // name and reasons only, all booleans false
    checkPoint(2, name, false, false, reasonFlags, false, false);

    // nothing supplied
    checkPoint(0, null, false, false, null, false, false);

    // Negative case: an arbitrary object must be refused rather than
    // silently turned into an IssuingDistributionPoint.
    try
    {
        IssuingDistributionPoint.getInstance(new Object());

        fail("getInstance() failed to detect bad object.");
    }
    catch (IllegalArgumentException expected)
    {
        // rejection is the outcome this test wants
    }
}
 
Example 6
Project: bc-java   File: IssuingDistributionPointUnitTest.java
/**
 * Builds an IssuingDistributionPoint from the supplied fields and verifies it
 * both directly and after an encode/decode round trip.
 *
 * @param size                       number of elements the encoded sequence must contain.
 * @param distributionPoint          expected distribution point name.
 * @param onlyContainsUserCerts      expected onlyContainsUserCerts flag.
 * @param onlyContainsCACerts        expected onlyContainsCACerts flag.
 * @param onlySomeReasons            expected reason flags.
 * @param indirectCRL                expected indirectCRL flag.
 * @param onlyContainsAttributeCerts expected onlyContainsAttributeCerts flag.
 * @throws IOException if encoding or re-parsing the structure fails.
 */
private void checkPoint(
    int size,
    DistributionPointName distributionPoint,
    boolean onlyContainsUserCerts,
    boolean onlyContainsCACerts,
    ReasonFlags onlySomeReasons,
    boolean indirectCRL,
    boolean onlyContainsAttributeCerts)
    throws IOException
{
    // freshly constructed object first
    IssuingDistributionPoint built = new IssuingDistributionPoint(distributionPoint, onlyContainsUserCerts,
        onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts);
    checkValues(built, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons,
        indirectCRL, onlyContainsAttributeCerts);

    // serialise and parse back as a generic sequence to count its elements
    byte[] encoded = built.getEncoded();
    ASN1Sequence seq = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(encoded));
    if (size != seq.size())
    {
        fail("size mismatch");
    }

    // the decoded object must report the same values as the built one
    IssuingDistributionPoint decoded = IssuingDistributionPoint.getInstance(seq);
    checkValues(decoded, distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons,
        indirectCRL, onlyContainsAttributeCerts);
}
 
Example 7
Project: ipack   File: X509CRLHolder.java
/**
 * Tells whether a CRL's extensions mark it as an indirect CRL.
 *
 * @param extensions the CRL extensions, may be null.
 * @return true only if an issuing distribution point extension is present
 *         and its indirectCRL flag is set; false if there are no extensions
 *         or no such extension.
 */
private static boolean isIndirectCRL(Extensions extensions)
{
    if (extensions != null)
    {
        Extension idpExt = extensions.getExtension(Extension.issuingDistributionPoint);
        if (idpExt != null)
        {
            // decode the extension value and read the flag from it
            return IssuingDistributionPoint.getInstance(idpExt.getParsedValue()).isIndirectCRL();
        }
    }

    // no extension block, or no IDP extension in it
    return false;
}
 
Example 8
Project: ipack   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the extension value arrives wrapped in an OCTET STRING; unwrap before decoding
        byte[] idpBytes = ASN1OctetString.getInstance(extValue).getOctets();
        return IssuingDistributionPoint.getInstance(idpBytes).isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 9
Project: ipack   File: RFC3280CertPathUtilities.java
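/**
 * Computes the interim reasons mask for a CRL and a distribution point,
 * following the (d)(1)-(d)(4) cases named in the inline comments.
 * <p>
 * The reasons listed in the DP and the onlySomeReasons of the CRL's issuing
 * distribution point (IDP) extension are intersected; a side that states no
 * reasons places no restriction on the result.
 *
 * @param crl the CRL whose IDP extension is read.
 * @param dp  the distribution point being processed.
 * @return the intersection of both reason sets, or {@code ReasonsMask.allReasons}
 *         when neither side restricts the reasons.
 * @throws AnnotatedException if the IDP extension cannot be decoded.
 */
protected static ReasonsMask processCRLD(
    X509CRL crl,
    DistributionPoint dp)
    throws AnnotatedException
{
    IssuingDistributionPoint idp = null;
    try
    {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
            RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    }
    catch (Exception e)
    {
        // a malformed extension aborts processing instead of being read as "no restriction"
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }

    // An absent IDP and an IDP without onlySomeReasons mean the same thing
    // here: the CRL does not limit the reasons it covers.
    boolean idpRestricts = idp != null && idp.getOnlySomeReasons() != null;
    boolean dpRestricts = dp.getReasons() != null;

    // (d) (1)
    if (idpRestricts && dpRestricts)
    {
        return new ReasonsMask(dp.getReasons()).intersect(new ReasonsMask(idp.getOnlySomeReasons()));
    }
    // (d) (4)
    if (!idpRestricts && !dpRestricts)
    {
        return ReasonsMask.allReasons;
    }
    // (d) (2) and (d)(3): exactly one side restricts. The unrestricted side
    // contributes allReasons, so a null ReasonFlags is never handed to the
    // ReasonsMask constructor (previously an IDP without onlySomeReasons
    // combined with a DP that lists reasons reached it with null).
    ReasonsMask dpMask = dpRestricts ? new ReasonsMask(dp.getReasons()) : ReasonsMask.allReasons;
    ReasonsMask idpMask = idpRestricts ? new ReasonsMask(idp.getOnlySomeReasons()) : ReasonsMask.allReasons;
    return dpMask.intersect(idpMask);
}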
 
Example 10
Project: ipack   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the extension value arrives wrapped in an OCTET STRING; unwrap before decoding
        byte[] idpBytes = ASN1OctetString.getInstance(extValue).getOctets();
        return IssuingDistributionPoint.getInstance(idpBytes).isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 11
Project: gwt-crypto   File: X509CRLHolder.java
/**
 * Tells whether a CRL's extensions mark it as an indirect CRL.
 *
 * @param extensions the CRL extensions, may be null.
 * @return true only if an issuing distribution point extension is present
 *         and its indirectCRL flag is set; false if there are no extensions
 *         or no such extension.
 */
private static boolean isIndirectCRL(Extensions extensions)
{
    if (extensions != null)
    {
        Extension idpExt = extensions.getExtension(Extension.issuingDistributionPoint);
        if (idpExt != null)
        {
            // decode the extension value and read the flag from it
            return IssuingDistributionPoint.getInstance(idpExt.getParsedValue()).isIndirectCRL();
        }
    }

    // no extension block, or no IDP extension in it
    return false;
}
 
Example 12
Project: gwt-crypto   File: IssuingDistributionPointUnitTest.java
/**
 * Compares each field of an IssuingDistributionPoint with its expected value
 * and reports a difference through {@code fail} with a field-specific message.
 * The four boolean flags are checked first, then the reason flags, then the
 * distribution point name.
 *
 * @param point                      the object under test.
 * @param distributionPoint          expected distribution point name.
 * @param onlyContainsUserCerts      expected onlyContainsUserCerts flag.
 * @param onlyContainsCACerts        expected onlyContainsCACerts flag.
 * @param onlySomeReasons            expected reason flags.
 * @param indirectCRL                expected indirectCRL flag.
 * @param onlyContainsAttributeCerts expected onlyContainsAttributeCerts flag.
 */
private void checkValues(IssuingDistributionPoint point, DistributionPointName distributionPoint, boolean onlyContainsUserCerts, boolean onlyContainsCACerts, ReasonFlags onlySomeReasons, boolean indirectCRL, boolean onlyContainsAttributeCerts)
{
    if (onlyContainsUserCerts != point.onlyContainsUserCerts())
    {
        fail("mismatch on onlyContainsUserCerts");
    }

    if (onlyContainsCACerts != point.onlyContainsCACerts())
    {
        fail("mismatch on onlyContainsCACerts");
    }

    if (indirectCRL != point.isIndirectCRL())
    {
        fail("mismatch on indirectCRL");
    }

    if (onlyContainsAttributeCerts != point.onlyContainsAttributeCerts())
    {
        fail("mismatch on onlyContainsAttributeCerts");
    }

    // object-valued fields go through isEquiv rather than ==
    boolean reasonsMatch = isEquiv(onlySomeReasons, point.getOnlySomeReasons());
    if (!reasonsMatch)
    {
        fail("mismatch on onlySomeReasons");
    }

    boolean nameMatches = isEquiv(distributionPoint, point.getDistributionPoint());
    if (!nameMatches)
    {
        fail("mismatch on distributionPoint");
    }
}
 
Example 13
Project: Aki-SSL   File: CertPathValidatorUtilities.java
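/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; the
 *         original exception is attached as the cause.
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] idp = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        // the extension value arrives wrapped in an OCTET STRING; unwrap before decoding
        return idp != null
            && IssuingDistributionPoint.getInstance(ASN1OctetString.getInstance(idp).getOctets()).isIndirectCRL();
    }
    catch (Exception e)
    {
        // Message text is unchanged; the cause is now chained so the stack
        // trace of the decoding failure is not lost.
        throw new CRLException(
                "Exception reading IssuingDistributionPoint: " + e, e);
    }
}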
 
Example 14
Project: Aki-SSL   File: X509CRLHolder.java
/**
 * Tells whether a CRL's extensions mark it as an indirect CRL.
 *
 * @param extensions the CRL extensions, may be null.
 * @return true only if an issuing distribution point extension is present
 *         and its indirectCRL flag is set; false if there are no extensions
 *         or no such extension.
 */
private static boolean isIndirectCRL(Extensions extensions)
{
    if (extensions != null)
    {
        Extension idpExt = extensions.getExtension(Extension.issuingDistributionPoint);
        if (idpExt != null)
        {
            // decode the extension value and read the flag from it
            return IssuingDistributionPoint.getInstance(idpExt.getParsedValue()).isIndirectCRL();
        }
    }

    // no extension block, or no IDP extension in it
    return false;
}
 
Example 15
Project: Aki-SSL   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
public static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the extension value arrives wrapped in an OCTET STRING; unwrap before decoding
        byte[] idpBytes = ASN1OctetString.getInstance(extValue).getOctets();
        return IssuingDistributionPoint.getInstance(idpBytes).isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 16
Project: Aki-SSL   File: RFC3280CertPathUtilities.java
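/**
 * Computes the interim reasons mask for a CRL and a distribution point,
 * following the (d)(1)-(d)(4) cases named in the inline comments.
 * <p>
 * The reasons listed in the DP and the onlySomeReasons of the CRL's issuing
 * distribution point (IDP) extension are intersected; a side that states no
 * reasons places no restriction on the result.
 *
 * @param crl the CRL whose IDP extension is read.
 * @param dp  the distribution point being processed.
 * @return the intersection of both reason sets, or {@code ReasonsMask.allReasons}
 *         when neither side restricts the reasons.
 * @throws AnnotatedException if the IDP extension cannot be decoded.
 */
protected static ReasonsMask processCRLD(
    X509CRL crl,
    DistributionPoint dp)
    throws AnnotatedException
{
    IssuingDistributionPoint idp = null;
    try
    {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
            RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    }
    catch (Exception e)
    {
        // a malformed extension aborts processing instead of being read as "no restriction"
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }

    // An absent IDP and an IDP without onlySomeReasons mean the same thing
    // here: the CRL does not limit the reasons it covers.
    boolean idpRestricts = idp != null && idp.getOnlySomeReasons() != null;
    boolean dpRestricts = dp.getReasons() != null;

    // (d) (1)
    if (idpRestricts && dpRestricts)
    {
        return new ReasonsMask(dp.getReasons()).intersect(new ReasonsMask(idp.getOnlySomeReasons()));
    }
    // (d) (4)
    if (!idpRestricts && !dpRestricts)
    {
        return ReasonsMask.allReasons;
    }
    // (d) (2) and (d)(3): exactly one side restricts. The unrestricted side
    // contributes allReasons, so a null ReasonFlags is never handed to the
    // ReasonsMask constructor (previously an IDP without onlySomeReasons
    // combined with a DP that lists reasons reached it with null).
    ReasonsMask dpMask = dpRestricts ? new ReasonsMask(dp.getReasons()) : ReasonsMask.allReasons;
    ReasonsMask idpMask = idpRestricts ? new ReasonsMask(idp.getOnlySomeReasons()) : ReasonsMask.allReasons;
    return dpMask.intersect(idpMask);
}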
 
Example 17
Project: Aki-SSL   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the extension value arrives wrapped in an OCTET STRING; unwrap before decoding
        byte[] idpBytes = ASN1OctetString.getInstance(extValue).getOctets();
        return IssuingDistributionPoint.getInstance(idpBytes).isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 18
Project: dss   File: AbstractCRLUtils.java
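/**
 * Decides whether the "unknown critical extension" flag on {@code validity}
 * can be cleared, based on the CRL's critical extension OIDs and its issuing
 * distribution point (IDP) extension.
 * <p>
 * With no critical extensions the flag is cleared immediately. Otherwise the
 * IDP is decoded, any URI found in a full-name distribution point is stored
 * with {@code validity.setUrl}, and the flag is cleared only when the flag
 * test at the end of the method passes. In every other case this method
 * leaves the flag as it was.
 *
 * @param validity                       result object updated by this method.
 * @param criticalExtensionsOid          OIDs of the CRL's critical extensions, may be null or empty.
 * @param issuingDistributionPointBinary extension value of the IDP, still wrapped in its OCTET STRING.
 */
protected void checkCriticalExtensions(CRLValidity validity, Collection<String> criticalExtensionsOid, byte[] issuingDistributionPointBinary) {
	if (criticalExtensionsOid == null || criticalExtensionsOid.isEmpty()) {
		validity.setUnknownCriticalExtension(false);
	} else {
		// NOTE(review): a null issuingDistributionPointBinary is not handled
		// on this path - confirm callers never pass null together with a
		// non-empty OID collection.
		IssuingDistributionPoint issuingDistributionPoint = IssuingDistributionPoint
				.getInstance(ASN1OctetString.getInstance(issuingDistributionPointBinary).getOctets());
		final boolean onlyAttributeCerts = issuingDistributionPoint.onlyContainsAttributeCerts();
		final boolean onlyCaCerts = issuingDistributionPoint.onlyContainsCACerts();
		final boolean onlyUserCerts = issuingDistributionPoint.onlyContainsUserCerts();
		final boolean indirectCrl = issuingDistributionPoint.isIndirectCRL();
		ReasonFlags onlySomeReasons = issuingDistributionPoint.getOnlySomeReasons();
		DistributionPointName distributionPoint = issuingDistributionPoint.getDistributionPoint();
		boolean urlFound = false;
		// The distribution point is an optional field of the IDP. When it is
		// missing there is nothing to scan: urlFound stays false and the flag
		// below is not cleared, instead of failing with a NullPointerException
		// on a CRL that simply omits the field.
		if (distributionPoint != null && DistributionPointName.FULL_NAME == distributionPoint.getType()) {
			final GeneralNames generalNames = (GeneralNames) distributionPoint.getName();
			if ((generalNames != null) && (generalNames.getNames() != null && generalNames.getNames().length > 0)) {
				for (GeneralName generalName : generalNames.getNames()) {
					if (GeneralName.uniformResourceIdentifier == generalName.getTagNo()) {
						ASN1String str = (ASN1String) ((DERTaggedObject) generalName.toASN1Primitive()).getObject();
						// if several URIs are present the last one wins
						validity.setUrl(str.getString());
						urlFound = true;
					}
				}
			}
		}

		// NOTE(review): the first term is false only when all four flags are
		// set at once, so an IDP with a single scope flag (for example
		// onlyContainsAttributeCerts) still passes. If the intent is to accept
		// only IDPs with none of the flags set, this should test each flag
		// separately - confirm against the validation policy before changing.
		if (!(onlyAttributeCerts && onlyCaCerts && onlyUserCerts && indirectCrl) && (onlySomeReasons == null) && urlFound) {
			validity.setUnknownCriticalExtension(false);
		}
	}
}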
 
Example 19
Project: jtrust   File: CrlTrustLinker.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 */
private boolean isIndirectCRL(X509CRL crl) {
	byte[] idpValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
	if (idpValue == null) {
		return false;
	}

	// NOTE(review): X509CRL.getExtensionValue returns the extension value
	// still wrapped in a DER OCTET STRING, and the bytes are passed to
	// getInstance without unwrapping. Other callers of this API unwrap first
	// (ASN1OctetString.getInstance(...).getOctets()); verify this path decodes
	// a CRL that really has the extension instead of throwing at runtime.
	return IssuingDistributionPoint.getInstance(idpValue).isIndirectCRL();
}
 
Example 20
Project: CryptMeme   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the extension value arrives wrapped in an OCTET STRING; unwrap before decoding
        byte[] idpBytes = ASN1OctetString.getInstance(extValue).getOctets();
        return IssuingDistributionPoint.getInstance(idpBytes).isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 21
Project: CryptMeme   File: RFC3280CertPathUtilities.java
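/**
 * Computes the interim reasons mask for a CRL and a distribution point,
 * following the (d)(1)-(d)(4) cases named in the inline comments.
 * <p>
 * The reasons listed in the DP and the onlySomeReasons of the CRL's issuing
 * distribution point (IDP) extension are intersected; a side that states no
 * reasons places no restriction on the result.
 *
 * @param crl the CRL whose IDP extension is read.
 * @param dp  the distribution point being processed.
 * @return the intersection of both reason sets, or {@code ReasonsMask.allReasons}
 *         when neither side restricts the reasons.
 * @throws AnnotatedException if the IDP extension cannot be decoded.
 */
protected static ReasonsMask processCRLD(
    X509CRL crl,
    DistributionPoint dp)
    throws AnnotatedException
{
    IssuingDistributionPoint idp = null;
    try
    {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
            RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    }
    catch (Exception e)
    {
        // a malformed extension aborts processing instead of being read as "no restriction"
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }

    // An absent IDP and an IDP without onlySomeReasons mean the same thing
    // here: the CRL does not limit the reasons it covers.
    boolean idpRestricts = idp != null && idp.getOnlySomeReasons() != null;
    boolean dpRestricts = dp.getReasons() != null;

    // (d) (1)
    if (idpRestricts && dpRestricts)
    {
        return new ReasonsMask(dp.getReasons()).intersect(new ReasonsMask(idp.getOnlySomeReasons()));
    }
    // (d) (4)
    if (!idpRestricts && !dpRestricts)
    {
        return ReasonsMask.allReasons;
    }
    // (d) (2) and (d)(3): exactly one side restricts. The unrestricted side
    // contributes allReasons, so a null ReasonFlags is never handed to the
    // ReasonsMask constructor (previously an IDP without onlySomeReasons
    // combined with a DP that lists reasons reached it with null).
    ReasonsMask dpMask = dpRestricts ? new ReasonsMask(dp.getReasons()) : ReasonsMask.allReasons;
    ReasonsMask idpMask = idpRestricts ? new ReasonsMask(idp.getOnlySomeReasons()) : ReasonsMask.allReasons;
    return dpMask.intersect(idpMask);
}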
 
Example 22
Project: CryptMeme   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the extension value arrives wrapped in an OCTET STRING; unwrap before decoding
        byte[] idpBytes = ASN1OctetString.getInstance(extValue).getOctets();
        return IssuingDistributionPoint.getInstance(idpBytes).isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 23
Project: irma_future_id   File: X509CRLHolder.java
/**
 * Tells whether a CRL's extensions mark it as an indirect CRL.
 *
 * @param extensions the CRL extensions, may be null.
 * @return true only if an issuing distribution point extension is present
 *         and its indirectCRL flag is set; false if there are no extensions
 *         or no such extension.
 */
private static boolean isIndirectCRL(Extensions extensions)
{
    if (extensions != null)
    {
        Extension idpExt = extensions.getExtension(Extension.issuingDistributionPoint);
        if (idpExt != null)
        {
            // decode the extension value and read the flag from it
            return IssuingDistributionPoint.getInstance(idpExt.getParsedValue()).isIndirectCRL();
        }
    }

    // no extension block, or no IDP extension in it
    return false;
}
 
Example 24
Project: irma_future_id   File: IssuingDistributionPointUnitTest.java
/**
 * Compares each field of an IssuingDistributionPoint with its expected value
 * and reports a difference through {@code fail} with a field-specific message.
 * The four boolean flags are checked first, then the reason flags, then the
 * distribution point name.
 *
 * @param point                      the object under test.
 * @param distributionPoint          expected distribution point name.
 * @param onlyContainsUserCerts      expected onlyContainsUserCerts flag.
 * @param onlyContainsCACerts        expected onlyContainsCACerts flag.
 * @param onlySomeReasons            expected reason flags.
 * @param indirectCRL                expected indirectCRL flag.
 * @param onlyContainsAttributeCerts expected onlyContainsAttributeCerts flag.
 */
private void checkValues(IssuingDistributionPoint point, DistributionPointName distributionPoint, boolean onlyContainsUserCerts, boolean onlyContainsCACerts, ReasonFlags onlySomeReasons, boolean indirectCRL, boolean onlyContainsAttributeCerts)
{
    if (onlyContainsUserCerts != point.onlyContainsUserCerts())
    {
        fail("mismatch on onlyContainsUserCerts");
    }

    if (onlyContainsCACerts != point.onlyContainsCACerts())
    {
        fail("mismatch on onlyContainsCACerts");
    }

    if (indirectCRL != point.isIndirectCRL())
    {
        fail("mismatch on indirectCRL");
    }

    if (onlyContainsAttributeCerts != point.onlyContainsAttributeCerts())
    {
        fail("mismatch on onlyContainsAttributeCerts");
    }

    // object-valued fields go through isEquiv rather than ==
    boolean reasonsMatch = isEquiv(onlySomeReasons, point.getOnlySomeReasons());
    if (!reasonsMatch)
    {
        fail("mismatch on onlySomeReasons");
    }

    boolean nameMatches = isEquiv(distributionPoint, point.getDistributionPoint());
    if (!nameMatches)
    {
        fail("mismatch on distributionPoint");
    }
}
 
Example 25
Project: irma_future_id   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the extension value arrives wrapped in an OCTET STRING; unwrap before decoding
        byte[] idpBytes = ASN1OctetString.getInstance(extValue).getOctets();
        return IssuingDistributionPoint.getInstance(idpBytes).isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 26
Project: irma_future_id   File: RFC3280CertPathUtilities.java
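/**
 * Computes the interim reasons mask for a CRL and a distribution point,
 * following the (d)(1)-(d)(4) cases named in the inline comments.
 * <p>
 * The reasons listed in the DP and the onlySomeReasons of the CRL's issuing
 * distribution point (IDP) extension are intersected; a side that states no
 * reasons places no restriction on the result.
 *
 * @param crl the CRL whose IDP extension is read.
 * @param dp  the distribution point being processed.
 * @return the intersection of both reason sets, or {@code ReasonsMask.allReasons}
 *         when neither side restricts the reasons.
 * @throws AnnotatedException if the IDP extension cannot be decoded.
 */
protected static ReasonsMask processCRLD(
    X509CRL crl,
    DistributionPoint dp)
    throws AnnotatedException
{
    IssuingDistributionPoint idp = null;
    try
    {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
            RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    }
    catch (Exception e)
    {
        // a malformed extension aborts processing instead of being read as "no restriction"
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }

    // An absent IDP and an IDP without onlySomeReasons mean the same thing
    // here: the CRL does not limit the reasons it covers.
    boolean idpRestricts = idp != null && idp.getOnlySomeReasons() != null;
    boolean dpRestricts = dp.getReasons() != null;

    // (d) (1)
    if (idpRestricts && dpRestricts)
    {
        return new ReasonsMask(dp.getReasons()).intersect(new ReasonsMask(idp.getOnlySomeReasons()));
    }
    // (d) (4)
    if (!idpRestricts && !dpRestricts)
    {
        return ReasonsMask.allReasons;
    }
    // (d) (2) and (d)(3): exactly one side restricts. The unrestricted side
    // contributes allReasons, so a null ReasonFlags is never handed to the
    // ReasonsMask constructor (previously an IDP without onlySomeReasons
    // combined with a DP that lists reasons reached it with null).
    ReasonsMask dpMask = dpRestricts ? new ReasonsMask(dp.getReasons()) : ReasonsMask.allReasons;
    ReasonsMask idpMask = idpRestricts ? new ReasonsMask(idp.getOnlySomeReasons()) : ReasonsMask.allReasons;
    return dpMask.intersect(idpMask);
}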
 
Example 27
Project: irma_future_id   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the extension value arrives wrapped in an OCTET STRING; unwrap before decoding
        byte[] idpBytes = ASN1OctetString.getInstance(extValue).getOctets();
        return IssuingDistributionPoint.getInstance(idpBytes).isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 28
Project: irma_future_id   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the helper turns the raw extension value into the object getInstance decodes
        return IssuingDistributionPoint.getInstance(X509ExtensionUtil.fromExtensionValue(extValue))
            .isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 29
Project: irma_future_id   File: RFC3280CertPathUtilities.java
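/**
 * Computes the interim reasons mask for a CRL and a distribution point,
 * following the (d)(1)-(d)(4) cases named in the inline comments.
 * <p>
 * The reasons listed in the DP and the onlySomeReasons of the CRL's issuing
 * distribution point (IDP) extension are intersected; a side that states no
 * reasons places no restriction on the result.
 *
 * @param crl the CRL whose IDP extension is read.
 * @param dp  the distribution point being processed.
 * @return the intersection of both reason sets, or {@code ReasonsMask.allReasons}
 *         when neither side restricts the reasons.
 * @throws AnnotatedException if the IDP extension cannot be decoded.
 */
protected static ReasonsMask processCRLD(
    X509CRL crl,
    DistributionPoint dp)
    throws AnnotatedException
{
    IssuingDistributionPoint idp = null;
    try
    {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
            RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    }
    catch (Exception e)
    {
        // a malformed extension aborts processing instead of being read as "no restriction"
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }

    // An absent IDP and an IDP without onlySomeReasons mean the same thing
    // here: the CRL does not limit the reasons it covers.
    boolean idpRestricts = idp != null && idp.getOnlySomeReasons() != null;
    boolean dpRestricts = dp.getReasons() != null;

    // (d) (1)
    if (idpRestricts && dpRestricts)
    {
        return new ReasonsMask(dp.getReasons()).intersect(new ReasonsMask(idp.getOnlySomeReasons()));
    }
    // (d) (4)
    if (!idpRestricts && !dpRestricts)
    {
        return ReasonsMask.allReasons;
    }
    // (d) (2) and (d)(3): exactly one side restricts. The unrestricted side
    // contributes allReasons, so a null ReasonFlags is never handed to the
    // ReasonsMask constructor (previously an IDP without onlySomeReasons
    // combined with a DP that lists reasons reached it with null).
    ReasonsMask dpMask = dpRestricts ? new ReasonsMask(dp.getReasons()) : ReasonsMask.allReasons;
    ReasonsMask idpMask = idpRestricts ? new ReasonsMask(idp.getOnlySomeReasons()) : ReasonsMask.allReasons;
    return dpMask.intersect(idpMask);
}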
 
Example 30
Project: irma_future_id   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the helper turns the raw extension value into the object getInstance decodes
        return IssuingDistributionPoint.getInstance(X509ExtensionUtil.fromExtensionValue(extValue))
            .isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 31
Project: irma_future_id   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the helper turns the raw extension value into the object getInstance decodes
        return IssuingDistributionPoint.getInstance(X509ExtensionUtil.fromExtensionValue(extValue))
            .isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 32
Project: bc-java   File: X509CRLHolder.java
/**
 * Tells whether a CRL's extensions mark it as an indirect CRL.
 *
 * @param extensions the CRL extensions, may be null.
 * @return true only if an issuing distribution point extension is present
 *         and its indirectCRL flag is set; false if there are no extensions
 *         or no such extension.
 */
private static boolean isIndirectCRL(Extensions extensions)
{
    if (extensions != null)
    {
        Extension idpExt = extensions.getExtension(Extension.issuingDistributionPoint);
        if (idpExt != null)
        {
            // decode the extension value and read the flag from it
            return IssuingDistributionPoint.getInstance(idpExt.getParsedValue()).isIndirectCRL();
        }
    }

    // no extension block, or no IDP extension in it
    return false;
}
 
Example 33
Project: bc-java   File: IssuingDistributionPointUnitTest.java
/**
 * Compares each field of an IssuingDistributionPoint with its expected value
 * and reports a difference through {@code fail} with a field-specific message.
 * The four boolean flags are checked first, then the reason flags, then the
 * distribution point name.
 *
 * @param point                      the object under test.
 * @param distributionPoint          expected distribution point name.
 * @param onlyContainsUserCerts      expected onlyContainsUserCerts flag.
 * @param onlyContainsCACerts        expected onlyContainsCACerts flag.
 * @param onlySomeReasons            expected reason flags.
 * @param indirectCRL                expected indirectCRL flag.
 * @param onlyContainsAttributeCerts expected onlyContainsAttributeCerts flag.
 */
private void checkValues(IssuingDistributionPoint point, DistributionPointName distributionPoint, boolean onlyContainsUserCerts, boolean onlyContainsCACerts, ReasonFlags onlySomeReasons, boolean indirectCRL, boolean onlyContainsAttributeCerts)
{
    if (onlyContainsUserCerts != point.onlyContainsUserCerts())
    {
        fail("mismatch on onlyContainsUserCerts");
    }

    if (onlyContainsCACerts != point.onlyContainsCACerts())
    {
        fail("mismatch on onlyContainsCACerts");
    }

    if (indirectCRL != point.isIndirectCRL())
    {
        fail("mismatch on indirectCRL");
    }

    if (onlyContainsAttributeCerts != point.onlyContainsAttributeCerts())
    {
        fail("mismatch on onlyContainsAttributeCerts");
    }

    // object-valued fields go through isEquiv rather than ==
    boolean reasonsMatch = isEquiv(onlySomeReasons, point.getOnlySomeReasons());
    if (!reasonsMatch)
    {
        fail("mismatch on onlySomeReasons");
    }

    boolean nameMatches = isEquiv(distributionPoint, point.getDistributionPoint());
    if (!nameMatches)
    {
        fail("mismatch on distributionPoint");
    }
}
 
Example 34
Project: bc-java   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the extension value arrives wrapped in an OCTET STRING; unwrap before decoding
        byte[] idpBytes = ASN1OctetString.getInstance(extValue).getOctets();
        return IssuingDistributionPoint.getInstance(idpBytes).isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 35
Project: bc-java   File: RFC3280CertPathUtilities.java
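/**
 * Computes the interim reasons mask for a CRL and a distribution point,
 * following the (d)(1)-(d)(4) cases named in the inline comments.
 * <p>
 * The reasons listed in the DP and the onlySomeReasons of the CRL's issuing
 * distribution point (IDP) extension are intersected; a side that states no
 * reasons places no restriction on the result.
 *
 * @param crl the CRL whose IDP extension is read.
 * @param dp  the distribution point being processed.
 * @return the intersection of both reason sets, or {@code ReasonsMask.allReasons}
 *         when neither side restricts the reasons.
 * @throws AnnotatedException if the IDP extension cannot be decoded.
 */
protected static ReasonsMask processCRLD(
    X509CRL crl,
    DistributionPoint dp)
    throws AnnotatedException
{
    IssuingDistributionPoint idp = null;
    try
    {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
            RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    }
    catch (Exception e)
    {
        // a malformed extension aborts processing instead of being read as "no restriction"
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }

    // An absent IDP and an IDP without onlySomeReasons mean the same thing
    // here: the CRL does not limit the reasons it covers.
    boolean idpRestricts = idp != null && idp.getOnlySomeReasons() != null;
    boolean dpRestricts = dp.getReasons() != null;

    // (d) (1)
    if (idpRestricts && dpRestricts)
    {
        return new ReasonsMask(dp.getReasons()).intersect(new ReasonsMask(idp.getOnlySomeReasons()));
    }
    // (d) (4)
    if (!idpRestricts && !dpRestricts)
    {
        return ReasonsMask.allReasons;
    }
    // (d) (2) and (d)(3): exactly one side restricts. The unrestricted side
    // contributes allReasons, so a null ReasonFlags is never handed to the
    // ReasonsMask constructor (previously an IDP without onlySomeReasons
    // combined with a DP that lists reasons reached it with null).
    ReasonsMask dpMask = dpRestricts ? new ReasonsMask(dp.getReasons()) : ReasonsMask.allReasons;
    ReasonsMask idpMask = idpRestricts ? new ReasonsMask(idp.getOnlySomeReasons()) : ReasonsMask.allReasons;
    return dpMask.intersect(idpMask);
}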
 
Example 36
Project: bc-java   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the extension value arrives wrapped in an OCTET STRING; unwrap before decoding
        byte[] idpBytes = ASN1OctetString.getInstance(extValue).getOctets();
        return IssuingDistributionPoint.getInstance(idpBytes).isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 37
Project: bc-java   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the helper turns the raw extension value into the object getInstance decodes
        return IssuingDistributionPoint.getInstance(X509ExtensionUtil.fromExtensionValue(extValue))
            .isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 38
Project: bc-java   File: RFC3280CertPathUtilities.java
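/**
 * Computes the interim reasons mask for a CRL and a distribution point,
 * following the (d)(1)-(d)(4) cases named in the inline comments.
 * <p>
 * The reasons listed in the DP and the onlySomeReasons of the CRL's issuing
 * distribution point (IDP) extension are intersected; a side that states no
 * reasons places no restriction on the result.
 *
 * @param crl the CRL whose IDP extension is read.
 * @param dp  the distribution point being processed.
 * @return the intersection of both reason sets, or {@code ReasonsMask.allReasons}
 *         when neither side restricts the reasons.
 * @throws AnnotatedException if the IDP extension cannot be decoded.
 */
protected static ReasonsMask processCRLD(
    X509CRL crl,
    DistributionPoint dp)
    throws AnnotatedException
{
    IssuingDistributionPoint idp = null;
    try
    {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
            RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    }
    catch (Exception e)
    {
        // a malformed extension aborts processing instead of being read as "no restriction"
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }

    // An absent IDP and an IDP without onlySomeReasons mean the same thing
    // here: the CRL does not limit the reasons it covers.
    boolean idpRestricts = idp != null && idp.getOnlySomeReasons() != null;
    boolean dpRestricts = dp.getReasons() != null;

    // (d) (1)
    if (idpRestricts && dpRestricts)
    {
        return new ReasonsMask(dp.getReasons()).intersect(new ReasonsMask(idp.getOnlySomeReasons()));
    }
    // (d) (4)
    if (!idpRestricts && !dpRestricts)
    {
        return ReasonsMask.allReasons;
    }
    // (d) (2) and (d)(3): exactly one side restricts. The unrestricted side
    // contributes allReasons, so a null ReasonFlags is never handed to the
    // ReasonsMask constructor (previously an IDP without onlySomeReasons
    // combined with a DP that lists reasons reached it with null).
    ReasonsMask dpMask = dpRestricts ? new ReasonsMask(dp.getReasons()) : ReasonsMask.allReasons;
    ReasonsMask idpMask = idpRestricts ? new ReasonsMask(idp.getOnlySomeReasons()) : ReasonsMask.allReasons;
    return dpMask.intersect(idpMask);
}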
 
Example 39
Project: bc-java   File: X509CRLObject.java
/**
 * Tells whether a CRL carries an issuing distribution point extension with
 * the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return false when the extension is absent, otherwise the value of its
 *         indirectCRL flag.
 * @throws CRLException if the extension is present but cannot be read; a
 *         malformed extension is reported, not treated as "not indirect".
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extValue = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        if (extValue == null)
        {
            return false;
        }

        // the helper turns the raw extension value into the object getInstance decodes
        return IssuingDistributionPoint.getInstance(X509ExtensionUtil.fromExtensionValue(extValue))
            .isIndirectCRL();
    }
    catch (Exception e)
    {
        throw new ExtCRLException("Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 40
Project: bc-java   File: X509CRLObject.java
/**
 * Tells whether the given CRL carries an issuing distribution point
 * extension with the indirectCRL flag set.
 *
 * @param crl the CRL to inspect.
 * @return {@code true} only if the extension is present and flags the CRL as
 *         indirect.
 * @throws CRLException (as ExtCRLException) wrapping any failure while
 *                      reading or decoding the extension.
 */
static boolean isIndirectCRL(X509CRL crl)
    throws CRLException
{
    try
    {
        byte[] extensionOctets = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
        boolean indirect = false;
        if (extensionOctets != null)
        {
            // The raw value is unwrapped first, then parsed as an IssuingDistributionPoint.
            indirect = IssuingDistributionPoint.getInstance(
                X509ExtensionUtil.fromExtensionValue(extensionOctets)).isIndirectCRL();
        }
        return indirect;
    }
    catch (Exception e)
    {
        throw new ExtCRLException(
                "Exception reading IssuingDistributionPoint", e);
    }
}
 
Example 41
Project: ipack   File: RFC3280CertPathUtilities.java   Source Code and License 4 votes vote down vote up
/**
 * Checks that the CRL comes from the issuer the distribution point expects.
 * <p>
 * If the DP includes cRLIssuer, the issuer of the complete CRL must equal one
 * of the directoryName entries in cRLIssuer, and the CRL must carry an issuing
 * distribution point extension with the indirectCRL boolean asserted.
 * Otherwise the CRL issuer must match the certificate issuer.
 * <p>
 * NOTE(review): decoding of the issuing distribution point is not wrapped
 * here, so an unchecked exception raised by
 * {@code IssuingDistributionPoint.getInstance} on a malformed extension would
 * propagate as-is rather than as AnnotatedException; confirm callers expect that.
 *
 * @param dp   The distribution point.
 * @param cert The certificate or attribute certificate.
 * @param crl  The CRL for {@code cert}.
 * @throws AnnotatedException if one of the above conditions does not apply or an error
 *                            occurs.
 */
protected static void processCRLB1(
    DistributionPoint dp,
    Object cert,
    X509CRL crl)
    throws AnnotatedException
{
    ASN1Primitive idpValue = CertPathValidatorUtilities.getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
    // A CRL without the extension is treated as a direct CRL.
    boolean indirect = idpValue != null && IssuingDistributionPoint.getInstance(idpValue).isIndirectCRL();
    byte[] crlIssuerEncoding = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();

    if (dp.getCRLIssuer() == null)
    {
        // No cRLIssuer in the DP: the CRL has to be issued by the certificate's own issuer.
        if (!CertPathValidatorUtilities.getIssuerPrincipal(crl).equals(
            CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert)))
        {
            throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
        }
        return;
    }

    // cRLIssuer present: compare the encoded CRL issuer with every directoryName entry.
    boolean issuerMatched = false;
    GeneralName[] candidates = dp.getCRLIssuer().getNames();
    for (int i = 0; i != candidates.length; i++)
    {
        if (candidates[i].getTagNo() != GeneralName.directoryName)
        {
            continue;
        }
        try
        {
            issuerMatched |= Arrays.areEqual(
                candidates[i].getName().toASN1Primitive().getEncoded(), crlIssuerEncoding);
        }
        catch (IOException e)
        {
            throw new AnnotatedException(
                "CRL issuer information from distribution point cannot be decoded.", e);
        }
    }

    if (!issuerMatched)
    {
        throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
    }
    if (!indirect)
    {
        // A matching cRLIssuer is only acceptable when the CRL declares itself indirect.
        throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
    }
}
 
Example 42
Project: keystore-explorer   File: X509Ext.java   Source Code and License 4 votes vote down vote up
/**
 * Renders an encoded IssuingDistributionPoint extension value as display text.
 * <p>
 * The optional distribution point name and onlySomeReasons are printed only
 * when present; the four boolean fields are always printed, one per line.
 *
 * @param value the encoded IssuingDistributionPoint.
 * @return the formatted, multi-line description.
 * @throws IOException declared for decoding problems (presumably raised by the
 *                     helper methods; not visible in this method).
 */
private String getIssuingDistributionPointStringValue(byte[] value) throws IOException {
	// @formatter:off

	/*
	 * IssuingDistributionPoint ::= ASN1Sequence {
	 *     distributionPoint [0] DistributionPointName OPTIONAL,
	 *     onlyContainsUserCerts [1] ASN1Boolean DEFAULT FALSE,
	 *     onlyContainsCACerts [2] ASN1Boolean DEFAULT FALSE,
	 *     onlySomeReasons [3] ReasonFlags OPTIONAL,
	 *     indirectCRL [4] ASN1Boolean DEFAULT FALSE,
	 *     onlyContainsAttributeCerts [5] ASN1Boolean DEFAULT FALSE }
	 */

	// @formatter:on

	/*
	 * Fields with a DEFAULT come back as false when absent, so only the
	 * two OPTIONAL fields need a null check.
	 */

	StringBuilder text = new StringBuilder();

	IssuingDistributionPoint idp = IssuingDistributionPoint.getInstance(value);

	DistributionPointName pointName = idp.getDistributionPoint();
	if (pointName != null) { // Optional
		text.append(getDistributionPointNameString(pointName, ""));
	}

	boolean userCertsOnly = idp.onlyContainsUserCerts();
	text.append(MessageFormat.format(res.getString("OnlyContainsUserCerts"), userCertsOnly)).append(NEWLINE);

	boolean caCertsOnly = idp.onlyContainsCACerts();
	text.append(MessageFormat.format(res.getString("OnlyContainsCaCerts"), caCertsOnly)).append(NEWLINE);

	ReasonFlags someReasons = idp.getOnlySomeReasons();
	if (someReasons != null) { // Optional
		text.append(res.getString("OnlySomeReasons")).append(NEWLINE);

		// One indented line per reason flag that is set.
		for (String reason : getReasonFlagsStrings(someReasons)) {
			text.append(INDENT).append(reason).append(NEWLINE);
		}
	}

	boolean indirect = idp.isIndirectCRL();
	text.append(MessageFormat.format(res.getString("IndirectCrl"), indirect)).append(NEWLINE);

	boolean attributeCertsOnly = idp.onlyContainsAttributeCerts();
	text.append(MessageFormat.format(res.getString("OnlyContainsAttributeCerts"), attributeCertsOnly))
		.append(NEWLINE);

	return text.toString();
}
 
Example 43
Project: CryptMeme   File: RFC3280CertPathUtilities.java   Source Code and License 4 votes vote down vote up
/**
 * Checks that the CRL comes from the issuer the distribution point expects.
 * <p>
 * If the DP includes cRLIssuer, the issuer of the complete CRL must equal one
 * of the directoryName entries in cRLIssuer, and the CRL must carry an issuing
 * distribution point extension with the indirectCRL boolean asserted.
 * Otherwise the CRL issuer must match the certificate issuer.
 * <p>
 * NOTE(review): decoding of the issuing distribution point is not wrapped
 * here, so an unchecked exception raised by
 * {@code IssuingDistributionPoint.getInstance} on a malformed extension would
 * propagate as-is rather than as AnnotatedException; confirm callers expect that.
 *
 * @param dp   The distribution point.
 * @param cert The certificate or attribute certificate.
 * @param crl  The CRL for {@code cert}.
 * @throws AnnotatedException if one of the above conditions does not apply or an error
 *                            occurs.
 */
protected static void processCRLB1(
    DistributionPoint dp,
    Object cert,
    X509CRL crl)
    throws AnnotatedException
{
    ASN1Primitive idpValue = CertPathValidatorUtilities.getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
    // A CRL without the extension is treated as a direct CRL.
    boolean indirect = idpValue != null && IssuingDistributionPoint.getInstance(idpValue).isIndirectCRL();
    byte[] crlIssuerEncoding = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();

    if (dp.getCRLIssuer() == null)
    {
        // No cRLIssuer in the DP: the CRL has to be issued by the certificate's own issuer.
        if (!CertPathValidatorUtilities.getIssuerPrincipal(crl).equals(
            CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert)))
        {
            throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
        }
        return;
    }

    // cRLIssuer present: compare the encoded CRL issuer with every directoryName entry.
    boolean issuerMatched = false;
    GeneralName[] candidates = dp.getCRLIssuer().getNames();
    for (int i = 0; i != candidates.length; i++)
    {
        if (candidates[i].getTagNo() != GeneralName.directoryName)
        {
            continue;
        }
        try
        {
            issuerMatched |= Arrays.areEqual(
                candidates[i].getName().toASN1Primitive().getEncoded(), crlIssuerEncoding);
        }
        catch (IOException e)
        {
            throw new AnnotatedException(
                "CRL issuer information from distribution point cannot be decoded.", e);
        }
    }

    if (!issuerMatched)
    {
        throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
    }
    if (!indirect)
    {
        // A matching cRLIssuer is only acceptable when the CRL declares itself indirect.
        throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
    }
}
 
Example 44
Project: irma_future_id   File: RFC3280CertPathUtilities.java   Source Code and License 4 votes vote down vote up
/**
 * Checks that the CRL comes from the issuer the distribution point expects.
 * <p>
 * If the DP includes cRLIssuer, the issuer of the complete CRL must equal one
 * of the directoryName entries in cRLIssuer, and the CRL must carry an issuing
 * distribution point extension with the indirectCRL boolean asserted.
 * Otherwise the CRL issuer must match the certificate issuer.
 * <p>
 * NOTE(review): decoding of the issuing distribution point is not wrapped
 * here, so an unchecked exception raised by
 * {@code IssuingDistributionPoint.getInstance} on a malformed extension would
 * propagate as-is rather than as AnnotatedException; confirm callers expect that.
 *
 * @param dp   The distribution point.
 * @param cert The certificate or attribute certificate.
 * @param crl  The CRL for {@code cert}.
 * @throws AnnotatedException if one of the above conditions does not apply or an error
 *                            occurs.
 */
protected static void processCRLB1(
    DistributionPoint dp,
    Object cert,
    X509CRL crl)
    throws AnnotatedException
{
    ASN1Primitive idpValue = CertPathValidatorUtilities.getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
    // A CRL without the extension is treated as a direct CRL.
    boolean indirect = idpValue != null && IssuingDistributionPoint.getInstance(idpValue).isIndirectCRL();
    byte[] crlIssuerEncoding = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();

    if (dp.getCRLIssuer() == null)
    {
        // No cRLIssuer in the DP: the CRL has to be issued by the certificate's own issuer.
        if (!CertPathValidatorUtilities.getIssuerPrincipal(crl).equals(
            CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert)))
        {
            throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
        }
        return;
    }

    // cRLIssuer present: compare the encoded CRL issuer with every directoryName entry.
    boolean issuerMatched = false;
    GeneralName[] candidates = dp.getCRLIssuer().getNames();
    for (int i = 0; i != candidates.length; i++)
    {
        if (candidates[i].getTagNo() != GeneralName.directoryName)
        {
            continue;
        }
        try
        {
            issuerMatched |= Arrays.areEqual(
                candidates[i].getName().toASN1Primitive().getEncoded(), crlIssuerEncoding);
        }
        catch (IOException e)
        {
            throw new AnnotatedException(
                "CRL issuer information from distribution point cannot be decoded.", e);
        }
    }

    if (!issuerMatched)
    {
        throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
    }
    if (!indirect)
    {
        // A matching cRLIssuer is only acceptable when the CRL declares itself indirect.
        throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
    }
}
 
Example 45
Project: irma_future_id   File: RFC3280CertPathUtilities.java   Source Code and License 4 votes vote down vote up
/**
 * Checks that the CRL comes from the issuer the distribution point expects.
 * <p>
 * If the DP includes cRLIssuer, the issuer of the complete CRL must equal one
 * of the directoryName entries in cRLIssuer, and the CRL must carry an issuing
 * distribution point extension with the indirectCRL boolean asserted.
 * Otherwise the CRL issuer must match the certificate issuer.
 * <p>
 * NOTE(review): decoding of the issuing distribution point is not wrapped
 * here, so an unchecked exception raised by
 * {@code IssuingDistributionPoint.getInstance} on a malformed extension would
 * propagate as-is rather than as AnnotatedException; confirm callers expect that.
 *
 * @param dp   The distribution point.
 * @param cert The certificate or attribute certificate.
 * @param crl  The CRL for {@code cert}.
 * @throws AnnotatedException if one of the above conditions does not apply or an error
 *                            occurs.
 */
protected static void processCRLB1(
    DistributionPoint dp,
    Object cert,
    X509CRL crl)
    throws AnnotatedException
{
    ASN1Primitive idpValue = CertPathValidatorUtilities.getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
    // A CRL without the extension is treated as a direct CRL.
    boolean indirect = idpValue != null && IssuingDistributionPoint.getInstance(idpValue).isIndirectCRL();
    byte[] crlIssuerEncoding = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();

    if (dp.getCRLIssuer() == null)
    {
        // No cRLIssuer in the DP: the CRL has to be issued by the certificate's own issuer.
        if (!CertPathValidatorUtilities.getIssuerPrincipal(crl).equals(
            CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert)))
        {
            throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
        }
        return;
    }

    // cRLIssuer present: compare the encoded CRL issuer with every directoryName entry.
    boolean issuerMatched = false;
    GeneralName[] candidates = dp.getCRLIssuer().getNames();
    for (int i = 0; i != candidates.length; i++)
    {
        if (candidates[i].getTagNo() != GeneralName.directoryName)
        {
            continue;
        }
        try
        {
            issuerMatched |= Arrays.areEqual(
                candidates[i].getName().toASN1Primitive().getEncoded(), crlIssuerEncoding);
        }
        catch (IOException e)
        {
            throw new AnnotatedException(
                "CRL issuer information from distribution point cannot be decoded.", e);
        }
    }

    if (!issuerMatched)
    {
        throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
    }
    if (!indirect)
    {
        // A matching cRLIssuer is only acceptable when the CRL declares itself indirect.
        throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
    }
}
 
Example 46
Project: bc-java   File: RFC3280CertPathUtilities.java   Source Code and License 4 votes vote down vote up
/**
 * Checks that the CRL comes from the issuer the distribution point expects.
 * <p>
 * If the DP includes cRLIssuer, the issuer of the complete CRL must equal one
 * of the directoryName entries in cRLIssuer, and the CRL must carry an issuing
 * distribution point extension with the indirectCRL boolean asserted.
 * Otherwise the CRL issuer must match the certificate issuer.
 * <p>
 * NOTE(review): decoding of the issuing distribution point is not wrapped
 * here, so an unchecked exception raised by
 * {@code IssuingDistributionPoint.getInstance} on a malformed extension would
 * propagate as-is rather than as AnnotatedException; confirm callers expect that.
 *
 * @param dp   The distribution point.
 * @param cert The certificate or attribute certificate.
 * @param crl  The CRL for {@code cert}.
 * @throws AnnotatedException if one of the above conditions does not apply or an error
 *                            occurs.
 */
protected static void processCRLB1(
    DistributionPoint dp,
    Object cert,
    X509CRL crl)
    throws AnnotatedException
{
    ASN1Primitive idpValue = CertPathValidatorUtilities.getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
    // A CRL without the extension is treated as a direct CRL.
    boolean indirect = idpValue != null && IssuingDistributionPoint.getInstance(idpValue).isIndirectCRL();
    byte[] crlIssuerEncoding = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();

    if (dp.getCRLIssuer() == null)
    {
        // No cRLIssuer in the DP: the CRL has to be issued by the certificate's own issuer.
        if (!CertPathValidatorUtilities.getIssuerPrincipal(crl).equals(
            CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert)))
        {
            throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
        }
        return;
    }

    // cRLIssuer present: compare the encoded CRL issuer with every directoryName entry.
    boolean issuerMatched = false;
    GeneralName[] candidates = dp.getCRLIssuer().getNames();
    for (int i = 0; i != candidates.length; i++)
    {
        if (candidates[i].getTagNo() != GeneralName.directoryName)
        {
            continue;
        }
        try
        {
            issuerMatched |= Arrays.areEqual(
                candidates[i].getName().toASN1Primitive().getEncoded(), crlIssuerEncoding);
        }
        catch (IOException e)
        {
            throw new AnnotatedException(
                "CRL issuer information from distribution point cannot be decoded.", e);
        }
    }

    if (!issuerMatched)
    {
        throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
    }
    if (!indirect)
    {
        // A matching cRLIssuer is only acceptable when the CRL declares itself indirect.
        throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
    }
}
 
Example 47
Project: bc-java   File: RFC3280CertPathUtilities.java   Source Code and License 4 votes vote down vote up
/**
 * Checks that the CRL comes from the issuer the distribution point expects.
 * <p>
 * If the DP includes cRLIssuer, the issuer of the complete CRL must equal one
 * of the directoryName entries in cRLIssuer, and the CRL must carry an issuing
 * distribution point extension with the indirectCRL boolean asserted.
 * Otherwise the CRL issuer must match the certificate issuer.
 * <p>
 * NOTE(review): decoding of the issuing distribution point is not wrapped
 * here, so an unchecked exception raised by
 * {@code IssuingDistributionPoint.getInstance} on a malformed extension would
 * propagate as-is rather than as AnnotatedException; confirm callers expect that.
 *
 * @param dp   The distribution point.
 * @param cert The certificate or attribute certificate.
 * @param crl  The CRL for {@code cert}.
 * @throws AnnotatedException if one of the above conditions does not apply or an error
 *                            occurs.
 */
protected static void processCRLB1(
    DistributionPoint dp,
    Object cert,
    X509CRL crl)
    throws AnnotatedException
{
    ASN1Primitive idpValue = CertPathValidatorUtilities.getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
    // A CRL without the extension is treated as a direct CRL.
    boolean indirect = idpValue != null && IssuingDistributionPoint.getInstance(idpValue).isIndirectCRL();
    byte[] crlIssuerEncoding = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();

    if (dp.getCRLIssuer() == null)
    {
        // No cRLIssuer in the DP: the CRL has to be issued by the certificate's own issuer.
        if (!CertPathValidatorUtilities.getIssuerPrincipal(crl).equals(
            CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert)))
        {
            throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
        }
        return;
    }

    // cRLIssuer present: compare the encoded CRL issuer with every directoryName entry.
    boolean issuerMatched = false;
    GeneralName[] candidates = dp.getCRLIssuer().getNames();
    for (int i = 0; i != candidates.length; i++)
    {
        if (candidates[i].getTagNo() != GeneralName.directoryName)
        {
            continue;
        }
        try
        {
            issuerMatched |= Arrays.areEqual(
                candidates[i].getName().toASN1Primitive().getEncoded(), crlIssuerEncoding);
        }
        catch (IOException e)
        {
            throw new AnnotatedException(
                "CRL issuer information from distribution point cannot be decoded.", e);
        }
    }

    if (!issuerMatched)
    {
        throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
    }
    if (!indirect)
    {
        // A matching cRLIssuer is only acceptable when the CRL declares itself indirect.
        throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
    }
}
 
Example 48
Project: irma_future_id   File: CertTest.java   Source Code and License 2 votes vote down vote up
/**
 * Builds a CRL with a critical issuing distribution point extension, signed
 * with the "ca" key from the test PKCS#12 store, whose single entry revokes
 * the CA certificate and names its issuer through a certificateIssuer entry
 * extension. The CRL is checked as a holder, as a BC-converted X509CRL, and
 * again after re-parsing its encoding with the default X.509 CertificateFactory.
 */
private void testIndirect()
    throws Exception
{
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");
    store.load(new ByteArrayInputStream(testCAp12), "test".toCharArray());

    X509Certificate caCert = (X509Certificate) store.getCertificate("ca");
    PrivateKey signingKey = (PrivateKey) store.getKey("ca", null);

    X500Name crlIssuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    X500Name caName = X500Name.getInstance(caCert.getIssuerX500Principal().getEncoded());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, new Date());

    // Second constructor argument is presumably the indirectCRL flag - confirm against the BC API.
    crlBuilder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    // Entry extensions: revocation reason plus the (critical) certificate issuer.
    ExtensionsGenerator entryExtensions = new ExtensionsGenerator();
    entryExtensions.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    entryExtensions.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(caName)));

    crlBuilder.addCRLEntry(caCert.getSerialNumber(), new Date(), entryExtensions.generate());

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    signerBuilder.setProvider("BC");

    X509CRLHolder holder = crlBuilder.build(signerBuilder.build(signingKey));

    boolean signatureOk = holder.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider("BC").build(caCert));
    if (!signatureOk)
    {
        fail("CRL signature not valid");
    }

    X509CRLEntryHolder entry = holder.getRevokedCertificate(caCert.getSerialNumber());
    GeneralNames expectedIssuer = new GeneralNames(
        new GeneralName(X500Name.getInstance(caCert.getIssuerX500Principal().getEncoded())));
    if (!entry.getCertificateIssuer().equals(expectedIssuer))
    {
        fail("certificate issuer incorrect");
    }

    JcaX509CRLConverter crlConverter = new JcaX509CRLConverter();
    crlConverter.setProvider("BC");

    X509CRL bcCrl = crlConverter.getCRL(holder);
    bcCrl.verify(caCert.getPublicKey());
    if (!bcCrl.isRevoked(caCert))
    {
        fail("Certificate should be revoked");
    }

    // Round trip: encode the CRL and parse it again without naming a provider.
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    X509CRL reparsedCrl = (X509CRL) factory.generateCRL(new ByteArrayInputStream(bcCrl.getEncoded()));

    reparsedCrl.verify(caCert.getPublicKey());
    if (!reparsedCrl.isRevoked(caCert))
    {
        fail("This certificate should also be revoked");
    }
}
 
Example 49
Project: irma_future_id   File: CertTest.java   Source Code and License 2 votes vote down vote up
/**
 * Builds a CRL with a critical issuing distribution point extension, signed
 * with the "ca" key from the test PKCS#12 store, whose single entry revokes
 * the CA certificate and carries a certificateIssuer entry extension. The CRL
 * is verified through the BC converter and again after re-parsing its
 * encoding with the default X.509 CertificateFactory.
 */
private void testIndirect()
    throws Exception
{
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");
    store.load(new ByteArrayInputStream(testCAp12), "test".toCharArray());

    X509Certificate caCert = (X509Certificate) store.getCertificate("ca");
    PrivateKey signingKey = (PrivateKey) store.getKey("ca", null);

    X500Name crlIssuer = X500Name.getInstance(PrincipalUtil.getSubjectX509Principal(caCert).getEncoded());
    X500Name caName = X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(caCert).getEncoded());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, new Date());

    // Second constructor argument is presumably the indirectCRL flag - confirm against the BC API.
    crlBuilder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    // Entry extensions: revocation reason plus the (critical) certificate issuer.
    ExtensionsGenerator entryExtensions = new ExtensionsGenerator();
    entryExtensions.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    entryExtensions.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(caName)));

    crlBuilder.addCRLEntry(caCert.getSerialNumber(), new Date(), entryExtensions.generate());

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    signerBuilder.setProvider("BC");

    X509CRLHolder holder = crlBuilder.build(signerBuilder.build(signingKey));

    JcaX509CRLConverter crlConverter = new JcaX509CRLConverter();
    crlConverter.setProvider("BC");

    X509CRL bcCrl = crlConverter.getCRL(holder);
    bcCrl.verify(caCert.getPublicKey());
    if (!bcCrl.isRevoked(caCert))
    {
        fail("Certificate should be revoked");
    }

    // Round trip: encode the CRL and parse it again without naming a provider.
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    X509CRL reparsedCrl = (X509CRL) factory.generateCRL(new ByteArrayInputStream(bcCrl.getEncoded()));

    reparsedCrl.verify(caCert.getPublicKey());
    if (!reparsedCrl.isRevoked(caCert))
    {
        fail("This certificate should also be revoked");
    }
}
 
Example 50
Project: irma_future_id   File: CertTest.java   Source Code and License 2 votes vote down vote up
/**
 * Builds a CRL with a critical issuing distribution point extension, signed
 * with the "ca" key from the test PKCS#12 store, whose single entry revokes
 * the CA certificate and names its issuer through a certificateIssuer entry
 * extension. The CRL is checked as a holder, as a BC-converted X509CRL, and
 * again after re-parsing its encoding with the default X.509 CertificateFactory.
 */
private void testIndirect()
    throws Exception
{
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");
    store.load(new ByteArrayInputStream(testCAp12), "test".toCharArray());

    X509Certificate caCert = (X509Certificate) store.getCertificate("ca");
    PrivateKey signingKey = (PrivateKey) store.getKey("ca", null);

    X500Name crlIssuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    X500Name caName = X500Name.getInstance(caCert.getIssuerX500Principal().getEncoded());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, new Date());

    // Second constructor argument is presumably the indirectCRL flag - confirm against the BC API.
    crlBuilder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    // Entry extensions: revocation reason plus the (critical) certificate issuer.
    ExtensionsGenerator entryExtensions = new ExtensionsGenerator();
    entryExtensions.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    entryExtensions.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(caName)));

    crlBuilder.addCRLEntry(caCert.getSerialNumber(), new Date(), entryExtensions.generate());

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    signerBuilder.setProvider("BC");

    X509CRLHolder holder = crlBuilder.build(signerBuilder.build(signingKey));

    boolean signatureOk = holder.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider("BC").build(caCert));
    if (!signatureOk)
    {
        fail("CRL signature not valid");
    }

    X509CRLEntryHolder entry = holder.getRevokedCertificate(caCert.getSerialNumber());
    GeneralNames expectedIssuer = new GeneralNames(
        new GeneralName(X500Name.getInstance(caCert.getIssuerX500Principal().getEncoded())));
    if (!entry.getCertificateIssuer().equals(expectedIssuer))
    {
        fail("certificate issuer incorrect");
    }

    JcaX509CRLConverter crlConverter = new JcaX509CRLConverter();
    crlConverter.setProvider("BC");

    X509CRL bcCrl = crlConverter.getCRL(holder);
    bcCrl.verify(caCert.getPublicKey());
    if (!bcCrl.isRevoked(caCert))
    {
        fail("Certificate should be revoked");
    }

    // Round trip: encode the CRL and parse it again without naming a provider.
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    X509CRL reparsedCrl = (X509CRL) factory.generateCRL(new ByteArrayInputStream(bcCrl.getEncoded()));

    reparsedCrl.verify(caCert.getPublicKey());
    if (!reparsedCrl.isRevoked(caCert))
    {
        fail("This certificate should also be revoked");
    }
}
 
Example 51
Project: irma_future_id   File: CertTest.java   Source Code and License 2 votes vote down vote up
/**
 * Builds a CRL with a critical issuing distribution point extension and four
 * entries, only the third of which (the CA certificate's serial) carries a
 * certificateIssuer entry extension. The test then checks which issuer each
 * looked-up entry reports: the entry with the extension and the one added
 * after it (130) are expected to report the CA name, while an entry added
 * before it (100) is expected to report the CRL's own issuer.
 */
private void testIndirect2()
    throws Exception
{
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");
    store.load(new ByteArrayInputStream(testCAp12), "test".toCharArray());

    X509Certificate caCert = (X509Certificate) store.getCertificate("ca");
    PrivateKey signingKey = (PrivateKey) store.getKey("ca", null);

    X500Name crlIssuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    X500Name caName = X500Name.getInstance(caCert.getIssuerX500Principal().getEncoded());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, new Date());

    // Second constructor argument is presumably the indirectCRL flag - confirm against the BC API.
    crlBuilder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    // Two plain entries ahead of the one that names a certificate issuer.
    crlBuilder.addCRLEntry(BigInteger.valueOf(100), new Date(), CRLReason.cACompromise);
    crlBuilder.addCRLEntry(BigInteger.valueOf(120), new Date(), CRLReason.cACompromise);

    ExtensionsGenerator entryExtensions = new ExtensionsGenerator();
    entryExtensions.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    entryExtensions.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(caName)));

    crlBuilder.addCRLEntry(caCert.getSerialNumber(), new Date(), entryExtensions.generate());

    // One plain entry after it.
    crlBuilder.addCRLEntry(BigInteger.valueOf(130), new Date(), CRLReason.cACompromise);

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    signerBuilder.setProvider("BC");

    X509CRLHolder holder = crlBuilder.build(signerBuilder.build(signingKey));

    boolean signatureOk = holder.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider("BC").build(caCert));
    if (!signatureOk)
    {
        fail("CRL signature not valid");
    }

    // Entry that carries the certificateIssuer extension itself.
    X509CRLEntryHolder entry = holder.getRevokedCertificate(caCert.getSerialNumber());
    if (!entry.getCertificateIssuer().equals(new GeneralNames(new GeneralName(caName))))
    {
        fail("certificate issuer incorrect");
    }

    // Entry added after it: expected to report the same issuer.
    entry = holder.getRevokedCertificate(BigInteger.valueOf(130));
    if (!entry.getCertificateIssuer().equals(new GeneralNames(new GeneralName(caName))))
    {
        fail("certificate issuer incorrect");
    }

    // Entry added before it: expected to report the CRL's own issuer.
    entry = holder.getRevokedCertificate(BigInteger.valueOf(100));
    if (!entry.getCertificateIssuer().equals(new GeneralNames(new GeneralName(holder.getIssuer()))))
    {
        fail("certificate issuer incorrect");
    }

    JcaX509CRLConverter crlConverter = new JcaX509CRLConverter();
    crlConverter.setProvider("BC");

    X509CRL bcCrl = crlConverter.getCRL(holder);
    bcCrl.verify(caCert.getPublicKey());
}
 
Example 52
Project: irma_future_id   File: CertTest.java   Source Code and License 2 votes vote down vote up
/**
 * Builds a CRL with a critical issuing distribution point extension, signed
 * with the "ca" key from the test PKCS#12 store, whose single entry revokes
 * the CA certificate and carries a certificateIssuer entry extension. The CRL
 * is verified through the BC converter and again after re-parsing its
 * encoding with the default X.509 CertificateFactory.
 */
private void testIndirect()
    throws Exception
{
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");
    store.load(new ByteArrayInputStream(testCAp12), "test".toCharArray());

    X509Certificate caCert = (X509Certificate) store.getCertificate("ca");
    PrivateKey signingKey = (PrivateKey) store.getKey("ca", null);

    X500Name crlIssuer = X500Name.getInstance(PrincipalUtil.getSubjectX509Principal(caCert).getEncoded());
    X500Name caName = X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(caCert).getEncoded());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(crlIssuer, new Date());

    // Second constructor argument is presumably the indirectCRL flag - confirm against the BC API.
    crlBuilder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    // Entry extensions: revocation reason plus the (critical) certificate issuer.
    ExtensionsGenerator entryExtensions = new ExtensionsGenerator();
    entryExtensions.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    entryExtensions.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(caName)));

    crlBuilder.addCRLEntry(caCert.getSerialNumber(), new Date(), entryExtensions.generate());

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    signerBuilder.setProvider("BC");

    X509CRLHolder holder = crlBuilder.build(signerBuilder.build(signingKey));

    JcaX509CRLConverter crlConverter = new JcaX509CRLConverter();
    crlConverter.setProvider("BC");

    X509CRL bcCrl = crlConverter.getCRL(holder);
    bcCrl.verify(caCert.getPublicKey());
    if (!bcCrl.isRevoked(caCert))
    {
        fail("Certificate should be revoked");
    }

    // Round trip: encode the CRL and parse it again without naming a provider.
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    X509CRL reparsedCrl = (X509CRL) factory.generateCRL(new ByteArrayInputStream(bcCrl.getEncoded()));

    reparsedCrl.verify(caCert.getPublicKey());
    if (!reparsedCrl.isRevoked(caCert))
    {
        fail("This certificate should also be revoked");
    }
}
 
Example 53
Project: bc-java   File: CertTest.java   Source Code and License 2 votes vote down vote up
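/**
 * Builds an indirect CRL signed with the "ca" key from the test PKCS#12 store, revokes that
 * same certificate through an entry carrying an explicit certificateIssuer extension, and
 * checks the result three ways: through the BC holder API, through the BC-converted
 * {@code X509CRL}, and after re-parsing the encoding with a {@code CertificateFactory}
 * obtained without naming a provider.
 *
 * @throws Exception if key store loading, CRL construction, signing or verification fails
 */
private void testIndirect()
    throws Exception
{
    KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");

    ByteArrayInputStream input = new ByteArrayInputStream(testCAp12);

    // fixture credentials: store password "test", no separate key password
    keyStore.load(input, "test".toCharArray());

    X509Certificate certificate = (X509Certificate) keyStore.getCertificate("ca");
    PrivateKey privateKey = (PrivateKey) keyStore.getKey("ca", null);

    // the CRL is issued under the certificate's subject name; the revoked entry is
    // attributed to the certificate's issuer name
    X500Name crlIssuer = X500Name.getInstance(certificate.getSubjectX500Principal().getEncoded());
    X500Name caName = X500Name.getInstance(certificate.getIssuerX500Principal().getEncoded());

    X509v2CRLBuilder builder = new X509v2CRLBuilder(crlIssuer, new Date());

    // IssuingDistributionPoint(distributionPoint, indirectCRL, onlyContainsAttributeCerts):
    // no distribution point name, indirectCRL = true. The extension is critical, so a relying
    // party that does not understand indirect CRLs must not use this CRL.
    builder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    ExtensionsGenerator extGen = new ExtensionsGenerator();

    extGen.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    // certificateIssuer names the CA whose certificate this entry revokes; it is marked critical here
    extGen.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(caName)));

    builder.addCRLEntry(certificate.getSerialNumber(), new Date(), extGen.generate());

    JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");

    contentSignerBuilder.setProvider("BC");

    X509CRLHolder cRLHolder = builder.build(contentSignerBuilder.build(privateKey));

    if (!cRLHolder.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(certificate)))
    {
        fail("CRL signature not valid");
    }

    X509CRLEntryHolder cRLEntryHolder = cRLHolder.getRevokedCertificate(certificate.getSerialNumber());

    // report a missing entry as a test failure instead of a NullPointerException below
    if (cRLEntryHolder == null)
    {
        fail("revoked certificate entry not found in CRL");
    }

    // caName was built from the same issuer principal encoding, so compare against it directly
    if (!cRLEntryHolder.getCertificateIssuer().equals(new GeneralNames(new GeneralName(caName))))
    {
        fail("certificate issuer incorrect");
    }

    JcaX509CRLConverter converter = new JcaX509CRLConverter();

    converter.setProvider("BC");

    X509CRL crl = converter.getCRL(cRLHolder);

    // verify() checks only the signature against the supplied key; whether that key's owner
    // is authorised to issue CRLs for caName is a path-validation question not covered here
    crl.verify(certificate.getPublicKey());

    if (!crl.isRevoked(certificate))
    {
        fail("Certificate should be revoked");
    }

    // now encode the CRL and load the CRL with the JCE provider

    CertificateFactory fac = CertificateFactory.getInstance("X.509");

    X509CRL jceCRL = (X509CRL) fac.generateCRL(new ByteArrayInputStream(crl.getEncoded()));

    jceCRL.verify(certificate.getPublicKey());

    if (!jceCRL.isRevoked(certificate))
    {
        fail("This certificate should also be revoked");
    }
}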
 
Example 54
Project: bc-java   File: CertTest.java
/**
 * Issues an indirect CRL with the "ca" key from the test PKCS#12 store, lists that same
 * certificate as revoked with an explicit certificateIssuer entry extension, and confirms
 * that both the BC-converted CRL and a re-parsed copy report the certificate as revoked.
 *
 * @throws Exception if key store loading, CRL construction, signing or verification fails
 */
private void testIndirect()
    throws Exception
{
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");

    // fixture credentials: store password "test", no separate key password
    store.load(new ByteArrayInputStream(testCAp12), "test".toCharArray());

    X509Certificate certificate = (X509Certificate) store.getCertificate("ca");
    PrivateKey signingKey = (PrivateKey) store.getKey("ca", null);

    // CRL issuer name = certificate subject; entry issuer name = certificate issuer
    X500Name issuerOfCrl = X500Name.getInstance(PrincipalUtil.getSubjectX509Principal(certificate).getEncoded());
    X500Name issuerOfCert = X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(certificate).getEncoded());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerOfCrl, new Date());

    // critical issuingDistributionPoint with no name and indirectCRL = true
    // (constructor arguments: distributionPoint, indirectCRL, onlyContainsAttributeCerts)
    crlBuilder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    // per-entry extensions: the revocation reason and the CA the revoked certificate belongs to
    ExtensionsGenerator entryExtensions = new ExtensionsGenerator();
    entryExtensions.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    entryExtensions.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(issuerOfCert)));

    crlBuilder.addCRLEntry(certificate.getSerialNumber(), new Date(), entryExtensions.generate());

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    signerBuilder.setProvider("BC");

    X509CRLHolder signedHolder = crlBuilder.build(signerBuilder.build(signingKey));

    JcaX509CRLConverter toJca = new JcaX509CRLConverter();
    toJca.setProvider("BC");

    X509CRL bcCrl = toJca.getCRL(signedHolder);

    // verify() checks the signature only; it does not establish that the signer is
    // authorised to issue CRLs on behalf of the entry's certificate issuer
    bcCrl.verify(certificate.getPublicKey());

    if (!bcCrl.isRevoked(certificate))
    {
        fail("Certificate should be revoked");
    }

    // round-trip the encoding through a CertificateFactory obtained without naming a provider
    CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
    ByteArrayInputStream encodedCrl = new ByteArrayInputStream(bcCrl.getEncoded());

    X509CRL reparsedCrl = (X509CRL) x509Factory.generateCRL(encodedCrl);

    reparsedCrl.verify(certificate.getPublicKey());

    if (!reparsedCrl.isRevoked(certificate))
    {
        fail("This certificate should also be revoked");
    }
}
 
Example 55
Project: bc-java   File: CertTest.java
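/**
 * Exercises an indirect CRL end to end: the "ca" key from the test PKCS#12 store signs a CRL
 * whose single entry revokes the "ca" certificate itself and names the certificate's issuer in
 * a certificateIssuer extension. The CRL is checked via the BC holder API, via the
 * BC-converted {@code X509CRL}, and again after re-parsing its encoding.
 *
 * @throws Exception if key store loading, CRL construction, signing or verification fails
 */
private void testIndirect()
    throws Exception
{
    KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");

    ByteArrayInputStream input = new ByteArrayInputStream(testCAp12);

    // test-only credentials: store password "test", key read with a null password
    keyStore.load(input, "test".toCharArray());

    X509Certificate certificate = (X509Certificate) keyStore.getCertificate("ca");
    PrivateKey privateKey = (PrivateKey) keyStore.getKey("ca", null);

    // subject name becomes the CRL issuer; issuer name is what the revoked entry is attributed to
    X500Name crlIssuer = X500Name.getInstance(certificate.getSubjectX500Principal().getEncoded());
    X500Name caName = X500Name.getInstance(certificate.getIssuerX500Principal().getEncoded());

    X509v2CRLBuilder builder = new X509v2CRLBuilder(crlIssuer, new Date());

    // arguments are (distributionPoint, indirectCRL, onlyContainsAttributeCerts): the CRL is
    // flagged as indirect, and the extension is critical so it cannot be silently ignored
    builder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    ExtensionsGenerator extGen = new ExtensionsGenerator();

    extGen.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    // ties the entry to the issuing CA rather than to the CRL issuer; marked critical here
    extGen.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(caName)));

    builder.addCRLEntry(certificate.getSerialNumber(), new Date(), extGen.generate());

    JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");

    contentSignerBuilder.setProvider("BC");

    X509CRLHolder cRLHolder = builder.build(contentSignerBuilder.build(privateKey));

    if (!cRLHolder.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(certificate)))
    {
        fail("CRL signature not valid");
    }

    X509CRLEntryHolder cRLEntryHolder = cRLHolder.getRevokedCertificate(certificate.getSerialNumber());

    // a lookup miss should surface as a readable failure, not as a NullPointerException
    if (cRLEntryHolder == null)
    {
        fail("revoked certificate entry not found in CRL");
    }

    // caName already holds the issuer name decoded from the same principal encoding
    if (!cRLEntryHolder.getCertificateIssuer().equals(new GeneralNames(new GeneralName(caName))))
    {
        fail("certificate issuer incorrect");
    }

    JcaX509CRLConverter converter = new JcaX509CRLConverter();

    converter.setProvider("BC");

    X509CRL crl = converter.getCRL(cRLHolder);

    // signature check only: it says nothing about whether the signer may issue CRLs for caName
    crl.verify(certificate.getPublicKey());

    if (!crl.isRevoked(certificate))
    {
        fail("Certificate should be revoked");
    }

    // now encode the CRL and load the CRL with the JCE provider

    CertificateFactory fac = CertificateFactory.getInstance("X.509");

    X509CRL jceCRL = (X509CRL) fac.generateCRL(new ByteArrayInputStream(crl.getEncoded()));

    jceCRL.verify(certificate.getPublicKey());

    if (!jceCRL.isRevoked(certificate))
    {
        fail("This certificate should also be revoked");
    }
}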
 
Example 56
Project: bc-java   File: CertTest.java
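/**
 * Checks how the certificate issuer is resolved for entries of an indirect CRL when only one
 * entry carries an explicit certificateIssuer extension.
 *
 * <p>Entries are added in the order 100, 120, the "ca" certificate's serial (with
 * certificateIssuer = caName), 130. The assertions expect serial 100, which precedes the
 * extension, to resolve to the CRL issuer, and serial 130, which follows it, to inherit
 * caName from the preceding entry. This is the entry-order rule for indirect CRLs in
 * RFC 5280, section 5.3.3: a revoked certificate on such a CRL is identified by issuer and
 * serial number together, so a serial-only match is not sufficient.
 *
 * @throws Exception if key store loading, CRL construction, signing or verification fails
 */
private void testIndirect2()
    throws Exception
{
    KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");

    ByteArrayInputStream input = new ByteArrayInputStream(testCAp12);

    // fixture credentials: store password "test", no separate key password
    keyStore.load(input, "test".toCharArray());

    X509Certificate certificate = (X509Certificate) keyStore.getCertificate("ca");
    PrivateKey privateKey = (PrivateKey) keyStore.getKey("ca", null);

    X500Name crlIssuer = X500Name.getInstance(certificate.getSubjectX500Principal().getEncoded());
    X500Name caName = X500Name.getInstance(certificate.getIssuerX500Principal().getEncoded());

    X509v2CRLBuilder builder = new X509v2CRLBuilder(crlIssuer, new Date());

    // critical issuingDistributionPoint with indirectCRL = true
    // (constructor arguments: distributionPoint, indirectCRL, onlyContainsAttributeCerts)
    builder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    // entries before any certificateIssuer extension: expected to belong to the CRL issuer
    builder.addCRLEntry(BigInteger.valueOf(100), new Date(), CRLReason.cACompromise);
    builder.addCRLEntry(BigInteger.valueOf(120), new Date(), CRLReason.cACompromise);

    ExtensionsGenerator extGen = new ExtensionsGenerator();

    extGen.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    extGen.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(caName)));

    // the only entry with an explicit certificateIssuer
    builder.addCRLEntry(certificate.getSerialNumber(), new Date(), extGen.generate());

    // no extension of its own: expected to inherit caName from the entry above
    builder.addCRLEntry(BigInteger.valueOf(130), new Date(), CRLReason.cACompromise);

    JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");

    contentSignerBuilder.setProvider("BC");

    X509CRLHolder cRLHolder = builder.build(contentSignerBuilder.build(privateKey));

    if (!cRLHolder.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(certificate)))
    {
        fail("CRL signature not valid");
    }

    X509CRLEntryHolder cRLEntryHolder = cRLHolder.getRevokedCertificate(certificate.getSerialNumber());

    // each lookup is null-checked so a missing entry fails with a message rather than an NPE
    if (cRLEntryHolder == null)
    {
        fail("revoked certificate entry not found in CRL");
    }

    if (!cRLEntryHolder.getCertificateIssuer().equals(new GeneralNames(new GeneralName(caName))))
    {
        fail("certificate issuer incorrect");
    }

    cRLEntryHolder = cRLHolder.getRevokedCertificate(BigInteger.valueOf(130));

    if (cRLEntryHolder == null)
    {
        fail("entry for serial 130 not found in CRL");
    }

    // inherited from the preceding entry
    if (!cRLEntryHolder.getCertificateIssuer().equals(new GeneralNames(new GeneralName(caName))))
    {
        fail("certificate issuer incorrect");
    }

    cRLEntryHolder = cRLHolder.getRevokedCertificate(BigInteger.valueOf(100));

    if (cRLEntryHolder == null)
    {
        fail("entry for serial 100 not found in CRL");
    }

    // precedes every certificateIssuer extension, so it defaults to the CRL issuer
    if (!cRLEntryHolder.getCertificateIssuer().equals(new GeneralNames(new GeneralName(cRLHolder.getIssuer()))))
    {
        fail("certificate issuer incorrect");
    }

    JcaX509CRLConverter converter = new JcaX509CRLConverter();

    converter.setProvider("BC");

    X509CRL crl = converter.getCRL(cRLHolder);

    // signature check only; authorisation of the CRL signer is outside this test
    crl.verify(certificate.getPublicKey());
}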
 
Example 57
Project: bc-java   File: CertTest.java
/**
 * Signs an indirect CRL with the "ca" key from the test PKCS#12 store, revokes the "ca"
 * certificate in it under an explicit certificateIssuer entry extension, and checks that the
 * certificate is reported as revoked both by the BC-converted CRL and by a copy re-parsed
 * from its encoding.
 *
 * @throws Exception if key store loading, CRL construction, signing or verification fails
 */
private void testIndirect()
    throws Exception
{
    KeyStore p12 = KeyStore.getInstance("PKCS12", "BC");

    // test-only credentials: store password "test", key read with a null password
    p12.load(new ByteArrayInputStream(testCAp12), "test".toCharArray());

    X509Certificate certificate = (X509Certificate) p12.getCertificate("ca");
    PrivateKey caKey = (PrivateKey) p12.getKey("ca", null);

    // the certificate's subject issues the CRL; its issuer is recorded on the revoked entry
    X500Name crlIssuerName = X500Name.getInstance(PrincipalUtil.getSubjectX509Principal(certificate).getEncoded());
    X500Name certIssuerName = X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(certificate).getEncoded());

    X509v2CRLBuilder crlGen = new X509v2CRLBuilder(crlIssuerName, new Date());

    // (distributionPoint, indirectCRL, onlyContainsAttributeCerts) = (null, true, false),
    // added as a critical CRL extension
    crlGen.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    ExtensionsGenerator perEntry = new ExtensionsGenerator();
    perEntry.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    perEntry.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(certIssuerName)));

    crlGen.addCRLEntry(certificate.getSerialNumber(), new Date(), perEntry.generate());

    JcaContentSignerBuilder sha256Rsa = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    sha256Rsa.setProvider("BC");

    X509CRLHolder built = crlGen.build(sha256Rsa.build(caKey));

    JcaX509CRLConverter jcaConverter = new JcaX509CRLConverter();
    jcaConverter.setProvider("BC");

    X509CRL converted = jcaConverter.getCRL(built);

    // checks the signature against the supplied key and nothing more; the signer's authority
    // to revoke on behalf of certIssuerName is not evaluated
    converted.verify(certificate.getPublicKey());

    if (!converted.isRevoked(certificate))
    {
        fail("Certificate should be revoked");
    }

    // re-read the encoded CRL through a CertificateFactory looked up without a provider name
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    ByteArrayInputStream crlBytes = new ByteArrayInputStream(converted.getEncoded());

    X509CRL reloaded = (X509CRL) factory.generateCRL(crlBytes);

    reloaded.verify(certificate.getPublicKey());

    if (!reloaded.isRevoked(certificate))
    {
        fail("This certificate should also be revoked");
    }
}