/** * Returns the hashcode of this CRL instance. * * @return the hashcode. */ public int hashCode() { try { int res = 0; byte[] array = getEncoded(); for (int i=0; i<array.length; i++) { res += array[i] & 0xFF; } return res; } catch (CRLException e) { return 0; } }
crlist.getIssuerX500Principal().getName( X500Principal.CANONICAL)))) { return false; byte[] bytes = crlist.getExtensionValue("2.5.29.20"); bytes = (byte[]) ASN1OctetString.getInstance().decode(bytes); BigInteger crlNumber = new BigInteger((byte[]) ASN1Integer.getInstance().decode(bytes)); if ((minCRL != null) && (crlNumber.compareTo(minCRL) < 0)) { return false; if ((maxCRL != null) && (crlNumber.compareTo(maxCRL) > 0)) { return false; Date thisUp = crlist.getThisUpdate(); Date nextUp = crlist.getNextUpdate(); if ((thisUp == null) || (nextUp == null)) { return false; if ((dateAndTime < thisUp.getTime()) || (dateAndTime > nextUp.getTime())) { return false;
/** * Returns the CRL entry for the specified certificate. * * @param certificate * the certificate to search a CRL entry for. * @return the entry for the specified certificate, or {@code null} if not * found. */ public X509CRLEntry getRevokedCertificate(X509Certificate certificate) { if (certificate == null) { throw new NullPointerException("certificate == null"); } return getRevokedCertificate(certificate.getSerialNumber()); }
/** * Returns the issuer distinguished name of this CRL. * * @return the issuer distinguished name of this CRL. */ public X500Principal getIssuerX500Principal() { try { // TODO if there is no X.509 certificate provider installed // should we try to access Harmony X509CRLImpl via classForName? CertificateFactory factory = CertificateFactory .getInstance("X.509"); X509CRL crl = (X509CRL) factory .generateCRL(new ByteArrayInputStream(getEncoded())); return crl.getIssuerX500Principal(); } catch (Exception e) { throw new RuntimeException("Failed to get X500Principal issuer", e); } }
} catch (CRLException e) { throw new RuntimeException("CRL parse error: " + e.getMessage(), e); String issuerName = crl.getIssuerDN().getName().replace(",", ", "); crlIdentifier.setIssuer(issuerName); Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT); cal.setTime(crl.getThisUpdate()); crlIdentifier.setIssueTime(cal); crlIdentifier.setNumber(getCrlNumber(crl)); EncapsulatedPKIDataType encapsulatedPKIDataType = certificateValues.addNewEncapsulatedX509Certificate(); try { encapsulatedPKIDataType.setByteArrayValue(certificate.getEncoded()); } catch (CertificateEncodingException e) { throw new RuntimeException("certificate encoding error: " + e.getMessage(), e);
/** * CRL has a validity period. We can reuse a downloaded CRL within that period. * thisUpdate - (the time indicating that the CA knows this status is correct), * nextUpdate - (the time that newer information will be available, * implying that this information is the most accurate to date) */ public boolean isValid() { Date today = new Date(); Date nextUpdate = crl.getNextUpdate(); return nextUpdate != null && nextUpdate.after(today); }
Args.notNull(crl, "crl"); byte[] encodedExtnValue = crl.getExtensionValue(Extension.cRLNumber.getId()); Long crlNumber = null; if (encodedExtnValue != null) { byte[] extnValue = DEROctetString.getInstance(encodedExtnValue).getOctets(); crlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue().longValue(); encodedExtnValue = crl.getExtensionValue(Extension.deltaCRLIndicator.getId()); Long baseCrlNumber = null; if (encodedExtnValue != null) { byte[] extnValue = DEROctetString.getInstance(encodedExtnValue).getOctets(); baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue().longValue(); String b64Crl = Base64.encodeToString(crl.getEncoded()); ps.setInt(idx++, ca.getId()); setLong(ps, idx++, crlNumber); Date date = crl.getThisUpdate(); ps.setLong(idx++, date.getTime() / 1000); setDateSeconds(ps, idx++, crl.getNextUpdate()); setBoolean(ps, idx++, (baseCrlNumber != null)); setLong(ps, idx++, baseCrlNumber);
crl_entry = crl.getRevokedCertificate(getSerialNumber(cert)); if (!getEncodedIssuerPrincipal(cert).equals(certIssuer)) else if (!getEncodedIssuerPrincipal(cert).equals(getIssuerPrincipal(crl))) crl_entry = crl.getRevokedCertificate(getSerialNumber(cert)); if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime()) || reasonCode == null || reasonCode.getValue().intValue() == 0 || reasonCode.getValue().intValue() == 1 || reasonCode.getValue().intValue() == 2 || reasonCode.getValue().intValue() == 8)
.getIssuerPrincipal(completeCRL).getEncoded()); try idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT); .add(BigInteger.valueOf(1)));
/** * Verifies a certificate against a single CRL. * @param crl the Certificate Revocation List * @param signCert a certificate that needs to be verified * @param issuerCert its issuer * @param signDate the sign date * @return true if the verification succeeded * @throws GeneralSecurityException */ public boolean verify(X509CRL crl, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException { if (crl == null || signDate == null) return false; // We only check CRLs valid on the signing date for which the issuer matches if (crl.getIssuerX500Principal().equals(signCert.getIssuerX500Principal()) && signDate.after(crl.getThisUpdate()) && signDate.before(crl.getNextUpdate())) { // the signing certificate may not be revoked if (isSignatureValid(crl, issuerCert) && crl.isRevoked(signCert)) { throw new VerificationException(signCert, "The certificate has been revoked."); } return true; } return false; }
private boolean validateCRL(X509CRL x509crl, X509Certificate certificate, X509Certificate issuerCertificate, Date validationDate) { Principal subjectX500Principal = certificate.getSubjectX500Principal(); if (!x509crl.getIssuerX500Principal().equals(issuerCertificate.getSubjectX500Principal())) { log.error("The CRL must be signed by the issuer '" + subjectX500Principal + "' but instead is signed by '" + x509crl.getIssuerX500Principal() + "'"); return false; x509crl.verify(issuerCertificate.getPublicKey()); } catch (Exception ex) { log.error("The signature verification for CRL cannot be performed", ex); log.debug("CRL nextUpdate: " + x509crl.getThisUpdate()); log.debug("CRL thisUpdate: " + x509crl.getNextUpdate()); if (x509crl.getNextUpdate() != null && validationDate.after(x509crl.getNextUpdate())) { log.error("CRL is too old"); return false;
final Date thisUpdate = x509CRL.getThisUpdate(); if (!certificateToken.hasExpiredCertOnCRLExtension()) { if (thisUpdate.before(certificateToken.getNotBefore()) || thisUpdate.after(certificateToken.getNotAfter())) { if (bestX509UpdateDate == null || thisUpdate.after(bestX509UpdateDate)) {
if (!this.dnComparer.areEqual(crl.getIssuerX500Principal(), crlRef.issuerDN) || !crl.getThisUpdate().equals(crlRef.issueTime.getTime())) continue; if (crlNum != null && !crlRef.serialNumber.equals(crlNum)) continue; if (Arrays.equals(md.digest(crl.getEncoded()), crlRef.digestValue)) throw new CompleteRevocRefsReferenceException(crl, ex.getMessage());
if (certificate.getSubjectX500Principal().equals(crl.getIssuerX500Principal())) crl.verify(issuerCertificate.getPublicKey(), SecurityProvider.getProvider().getName()); CRLVerifier.checkRevocation(crl, certInfo.getCertificate(), signDate.getTime(), certInfo.getCrlUrl()); COSStream crlStream = writeDataToStream(crl.getEncoded()); crls.add(crlStream); if (correspondingCRLs != null) try signatureHash = MessageDigest.getInstance("SHA-1").digest(crl.getSignature()); foundRevocationInformation.add(certInfo.getCertificate().getSerialNumber());
for (X509Certificate possibleCert : mergedCertSet) if (crl.getIssuerX500Principal().equals(possibleCert.getSubjectX500Principal())) "Certificate for " + crl.getIssuerX500Principal() + "not found in certificate chain, so the CRL at " + crlDistributionPointsURL + " could not be verified"); crl.verify(crlIssuerCert.getPublicKey(), SecurityProvider.getProvider().getName()); if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal()))
private boolean isCrlInValidationDate(X509CRL crl, Date validationDate) { Date thisUpdate = crl.getThisUpdate(); LOG.debug("validation date: " + validationDate); LOG.debug("CRL this update: " + thisUpdate); if (thisUpdate.after(validationDate)) { LOG.warn("CRL too young"); return false; } LOG.debug("CRL next update: " + crl.getNextUpdate()); if (validationDate.after(crl.getNextUpdate())) { LOG.debug("CRL too old"); return false; } return true; } }
/** * Determines whether the given CRL is expired by comparing the nextUpdate field * with a given date. * * @param crl CRL to examine. * @param reference Reference date for comparison. * * @return True if reference date is after CRL next update, false otherwise. */ public static boolean isExpired(final X509CRL crl, final Date reference) { return reference.after(crl.getNextUpdate()); }
Date nextUpdate = now.plusYears(5).toDate(); X509v2CRLBuilder builder = new JcaX509v2CRLBuilder(crl.getIssuerX500Principal(), thisUpdate); builder.setNextUpdate(nextUpdate); crlNumber = (crlNumber == null) ? BigInteger.ZERO : crlNumber; builder.addExtension(Extension.cRLNumber, false, new CRLNumber(crlNumber.add(BigInteger.ONE))); builder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(issuerPublicKey));
throws RevokedCertificateException X509CRLEntry revokedCRLEntry = crl.getRevokedCertificate(cert); if (revokedCRLEntry != null && revokedCRLEntry.getRevocationDate().compareTo(signDate) <= 0)
public static void verifyCertificateCRLs(X509Certificate cert) throws CertificateException { try { List<String> crlDistPoints = getCrlDistributionPoints(cert); for (String crlDP : crlDistPoints) { X509CRL crl = downloadCRL(crlDP); if (crl.isRevoked(cert)) { throw new CertificateException("The certificate is revoked by CRL: " + crlDP); } } } catch (Exception ex) { if (ex instanceof CertificateException) { throw (CertificateException) ex; } else { throw new CertificateException("Can not verify CRL for certificate: " + cert.getSubjectX500Principal()); } } }