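/**
 * Generates the initial, empty CRL for the given CA.
 *
 * <p>{@code thisUpdate} is back-dated by {@code Time.CLOCK_SKEW} (presumably to tolerate
 * relying-party clock drift) and {@code nextUpdate} is twelve hours after that same instant.
 * The CRLNumber extension is set to {@link BigInteger#ONE}, i.e. this is the first CRL in the
 * series; every CRL issued afterwards must carry a strictly larger number
 * (RFC 5280, section 5.2.3).
 *
 * @param caCertificate the CA certificate; its subject becomes the CRL issuer and it is used
 *     to build the AuthorityKeyIdentifier extension
 * @param caPrivateKey  the CA key used to sign the CRL with SHA256withRSA
 * @return the signed CRL produced by the Bouncy Castle provider
 * @throws CryptoFailure if any underlying JCA / Bouncy Castle call fails
 */
@Override
public X509CRL generateX509CRL( X509Certificate caCertificate, PrivateKey caPrivateKey )
{
    try
    {
        X509V2CRLGenerator crlGen = new X509V2CRLGenerator();
        crlGen.setIssuerDN( caCertificate.getSubjectX500Principal() );

        // Capture the skew-adjusted instant once so that thisUpdate and nextUpdate are derived
        // from the same timestamp; previously new DateTime() was evaluated twice, so the two
        // fields could differ by a few milliseconds and the window was not exactly 12 hours.
        DateTime skewedNow = new DateTime().minus( Time.CLOCK_SKEW );
        crlGen.setThisUpdate( skewedNow.toDate() );
        crlGen.setNextUpdate( skewedNow.plusHours( 12 ).toDate() );

        crlGen.setSignatureAlgorithm( SignatureAlgorithm.SHA256withRSA.jcaString() );
        crlGen.addExtension( X509Extensions.AuthorityKeyIdentifier, false,
                             new AuthorityKeyIdentifierStructure( caCertificate ) );
        // First CRL in the series: number 1.
        crlGen.addExtension( X509Extensions.CRLNumber, false, new CRLNumber( BigInteger.ONE ) );

        return crlGen.generate( caPrivateKey, BouncyCastleProvider.PROVIDER_NAME );
    }
    catch ( GeneralSecurityException ex )
    {
        throw new CryptoFailure( "Unable to generate CRL", ex );
    }
}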
/**
 * Issues a new CRL that carries every entry of {@code previousCRL} plus one fresh entry
 * revoking {@code revokedCertificate} for {@code reason}.
 *
 * <p>Validity window: {@code thisUpdate} is now minus {@code Time.CLOCK_SKEW} and
 * {@code nextUpdate} is twelve hours later; the new revocation entry is dated with the same
 * skew-adjusted instant. The result is signed with SHA256withRSA via the Bouncy Castle provider.
 *
 * <p>NOTE(review): the CRLNumber extension is written with {@code lastCRLNumber} exactly as
 * supplied. RFC 5280, section 5.2.3 requires each CRL's number to be strictly greater than its
 * predecessor's, so the caller must already pass an incremented value; confirm at the call site
 * that this is not simply the number of {@code previousCRL}.
 *
 * @param caCertificate      CA certificate supplying the issuer DN and the authority key identifier
 * @param caPrivateKey       CA key used to sign the CRL
 * @param revokedCertificate certificate whose serial number is added as a revoked entry
 * @param reason             revocation reason, converted via {@code reason.reason()}
 * @param previousCRL        CRL whose existing entries are carried forward
 * @param lastCRLNumber      value written to the CRLNumber extension (see note above)
 * @return the signed, updated CRL
 * @throws CryptoFailure if CRL construction or signing fails
 */
@Override
public X509CRL updateX509CRL( X509Certificate caCertificate, PrivateKey caPrivateKey,
                              X509Certificate revokedCertificate, RevocationReason reason,
                              X509CRL previousCRL, BigInteger lastCRLNumber )
{
    try
    {
        X509V2CRLGenerator generator = new X509V2CRLGenerator();

        DateTime issuedAt = new DateTime().minus( Time.CLOCK_SKEW );
        DateTime validUntil = issuedAt.plusHours( 12 );

        generator.setSignatureAlgorithm( SignatureAlgorithm.SHA256withRSA.jcaString() );
        generator.setIssuerDN( caCertificate.getSubjectX500Principal() );
        generator.setThisUpdate( issuedAt.toDate() );
        generator.setNextUpdate( validUntil.toDate() );

        generator.addExtension( X509Extensions.AuthorityKeyIdentifier, false,
                                new AuthorityKeyIdentifierStructure( caCertificate ) );
        generator.addExtension( X509Extensions.CRLNumber, false, new CRLNumber( lastCRLNumber ) );

        // Carry forward all prior entries first, then append the new revocation.
        generator.addCRL( previousCRL );
        generator.addCRLEntry( revokedCertificate.getSerialNumber(), issuedAt.toDate(), reason.reason() );

        return generator.generate( caPrivateKey, BouncyCastleProvider.PROVIDER_NAME );
    }
    catch ( GeneralSecurityException ex )
    {
        throw new CryptoFailure( "Unable to update CRL", ex );
    }
}