/**
 * Generates an X.509 CRL (not a certificate) from the state currently held by this
 * generator, signing it through the named JCA provider.
 * <p>
 * This overload supplies no randomness source of its own: it forwards {@code null} as
 * the {@code SecureRandom} argument of the three-argument overload. How a null random
 * is treated is decided there and is not visible from this method.
 * </p>
 *
 * @param key      private key used to sign the CRL
 * @param provider name of the JCA provider that performs the signing
 * @return the signed CRL
 * @throws CRLException             propagated from the three-argument overload
 * @throws IllegalStateException    propagated from the three-argument overload
 * @throws NoSuchProviderException  propagated from the three-argument overload
 * @throws NoSuchAlgorithmException propagated from the three-argument overload
 * @throws SignatureException       propagated from the three-argument overload
 * @throws InvalidKeyException      propagated from the three-argument overload
 */
public X509CRL generate(
    PrivateKey key,
    String provider)
    throws CRLException, IllegalStateException, NoSuchProviderException,
        NoSuchAlgorithmException, SignatureException, InvalidKeyException
{
    // A typed null keeps the "no explicit random" intent readable at the call site.
    final SecureRandom noExplicitRandom = null;

    return generate(key, provider, noExplicitRandom);
}
/**
 * Generates an X.509 CRL from the state currently held by this generator, signing it
 * with the default provider.
 * <p>
 * <b>Note:</b> unlike the deprecated method, this one uses the default provider rather
 * than "BC". Callers that depend on a specific provider's implementation should use the
 * overload that takes a provider name.
 * </p>
 * <p>
 * No randomness source is supplied here: a null {@code SecureRandom} is forwarded to the
 * {@code (PrivateKey, SecureRandom)} overload, which decides how to treat it.
 * </p>
 *
 * @param key private key used to sign the CRL
 * @return the signed CRL
 * @throws CRLException             propagated from the delegate overload
 * @throws IllegalStateException    propagated from the delegate overload
 * @throws NoSuchAlgorithmException propagated from the delegate overload
 * @throws SignatureException       propagated from the delegate overload
 * @throws InvalidKeyException      propagated from the delegate overload
 */
public X509CRL generate(
    PrivateKey key)
    throws CRLException, IllegalStateException, NoSuchAlgorithmException,
        SignatureException, InvalidKeyException
{
    // The declared type (not a bare null) selects the SecureRandom overload over the
    // (PrivateKey, String) one.
    final SecureRandom noExplicitRandom = null;

    return generate(key, noExplicitRandom);
}
return generate(key, provider, random);
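/**
 * Issues the initial CRL for a CA: a list with no revoked entries, carrying CRL number 1,
 * signed with SHA256withRSA through the Bouncy Castle provider.
 * <p>
 * thisUpdate is back-dated by {@code Time.CLOCK_SKEW} (presumably so that relying parties
 * whose clocks run slightly behind still accept the CRL) and nextUpdate is exactly
 * 12 hours after thisUpdate.
 * </p>
 *
 * @param caCertificate certificate of the issuing CA; supplies the issuer DN and the
 *                      AuthorityKeyIdentifier extension
 * @param caPrivateKey  private key used to sign the CRL
 * @return the signed CRL
 * @throws CryptoFailure if CRL generation or signing fails; the underlying
 *                       {@code GeneralSecurityException} is kept as the cause
 */
@Override
public X509CRL generateX509CRL( X509Certificate caCertificate, PrivateKey caPrivateKey )
{
    // NOTE(review): nothing here checks that caPrivateKey belongs to caCertificate. A
    // mismatched pair yields a CRL whose signature will not verify under the key named by
    // the AuthorityKeyIdentifier - confirm the caller guarantees the pairing.
    try
    {
        X509V2CRLGenerator crlGen = new X509V2CRLGenerator();
        crlGen.setIssuerDN( caCertificate.getSubjectX500Principal() );

        // Read the clock once so both timestamps derive from the same instant and the
        // validity window is exactly 12 hours, matching updateX509CRL.
        DateTime skewedNow = new DateTime().minus( Time.CLOCK_SKEW );
        crlGen.setThisUpdate( skewedNow.toDate() );
        crlGen.setNextUpdate( skewedNow.plusHours( 12 ).toDate() );

        crlGen.setSignatureAlgorithm( SignatureAlgorithm.SHA256withRSA.jcaString() );

        // Both extensions are added as non-critical (second argument false).
        crlGen.addExtension( X509Extensions.AuthorityKeyIdentifier,
                             false,
                             new AuthorityKeyIdentifierStructure( caCertificate ) );
        crlGen.addExtension( X509Extensions.CRLNumber,
                             false,
                             new CRLNumber( BigInteger.ONE ) );

        return crlGen.generate( caPrivateKey, BouncyCastleProvider.PROVIDER_NAME );
    }
    catch ( GeneralSecurityException ex )
    {
        throw new CryptoFailure( "Unable to generate CRL", ex );
    }
}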
/**
 * Issues a new CRL that carries over every entry of {@code previousCRL} and adds one more
 * entry for {@code revokedCertificate}, signed with SHA256withRSA through the Bouncy Castle
 * provider.
 * <p>
 * thisUpdate and the new entry's revocation date are both "now" minus
 * {@code Time.CLOCK_SKEW}; nextUpdate is 12 hours after thisUpdate.
 * </p>
 *
 * @param caCertificate      certificate of the issuing CA; supplies the issuer DN and the
 *                           AuthorityKeyIdentifier extension
 * @param caPrivateKey       private key used to sign the CRL
 * @param revokedCertificate certificate being revoked; only its serial number is used
 * @param reason             revocation reason recorded on the new entry
 * @param previousCRL        CRL whose entries are copied into the new one
 * @param lastCRLNumber      value written into the CRLNumber extension as given
 * @return the signed CRL
 * @throws CryptoFailure if CRL generation or signing fails; the underlying
 *                       {@code GeneralSecurityException} is kept as the cause
 */
@Override
public X509CRL updateX509CRL( X509Certificate caCertificate, PrivateKey caPrivateKey,
                              X509Certificate revokedCertificate, RevocationReason reason,
                              X509CRL previousCRL, BigInteger lastCRLNumber )
{
    try
    {
        X509V2CRLGenerator generator = new X509V2CRLGenerator();
        generator.setIssuerDN( caCertificate.getSubjectX500Principal() );

        // One clock read feeds thisUpdate, nextUpdate and the revocation date.
        DateTime issuedAt = new DateTime().minus( Time.CLOCK_SKEW );
        DateTime nextIssue = issuedAt.plusHours( 12 );
        generator.setThisUpdate( issuedAt.toDate() );
        generator.setNextUpdate( nextIssue.toDate() );

        generator.setSignatureAlgorithm( SignatureAlgorithm.SHA256withRSA.jcaString() );

        // Both extensions are added as non-critical (second argument false).
        generator.addExtension( X509Extensions.AuthorityKeyIdentifier,
                                false,
                                new AuthorityKeyIdentifierStructure( caCertificate ) );

        // NOTE(review): lastCRLNumber is used unchanged. CRL numbers must increase with
        // every issued CRL (RFC 5280, section 5.2.3), so the caller presumably passes an
        // already-advanced value - confirm against the caller.
        generator.addExtension( X509Extensions.CRLNumber,
                                false,
                                new CRLNumber( lastCRLNumber ) );

        // NOTE(review): previousCRL is merged without any signature or issuer check in
        // this method. If it can come from storage an attacker could alter, entries could
        // be dropped or injected and then re-signed here - confirm the caller verifies it
        // against the CA key first.
        generator.addCRL( previousCRL );
        generator.addCRLEntry( revokedCertificate.getSerialNumber(),
                               issuedAt.toDate(),
                               reason.reason() );

        return generator.generate( caPrivateKey, BouncyCastleProvider.PROVIDER_NAME );
    }
    catch ( GeneralSecurityException failure )
    {
        throw new CryptoFailure( "Unable to update CRL", failure );
    }
}