diff options
Diffstat (limited to 'prov/src/main/java/org/spongycastle/x509/X509V2CRLGenerator.java')
| -rw-r--r-- | prov/src/main/java/org/spongycastle/x509/X509V2CRLGenerator.java | 450 |
1 files changed, 450 insertions, 0 deletions
diff --git a/prov/src/main/java/org/spongycastle/x509/X509V2CRLGenerator.java b/prov/src/main/java/org/spongycastle/x509/X509V2CRLGenerator.java new file mode 100644 index 00000000..457883e6 --- /dev/null +++ b/prov/src/main/java/org/spongycastle/x509/X509V2CRLGenerator.java @@ -0,0 +1,450 @@ +package org.spongycastle.x509; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.SecureRandom; +import java.security.SignatureException; +import java.security.cert.CRLException; +import java.security.cert.X509CRL; +import java.security.cert.X509CRLEntry; +import java.util.Date; +import java.util.Iterator; +import java.util.Set; + +import javax.security.auth.x500.X500Principal; + +import org.spongycastle.asn1.ASN1Encodable; +import org.spongycastle.asn1.ASN1EncodableVector; +import org.spongycastle.asn1.ASN1GeneralizedTime; +import org.spongycastle.asn1.ASN1InputStream; +import org.spongycastle.asn1.ASN1Integer; +import org.spongycastle.asn1.ASN1ObjectIdentifier; +import org.spongycastle.asn1.ASN1Sequence; +import org.spongycastle.asn1.DERBitString; +import org.spongycastle.asn1.DERSequence; +import org.spongycastle.asn1.x509.AlgorithmIdentifier; +import org.spongycastle.asn1.x509.CertificateList; +import org.spongycastle.asn1.x509.Extensions; +import org.spongycastle.asn1.x509.TBSCertList; +import org.spongycastle.asn1.x509.Time; +import org.spongycastle.asn1.x509.V2TBSCertListGenerator; +import org.spongycastle.asn1.x509.X509Extensions; +import org.spongycastle.asn1.x509.X509ExtensionsGenerator; +import org.spongycastle.asn1.x509.X509Name; +import org.spongycastle.jce.X509Principal; +import org.spongycastle.jce.provider.X509CRLObject; + +/** + * class to produce an X.509 Version 2 CRL. + * @deprecated use org.spongycastle.cert.X509v2CRLBuilder. + */ +public class X509V2CRLGenerator +{ + private V2TBSCertListGenerator tbsGen; + private ASN1ObjectIdentifier sigOID; + private AlgorithmIdentifier sigAlgId; + private String signatureAlgorithm; + private X509ExtensionsGenerator extGenerator; + + public X509V2CRLGenerator() + { + tbsGen = new V2TBSCertListGenerator(); + extGenerator = new X509ExtensionsGenerator(); + } + + /** + * reset the generator + */ + public void reset() + { + tbsGen = new V2TBSCertListGenerator(); + extGenerator.reset(); + } + + /** + * Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the + * certificate. + */ + public void setIssuerDN( + X500Principal issuer) + { + try + { + tbsGen.setIssuer(new X509Principal(issuer.getEncoded())); + } + catch (IOException e) + { + throw new IllegalArgumentException("can't process principal: " + e); + } + } + + /** + * Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the + * certificate. + */ + public void setIssuerDN( + X509Name issuer) + { + tbsGen.setIssuer(issuer); + } + + public void setThisUpdate( + Date date) + { + tbsGen.setThisUpdate(new Time(date)); + } + + public void setNextUpdate( + Date date) + { + tbsGen.setNextUpdate(new Time(date)); + } + + /** + * Reason being as indicated by CRLReason, i.e. CRLReason.keyCompromise + * or 0 if CRLReason is not to be used + **/ + public void addCRLEntry(BigInteger userCertificate, Date revocationDate, int reason) + { + tbsGen.addCRLEntry(new ASN1Integer(userCertificate), new Time(revocationDate), reason); + } + + /** + * Add a CRL entry with an Invalidity Date extension as well as a CRLReason extension. + * Reason being as indicated by CRLReason, i.e. CRLReason.keyCompromise + * or 0 if CRLReason is not to be used + **/ + public void addCRLEntry(BigInteger userCertificate, Date revocationDate, int reason, Date invalidityDate) + { + tbsGen.addCRLEntry(new ASN1Integer(userCertificate), new Time(revocationDate), reason, new ASN1GeneralizedTime(invalidityDate)); + } + + /** + * Add a CRL entry with extensions. + **/ + public void addCRLEntry(BigInteger userCertificate, Date revocationDate, X509Extensions extensions) + { + tbsGen.addCRLEntry(new ASN1Integer(userCertificate), new Time(revocationDate), Extensions.getInstance(extensions)); + } + + /** + * Add the CRLEntry objects contained in a previous CRL. + * + * @param other the X509CRL to source the other entries from. + */ + public void addCRL(X509CRL other) + throws CRLException + { + Set revocations = other.getRevokedCertificates(); + + if (revocations != null) + { + Iterator it = revocations.iterator(); + while (it.hasNext()) + { + X509CRLEntry entry = (X509CRLEntry)it.next(); + + ASN1InputStream aIn = new ASN1InputStream(entry.getEncoded()); + + try + { + tbsGen.addCRLEntry(ASN1Sequence.getInstance(aIn.readObject())); + } + catch (IOException e) + { + throw new CRLException("exception processing encoding of CRL: " + e.toString()); + } + } + } + } + + /** + * Set the signature algorithm. This can be either a name or an OID, names + * are treated as case insensitive. + * + * @param signatureAlgorithm string representation of the algorithm name. + */ + public void setSignatureAlgorithm( + String signatureAlgorithm) + { + this.signatureAlgorithm = signatureAlgorithm; + + try + { + sigOID = X509Util.getAlgorithmOID(signatureAlgorithm); + } + catch (Exception e) + { + throw new IllegalArgumentException("Unknown signature type requested"); + } + + sigAlgId = X509Util.getSigAlgID(sigOID, signatureAlgorithm); + + tbsGen.setSignature(sigAlgId); + } + + /** + * add a given extension field for the standard extensions tag (tag 0) + */ + public void addExtension( + String oid, + boolean critical, + ASN1Encodable value) + { + this.addExtension(new ASN1ObjectIdentifier(oid), critical, value); + } + + /** + * add a given extension field for the standard extensions tag (tag 0) + */ + public void addExtension( + ASN1ObjectIdentifier oid, + boolean critical, + ASN1Encodable value) + { + extGenerator.addExtension(new ASN1ObjectIdentifier(oid.getId()), critical, value); + } + + /** + * add a given extension field for the standard extensions tag (tag 0) + */ + public void addExtension( + String oid, + boolean critical, + byte[] value) + { + this.addExtension(new ASN1ObjectIdentifier(oid), critical, value); + } + + /** + * add a given extension field for the standard extensions tag (tag 0) + */ + public void addExtension( + ASN1ObjectIdentifier oid, + boolean critical, + byte[] value) + { + extGenerator.addExtension(new ASN1ObjectIdentifier(oid.getId()), critical, value); + } + + /** + * generate an X509 CRL, based on the current issuer and subject + * using the default provider "SC". + * @deprecated use generate(key, "SC") + */ + public X509CRL generateX509CRL( + PrivateKey key) + throws SecurityException, SignatureException, InvalidKeyException + { + try + { + return generateX509CRL(key, "SC", null); + } + catch (NoSuchProviderException e) + { + throw new SecurityException("BC provider not installed!"); + } + } + + /** + * generate an X509 CRL, based on the current issuer and subject + * using the default provider "SC" and an user defined SecureRandom object as + * source of randomness. + * @deprecated use generate(key, random, "SC") + */ + public X509CRL generateX509CRL( + PrivateKey key, + SecureRandom random) + throws SecurityException, SignatureException, InvalidKeyException + { + try + { + return generateX509CRL(key, "SC", random); + } + catch (NoSuchProviderException e) + { + throw new SecurityException("BC provider not installed!"); + } + } + + /** + * generate an X509 certificate, based on the current issuer and subject + * using the passed in provider for the signing. + * @deprecated use generate() + */ + public X509CRL generateX509CRL( + PrivateKey key, + String provider) + throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException + { + return generateX509CRL(key, provider, null); + } + + /** + * generate an X509 CRL, based on the current issuer and subject, + * using the passed in provider for the signing. + * @deprecated use generate() + */ + public X509CRL generateX509CRL( + PrivateKey key, + String provider, + SecureRandom random) + throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException + { + try + { + return generate(key, provider, random); + } + catch (NoSuchProviderException e) + { + throw e; + } + catch (SignatureException e) + { + throw e; + } + catch (InvalidKeyException e) + { + throw e; + } + catch (GeneralSecurityException e) + { + throw new SecurityException("exception: " + e); + } + } + + /** + * generate an X509 CRL, based on the current issuer and subject + * using the default provider. + * <p> + * <b>Note:</b> this differs from the deprecated method in that the default provider is + * used - not "SC". + * </p> + */ + public X509CRL generate( + PrivateKey key) + throws CRLException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException + { + return generate(key, (SecureRandom)null); + } + + /** + * generate an X509 CRL, based on the current issuer and subject + * using the default provider and an user defined SecureRandom object as + * source of randomness. + * <p> + * <b>Note:</b> this differs from the deprecated method in that the default provider is + * used - not "SC". + * </p> + */ + public X509CRL generate( + PrivateKey key, + SecureRandom random) + throws CRLException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException + { + TBSCertList tbsCrl = generateCertList(); + byte[] signature; + + try + { + signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, key, random, tbsCrl); + } + catch (IOException e) + { + throw new ExtCRLException("cannot generate CRL encoding", e); + } + + return generateJcaObject(tbsCrl, signature); + } + + /** + * generate an X509 certificate, based on the current issuer and subject + * using the passed in provider for the signing. + */ + public X509CRL generate( + PrivateKey key, + String provider) + throws CRLException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException + { + return generate(key, provider, null); + } + + /** + * generate an X509 CRL, based on the current issuer and subject, + * using the passed in provider for the signing. + */ + public X509CRL generate( + PrivateKey key, + String provider, + SecureRandom random) + throws CRLException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException + { + TBSCertList tbsCrl = generateCertList(); + byte[] signature; + + try + { + signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, provider, key, random, tbsCrl); + } + catch (IOException e) + { + throw new ExtCRLException("cannot generate CRL encoding", e); + } + + return generateJcaObject(tbsCrl, signature); + } + + private TBSCertList generateCertList() + { + if (!extGenerator.isEmpty()) + { + tbsGen.setExtensions(extGenerator.generate()); + } + + return tbsGen.generateTBSCertList(); + } + + private X509CRL generateJcaObject(TBSCertList tbsCrl, byte[] signature) + throws CRLException + { + ASN1EncodableVector v = new ASN1EncodableVector(); + + v.add(tbsCrl); + v.add(sigAlgId); + v.add(new DERBitString(signature)); + + return new X509CRLObject(new CertificateList(new DERSequence(v))); + } + + /** + * Return an iterator of the signature names supported by the generator. + * + * @return an iterator containing recognised names. + */ + public Iterator getSignatureAlgNames() + { + return X509Util.getAlgNames(); + } + + private static class ExtCRLException + extends CRLException + { + Throwable cause; + + ExtCRLException(String message, Throwable cause) + { + super(message); + this.cause = cause; + } + + public Throwable getCause() + { + return cause; + } + } +} |