diff options
Diffstat (limited to 'src/main/model/pki/crl')
| -rw-r--r-- | src/main/model/pki/crl/CertificateList.java | 76 | ||||
| -rw-r--r-- | src/main/model/pki/crl/CertificateListContent.java | 106 | ||||
| -rw-r--r-- | src/main/model/pki/crl/Reason.java | 27 | ||||
| -rw-r--r-- | src/main/model/pki/crl/RevokedCertificate.java | 72 |
4 files changed, 281 insertions, 0 deletions
diff --git a/src/main/model/pki/crl/CertificateList.java b/src/main/model/pki/crl/CertificateList.java new file mode 100644 index 0000000..5142101 --- /dev/null +++ b/src/main/model/pki/crl/CertificateList.java @@ -0,0 +1,76 @@ +package model.pki.crl; + +import model.asn1.ASN1Object; +import model.asn1.BitString; +import model.asn1.Tag; +import model.asn1.exceptions.ParseException; +import model.asn1.parsing.BytesReader; +import model.pki.AlgorithmIdentifier; +import model.pki.cert.TbsCertificate; + +import java.util.Arrays; +import java.util.Collection; +import java.util.stream.Stream; + +/** + * Represents a signed X.509 CRL. + * <pre> + * CertificateList ::= SIGNED{CertificateListContent} + * </pre> + */ +public class CertificateList extends ASN1Object { + /** + * All info of that CRL, excluding the signature. + * It will be signed, and the signature is in <pre>signature</pre>. + */ + private final CertificateListContent crl; + + /** + * The algorithm used for <pre>signature</pre>. + */ + private final AlgorithmIdentifier signatureAlgorithm; + + /** + * The signature. + */ + private final BitString signature; + + /** + * EFFECTS: Initialize the object with the given tag and parentTag, and list, signatureAlgorithm, and signature. + * REQUIRES: The algorithm must match the signature. The fields must have correct tags as described in the class + * specification (SEQUENCE, SEQUENCE, BIT STRING). + */ + public CertificateList(Tag tag, Tag parentTag, + final CertificateListContent crl, + final AlgorithmIdentifier signatureAlgorithm, + final BitString signature) { + super(tag, parentTag); + this.crl = crl; + this.signatureAlgorithm = signatureAlgorithm; + this.signature = signature; + } + + /** + * EFFECT: Encode that sequence into an ordered array of bytes, following the class specification. + */ + @Override + public Byte[] encodeValueDER() { + return Stream.of(Arrays.asList(crl.encodeDER()), + Arrays.asList(signatureAlgorithm.encodeDER()), + Arrays.asList(signature.encodeDER())) + .flatMap(Collection::stream) + .toArray(Byte[]::new); + } + + public CertificateListContent getCrl() { + return crl; + } + + public AlgorithmIdentifier getSignatureAlgorithm() { + return signatureAlgorithm; + } + + public BitString getSignature() { + return signature; + } +} diff --git a/src/main/model/pki/crl/CertificateListContent.java b/src/main/model/pki/crl/CertificateListContent.java new file mode 100644 index 0000000..6f75d71 --- /dev/null +++ b/src/main/model/pki/crl/CertificateListContent.java @@ -0,0 +1,106 @@ +package model.pki.crl; + +import model.asn1.*; +import model.pki.AlgorithmIdentifier; +import model.x501.Name; + +import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; +import java.util.List; +import java.util.stream.Collectors; +import java.util.stream.Stream; + +/** + * Represents a CRL content: + * + * <pre> + * CertificateListContent ::= SEQUENCE { + * version Version OPTIONAL, + * -- if present, version shall be v2 + * signature AlgorithmIdentifier{{SupportedAlgorithms}}, + * issuer Name, + * thisUpdate Time, + * nextUpdate Time OPTIONAL, + * revokedCertificates SEQUENCE OF SEQUENCE { + * serialNumber CertificateSerialNumber, + * revocationDate Time, + * crlEntryExtensions Extensions OPTIONAL, + * ...} OPTIONAL, + * ..., + * ..., + * crlExtensions [0] Extensions OPTIONAL } + * </pre> + * + * A CRL is a signed object published by the CA that revokes any certificates signed by this CA before their + * expiration. Relying-parties should check the CRL from corresponding CDPs to see if the certificate to check is + * already revoked. + * Because the CA will only generate CRLs, this object won't be parsed. + */ +public class CertificateListContent extends ASN1Object { + private final Int version = new Int(Int.TAG, null, 1); + private final Name issuer; + private final AlgorithmIdentifier signature; + private final ASN1Time thisUpdate; + private final ASN1Time nextUpdate; + private final RevokedCertificate[] revokedCertificates; + + /** + * EFFECTS: Init with tags and the given parameters. Version is always set to 1. + * REQUIRES: except for nextUpdate, all other fields are non-null; items in revokedCerts should be SEQUENCE. + */ + public CertificateListContent(Tag tag, Tag parentTag, + Name issuer, + AlgorithmIdentifier signature, + ASN1Time thisUpdate, + ASN1Time nextUpdate, + RevokedCertificate[] revokedCertificates) { + super(tag, parentTag); + this.issuer = issuer; + this.signature = signature; + this.thisUpdate = thisUpdate; + this.nextUpdate = nextUpdate; + this.revokedCertificates = revokedCertificates; + } + + @Override + public Byte[] encodeValueDER() { + final List<Byte> itemsEncoded = Arrays.stream(revokedCertificates) + .map(Encodable::encodeDER) + .flatMap(Arrays::stream) + .collect(Collectors.toList()); + return Stream.of(Arrays.asList(version.encodeDER()), + Arrays.asList(issuer.encodeDER()), + Arrays.asList(signature.encodeDER()), + Arrays.asList(thisUpdate.encodeDER()), + nextUpdate == null ? Collections.<Byte>emptyList() : Arrays.asList(nextUpdate.encodeDER()), + Arrays.asList(new Tag(TagClass.UNIVERSAL, true, 0x30).encodeDER()), + Arrays.asList(new ASN1Length(itemsEncoded.size()).encodeDER()), itemsEncoded) + .flatMap(Collection::stream) + .toArray(Byte[]::new); + } + + public Int getVersion() { + return version; + } + + public Name getIssuer() { + return issuer; + } + + public AlgorithmIdentifier getSignature() { + return signature; + } + + public ASN1Time getThisUpdate() { + return thisUpdate; + } + + public ASN1Time getNextUpdate() { + return nextUpdate; + } + + public RevokedCertificate[] getRevokedCertificates() { + return revokedCertificates; + } +} diff --git a/src/main/model/pki/crl/Reason.java b/src/main/model/pki/crl/Reason.java new file mode 100644 index 0000000..e47609e --- /dev/null +++ b/src/main/model/pki/crl/Reason.java @@ -0,0 +1,27 @@ +package model.pki.crl; + +/** + * Identify the reason for revocation. + */ +public enum Reason { + UNSPECIFIED(0), + KEY_COMPROMISE(1), + CA_COMPROMISE(2), + AFFILIATION_CHANGED(3), + SUPERSEDED(4), + CESSATION_OF_OPERATION(5); + + private final int val; + + /** + * EFFECTS: Init with the specific val. + * REQUIRES: 0 <= val <= 0xFF + */ + Reason(int val) { + this.val = val; + } + + public int getVal() { + return val; + } +} diff --git a/src/main/model/pki/crl/RevokedCertificate.java b/src/main/model/pki/crl/RevokedCertificate.java new file mode 100644 index 0000000..457ecb8 --- /dev/null +++ b/src/main/model/pki/crl/RevokedCertificate.java @@ -0,0 +1,72 @@ +package model.pki.crl; + +import model.asn1.*; + +import java.util.Arrays; +import java.util.Collection; +import java.util.stream.Stream; + +/** + * Indicates the revocation status of a certificate, given its serial number, revocation date, and reason. + * <pre> + * SEQUENCE { + * serialNumber CertificateSerialNumber, + * revocationDate Time, + * crlEntryExtensions Extensions OPTIONAL, + * ...} + * </pre> + */ +public class RevokedCertificate extends ASN1Object { + private final Int serialNumber; + private final ASN1Time revocationDate; + private final Reason reason; + + /** + * EFFECT: Init with tags and parameters. See {@link ASN1Object} for tags. + * REQUIRES: revocationDate should be either UtcTime or GeneralTime. + */ + public RevokedCertificate(Tag tag, Tag parentTag, + Int serialNumber, + ASN1Time revocationDate, + Reason reason) { + super(tag, parentTag); + this.serialNumber = serialNumber; + this.revocationDate = revocationDate; + this.reason = reason; + } + + @Override + public Byte[] encodeValueDER() { + final Byte[] r = new OctetString(OctetString.TAG, + null, + new Byte[]{ 0x0A, 0x01, (byte) reason.getVal() }) + .encodeDER(); + final Byte[] oid = new ObjectIdentifier(ObjectIdentifier.TAG, null, ObjectIdentifier.OID_CRL_REASON) + .encodeDER(); + final Byte[] seqExt = Stream.of(Arrays.asList(TAG_SEQUENCE.encodeDER()), + Arrays.asList(new ASN1Length(r.length + oid.length).encodeDER()), + Arrays.asList(oid), + Arrays.asList(r)) + .flatMap(Collection::stream) + .toArray(Byte[]::new); + return Stream.of(Arrays.asList(serialNumber.encodeDER()), + Arrays.asList(revocationDate.encodeDER()), + Arrays.asList(TAG_SEQUENCE.encodeDER()), + Arrays.asList(new ASN1Length(seqExt.length).encodeDER()), + Arrays.asList(seqExt)) + .flatMap(Collection::stream) + .toArray(Byte[]::new); + } + + public Int getSerialNumber() { + return serialNumber; + } + + public ASN1Time getRevocationDate() { + return revocationDate; + } + + public Reason getReason() { + return reason; + } +} |