// Read both ends of the CRL's validity window up front.
Date thisUp = crlist.getThisUpdate();
Date nextUp = crlist.getNextUpdate();
// A CRL missing either bound is handled on its own branch; the branch body lies outside this excerpt.
// X509CRL.getNextUpdate() is documented to return null when the CRL carries no nextUpdate field.
if ((thisUp == null) || (nextUp == null)) {
// Fill the CRL identifier with the CRL's issuer, issue time and number.
crlIdentifier.setIssuer(issuerName);
// NOTE(review): "Z" is not a documented java.util.TimeZone ID; getTimeZone() returns GMT for IDs it
// cannot understand, so this presumably resolves to GMT -- confirm, or spell the zone as "UTC".
Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
// The issue time recorded in the identifier is the CRL's thisUpdate value.
cal.setTime(crl.getThisUpdate());
crlIdentifier.setIssueTime(cal);
crlIdentifier.setNumber(getCrlNumber(crl));
/**
 * Returns the thisUpdate date of the wrapped CRL.
 *
 * @return the CRL's thisUpdate date, or {@code null} when no CRL is set
 */
@Override
public Date getThisUpdate() {
    // Copy the field into a local so the null test and the call use the same reference.
    final X509CRL current = this.crl;
    return (current == null) ? null : current.getThisUpdate();
}
/**
 * Gets the thisUpdate date from the CRL.
 * <p>
 * The value is read directly from {@code crlValidity.x509CRL}; this getter performs no
 * signature or freshness check of its own, so callers that rely on the date should do so
 * only for a CRL whose signature has been verified.
 *
 * @return the thisUpdate date from the CRL.
 */
public Date getThisUpdate() {
    return crlValidity.x509CRL.getThisUpdate();
}
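/**
 * Checks whether the validation date falls inside the CRL's validity window, i.e. not before
 * thisUpdate and not after nextUpdate.
 * <p>
 * A CRL without a nextUpdate field is rejected: {@link X509CRL#getNextUpdate()} returns
 * {@code null} in that case, and without an upper bound the CRL cannot be shown to be fresh
 * at the validation date.
 *
 * @param crl the CRL to check
 * @param validationDate the date at which the CRL must be valid
 * @return {@code true} if the validation date lies within the CRL's validity window,
 *         {@code false} otherwise
 */
private boolean isCrlInValidationDate(X509CRL crl, Date validationDate) {
    Date thisUpdate = crl.getThisUpdate();
    LOG.debug("validation date: " + validationDate);
    LOG.debug("CRL this update: " + thisUpdate);
    if (thisUpdate.after(validationDate)) {
        LOG.warn("CRL too young");
        return false;
    }
    Date nextUpdate = crl.getNextUpdate();
    LOG.debug("CRL next update: " + nextUpdate);
    if (nextUpdate == null) {
        // Fail closed instead of letting Date.after(null) throw a NullPointerException.
        LOG.warn("CRL has no next update");
        return false;
    }
    if (validationDate.after(nextUpdate)) {
        LOG.debug("CRL too old");
        return false;
    }
    return true;
}
}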
// True when the CRL was issued strictly before the certificate's notAfter date; the guarded
// statement lies outside this excerpt.
if (crl.getThisUpdate().before(cert.getNotAfter()))
// True when the CRL was issued strictly before the certificate's notAfter date; the guarded
// statement lies outside this excerpt.
if (crl.getThisUpdate().before(cert.getNotAfter()))
// True when the CRL was issued strictly before the certificate's notAfter date; the guarded
// statement lies outside this excerpt.
if (crl.getThisUpdate().before(cert.getNotAfter()))
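// Each label now names the field it prints: the original labelled thisUpdate as "nextUpdate"
// and nextUpdate as "thisUpdate", which would mislead anyone judging CRL freshness from the log.
log.debug("CRL thisUpdate: " + x509crl.getThisUpdate());
log.debug("CRL nextUpdate: " + x509crl.getNextUpdate());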
/**
 * Stores the CRL in the certificate store and then hands it to every configured publisher.
 * <p>
 * A failure to store the CRL aborts the operation. A {@link RuntimeException} from an
 * individual publisher is logged and does not change the result, so {@code true} means only
 * that the CRL was stored, not that every publisher received it.
 *
 * @param crl the CRL to store and publish
 * @return {@code false} if the CRL could not be added to the certificate store,
 *         {@code true} otherwise
 */
private boolean publishCrl(X509CRL crl) {
    // Step 1: persist the CRL; nothing is published if this fails.
    try {
        certstore.addCrl(caIdent, crl);
    } catch (Exception storeFailure) {
        LOG.error("could not add CRL ca={}, thisUpdate={}: {}, ",
                caIdent.getName(), crl.getThisUpdate(), storeFailure.getMessage());
        LOG.debug("Exception", storeFailure);
        return false;
    }

    // Step 2: best-effort notification of the publishers, one at a time.
    for (IdentifiedCertPublisher target : publishers()) {
        try {
            target.crlAdded(caCert, crl);
        } catch (RuntimeException publishFailure) {
            LogUtil.error(LOG, publishFailure,
                    "could not publish CRL to the publisher " + target.getIdent());
        }
    }

    return true;
} // method publishCrl
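/**
 * Verifies a certificate against a single CRL.
 * <p>
 * The CRL is used only when its issuer matches the issuer of {@code signCert}, the sign date
 * lies strictly between the CRL's thisUpdate and nextUpdate, and the CRL's signature is
 * accepted by {@code isSignatureValid}. A CRL that fails any of these checks is not treated
 * as evidence that the certificate is unrevoked.
 *
 * @param crl the Certificate Revocation List
 * @param signCert a certificate that needs to be verified
 * @param issuerCert its issuer
 * @param signDate the sign date
 * @return true if the CRL was usable and does not list the certificate as revoked; false if
 *         the CRL could not be used for this certificate and date
 * @throws GeneralSecurityException if the CRL lists the certificate as revoked
 */
public boolean verify(X509CRL crl, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException {
    if (crl == null || signDate == null) {
        return false;
    }
    // We only check CRLs for which the issuer matches
    if (!crl.getIssuerX500Principal().equals(signCert.getIssuerX500Principal())) {
        return false;
    }
    // nextUpdate is optional in a CRL and getNextUpdate() then returns null; without an upper
    // bound the CRL cannot be shown to cover the signing date, so it is skipped rather than
    // passed to Date.before(null).
    Date nextUpdate = crl.getNextUpdate();
    if (nextUpdate == null || !signDate.after(crl.getThisUpdate()) || !signDate.before(nextUpdate)) {
        return false;
    }
    // A CRL whose signature is not accepted is not revocation evidence. The original fell
    // through to "return true" in this case, reporting success on an unauthenticated CRL.
    if (!isSignatureValid(crl, issuerCert)) {
        return false;
    }
    // the signing certificate may not be revoked
    if (crl.isRevoked(signCert)) {
        throw new VerificationException(signCert, "The certificate has been revoked.");
    }
    return true;
}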
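/**
 * Verifies a certificate against a single CRL.
 * <p>
 * The CRL is used only when its issuer matches the issuer of {@code signCert}, the sign date
 * lies strictly between the CRL's thisUpdate and nextUpdate, and the CRL's signature is
 * accepted by {@code isSignatureValid}. A CRL that fails any of these checks is not treated
 * as evidence that the certificate is unrevoked.
 *
 * @param crl the Certificate Revocation List
 * @param signCert a certificate that needs to be verified
 * @param issuerCert its issuer
 * @param signDate the sign date
 * @return true if the CRL was usable and does not list the certificate as revoked; false if
 *         the CRL could not be used for this certificate and date
 * @throws GeneralSecurityException if the CRL lists the certificate as revoked
 */
public boolean verify(X509CRL crl, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException {
    // The sentinel is compared by reference, as in the original; the added null test keeps a
    // missing sign date from reaching signDate.after(...) below.
    if (crl == null || signDate == null || signDate == SignUtils.UNDEFINED_TIMESTAMP_DATE) {
        return false;
    }
    // We only check CRLs for which the issuer matches
    if (!crl.getIssuerX500Principal().equals(signCert.getIssuerX500Principal())) {
        return false;
    }
    // nextUpdate is optional in a CRL and getNextUpdate() then returns null; without an upper
    // bound the CRL cannot be shown to cover the signing date, so it is skipped rather than
    // passed to Date.before(null).
    Date nextUpdate = crl.getNextUpdate();
    if (nextUpdate == null || !signDate.after(crl.getThisUpdate()) || !signDate.before(nextUpdate)) {
        return false;
    }
    // A CRL whose signature is not accepted is not revocation evidence. The original fell
    // through to "return true" in this case, reporting success on an unauthenticated CRL.
    if (!isSignatureValid(crl, issuerCert)) {
        return false;
    }
    // the signing certificate may not be revoked
    if (crl.isRevoked(signCert)) {
        throw new VerificationException(signCert, "The certificate has been revoked.");
    }
    return true;
}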
// True when the CRL was issued strictly before the certificate's notAfter date; the guarded
// statement lies outside this excerpt.
if (crl.getThisUpdate().before(cert.getNotAfter()))
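/**
 * Verifies a certificate against a single CRL.
 * <p>
 * The CRL is used only when its issuer matches the issuer of {@code signCert}, the sign date
 * lies strictly between the CRL's thisUpdate and nextUpdate, and the CRL's signature is
 * accepted by {@code isSignatureValid}. A CRL that fails any of these checks is not treated
 * as evidence that the certificate is unrevoked.
 *
 * @param crl the Certificate Revocation List
 * @param signCert a certificate that needs to be verified
 * @param issuerCert its issuer
 * @param signDate the sign date
 * @return true if the CRL was usable and does not list the certificate as revoked; false if
 *         the CRL could not be used for this certificate and date
 * @throws GeneralSecurityException if the CRL lists the certificate as revoked
 */
public boolean verify(X509CRL crl, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException {
    if (crl == null || signDate == null) {
        return false;
    }
    // We only check CRLs for which the issuer matches
    if (!crl.getIssuerX500Principal().equals(signCert.getIssuerX500Principal())) {
        return false;
    }
    // nextUpdate is optional in a CRL and getNextUpdate() then returns null; without an upper
    // bound the CRL cannot be shown to cover the signing date, so it is skipped rather than
    // passed to Date.before(null).
    Date nextUpdate = crl.getNextUpdate();
    if (nextUpdate == null || !signDate.after(crl.getThisUpdate()) || !signDate.before(nextUpdate)) {
        return false;
    }
    // A CRL whose signature is not accepted is not revocation evidence. The original fell
    // through to "return true" in this case, reporting success on an unauthenticated CRL.
    if (!isSignatureValid(crl, issuerCert)) {
        return false;
    }
    // the signing certificate may not be revoked
    if (crl.isRevoked(signCert)) {
        throw new VerificationException(signCert, "The certificate has been revoked.");
    }
    return true;
}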
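/**
 * Verifies a certificate against a single CRL.
 * <p>
 * The CRL is used only when its issuer matches the issuer of {@code signCert}, the sign date
 * lies strictly between the CRL's thisUpdate and nextUpdate, and the CRL's signature is
 * accepted by {@code isSignatureValid}. A CRL that fails any of these checks is not treated
 * as evidence that the certificate is unrevoked.
 *
 * @param crl the Certificate Revocation List
 * @param signCert a certificate that needs to be verified
 * @param issuerCert its issuer
 * @param signDate the sign date
 * @return true if the CRL was usable and does not list the certificate as revoked; false if
 *         the CRL could not be used for this certificate and date
 * @throws GeneralSecurityException if the CRL lists the certificate as revoked
 */
public boolean verify(X509CRL crl, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException {
    // The sentinel is compared by reference, as in the original; the added null test keeps a
    // missing sign date from reaching signDate.after(...) below.
    if (crl == null || signDate == null || signDate == SignUtils.UNDEFINED_TIMESTAMP_DATE) {
        return false;
    }
    // We only check CRLs for which the issuer matches
    if (!crl.getIssuerX500Principal().equals(signCert.getIssuerX500Principal())) {
        return false;
    }
    // nextUpdate is optional in a CRL and getNextUpdate() then returns null; without an upper
    // bound the CRL cannot be shown to cover the signing date, so it is skipped rather than
    // passed to Date.before(null).
    Date nextUpdate = crl.getNextUpdate();
    if (nextUpdate == null || !signDate.after(crl.getThisUpdate()) || !signDate.before(nextUpdate)) {
        return false;
    }
    // A CRL whose signature is not accepted is not revocation evidence. The original fell
    // through to "return true" in this case, reporting success on an unauthenticated CRL.
    if (!isSignatureValid(crl, issuerCert)) {
        return false;
    }
    // the signing certificate may not be revoked
    if (crl.isRevoked(signCert)) {
        throw new VerificationException(signCert, "The certificate has been revoked.");
    }
    return true;
}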
if (log.isTraceEnabled()) { log.trace("Added X509CRL to cert store from issuer {} dated {}", x500DNHandler.getName(crl.getIssuerX500Principal()), crl.getThisUpdate()); if (isEmpty) { log.trace("X509CRL added to cert store from issuer {} dated {} was empty", x500DNHandler.getName(crl.getIssuerX500Principal()), crl.getThisUpdate()); if (log.isTraceEnabled()) { log.trace("Empty X509CRL not added to cert store, from issuer {} dated {}", x500DNHandler.getName(crl.getIssuerX500Principal()), crl.getThisUpdate());
} else if (crlEntry.getRevocationDate().after(validationDate)) {
    // The certificate has a CRL entry, but the revocation happened after the validation date,
    // so it is reported as VALID for that date. The outcome depends entirely on validationDate.
    // NOTE(review): confirm at the call site that validationDate comes from a trusted source
    // (for example a verified timestamp) rather than an unauthenticated claimed time.
    log.warn("CRL revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
    // The CRL's thisUpdate is recorded as the issuing time of the revocation data.
    status.setRevocationObjectIssuingTime(x509crl.getThisUpdate());
    status.setValidity(CertificateValidity.VALID);
} else {
    // Revocation date is not after the validation date: report REVOKED together with the
    // revocation date taken from the CRL entry.
    log.info("CRL for certificate '" + subjectX500Principal + "' is revoked since " + crlEntry.getRevocationDate());
    status.setRevocationObjectIssuingTime(x509crl.getThisUpdate());
    status.setRevocationDate(crlEntry.getRevocationDate());
    status.setValidity(CertificateValidity.REVOKED);
/**
 * Initialises this token's fields from the wrapped {@code crlValidity}.
 * <p>
 * The signature algorithm, issuing time (the CRL's thisUpdate), next update and issuer
 * principal are read from the X.509 CRL itself. The issuer token, the signature-valid flag
 * and the invalidity reason are copied from {@code crlValidity} unchanged; no signature
 * check is performed here.
 */
private void setDefaultValues() {
    final X509CRL crl = crlValidity.x509CRL;

    // Values read from the CRL.
    this.algorithmUsedToSignToken = SignatureAlgorithm.forOID(crl.getSigAlgOID());
    this.issuingTime = crl.getThisUpdate();
    this.nextUpdate = crl.getNextUpdate();
    this.issuerX500Principal = crl.getIssuerX500Principal();

    this.extraInfo = new TokenValidationExtraInfo();

    // Values copied from the validity result.
    this.issuerToken = crlValidity.issuerToken;
    this.signatureValid = crlValidity.signatureIntact;
    this.signatureInvalidityReason = crlValidity.signatureInvalidityReason;
}
// Issue time of the CRL, read from its thisUpdate field.
final Date thisUpdate = x509CRL.getThisUpdate();
// Branch taken when hasExpiredCertOnCRLExtension() is false; the branch body lies outside this
// excerpt. NOTE(review): presumably this refers to the expiredCertsOnCRL extension -- confirm.
if (!certificateToken.hasExpiredCertOnCRLExtension()) {
/**
 * Loads the CRL with the given number for this CA from the certificate store and parses it.
 * <p>
 * The start of the call is logged at INFO level, followed by either a SUCCESSFUL line carrying
 * the CRL's thisUpdate or a FAILED line. The FAILED line is also written when the store holds
 * no CRL for the number and {@code null} is returned.
 *
 * @param crlNumber the number of the CRL to load
 * @return the parsed CRL, or {@code null} if the store returns no encoded CRL
 * @throws OperationException with {@code SYSTEM_FAILURE} if the stored bytes cannot be parsed
 *         or a runtime exception occurs while parsing or logging
 */
public X509CRL getCrl(BigInteger crlNumber) throws OperationException {
    LOG.info(" START getCrl: ca={}, crlNumber={}", caIdent.getName(), crlNumber);

    // Stays false on every exit path except a completed parse; drives the FAILED log line.
    boolean parsed = false;
    try {
        final byte[] crlBytes = certstore.getEncodedCrl(caIdent, crlNumber);
        if (crlBytes == null) {
            return null;
        }

        try {
            final X509CRL parsedCrl = X509Util.parseCrl(crlBytes);
            parsed = true;
            if (LOG.isInfoEnabled()) {
                final String thisUpdateText = new Time(parsedCrl.getThisUpdate()).getTime();
                LOG.info("SUCCESSFUL getCrl: ca={}, thisUpdate={}", caIdent.getName(), thisUpdateText);
            }
            return parsedCrl;
        } catch (CRLException | CertificateException | RuntimeException ex) {
            // All parse-time failures surface to the caller as one SYSTEM_FAILURE error.
            throw new OperationException(SYSTEM_FAILURE, ex);
        }
    } finally {
        if (!parsed) {
            LOG.info(" FAILED getCrl: ca={}", caIdent.getName());
        }
    }
} // method getCrl