本文整理汇总了Java中org.bouncycastle.asn1.x509.ExtensionsGenerator.addExtension方法的典型用法代码示例。如果您正苦于以下问题:Java ExtensionsGenerator.addExtension方法的具体用法?Java ExtensionsGenerator.addExtension怎么用?Java ExtensionsGenerator.addExtension使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类org.bouncycastle.asn1.x509.ExtensionsGenerator
的用法示例。
示例1: generateCSR
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
/**
 * Builds a PEM-encoded PKCS#10 request for {@code keyPair}.
 * <p>The request carries an extensionRequest attribute asking for a critical keyUsage
 * (digitalSignature), a critical extendedKeyUsage (clientAuth + serverAuth) and a critical
 * subjectAltName taken from {@code certificateNamesGenerator}. The signature is fixed to
 * SHA256withRSA, so the private key is expected to be an RSA key.
 *
 * @param keyPair key pair whose public key is certified and whose private key signs the request
 * @param certificateNamesGenerator supplies the subject DN and the SAN list
 * @return the request in PEM form, as produced by {@code PEMUtils.toPEM}
 * @throws IOException if an extension cannot be encoded
 * @throws OperatorCreationException if no content signer can be built for the private key
 */
private static byte[] generateCSR(KeyPair keyPair, CertificateNamesGenerator certificateNamesGenerator)
        throws IOException, OperatorCreationException {
    KeyUsage signingOnly = new KeyUsage(KeyUsage.digitalSignature);
    ExtendedKeyUsage tlsBothSides = new ExtendedKeyUsage(new KeyPurposeId[] {
            KeyPurposeId.id_kp_clientAuth,
            KeyPurposeId.id_kp_serverAuth
    });

    // Order matters for the DER encoding, so the three extensions are added in the same order as before
    ExtensionsGenerator requested = new ExtensionsGenerator();
    requested.addExtension(Extension.keyUsage, true, signingOnly);
    requested.addExtension(Extension.extendedKeyUsage, true, tlsBothSides);
    requested.addExtension(Extension.subjectAlternativeName, true, certificateNamesGenerator.getSANs());

    JcaPKCS10CertificationRequestBuilder requestBuilder =
            new JcaPKCS10CertificationRequestBuilder(certificateNamesGenerator.getSubject(), keyPair.getPublic());
    requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, requested.generate());

    PKCS10CertificationRequest signedRequest =
            requestBuilder.build(new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate()));
    return PEMUtils.toPEM(signedRequest);
}
示例2: generateCSR
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
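/**
 * Builds a signed PKCS#10 request whose subject CN is {@code commonNames[0]} and whose requested
 * subjectAltName extension lists every entry of {@code commonNames} as a dNSName.
 * <p>The signature algorithm is fixed to SHA256withRSA, so {@code pair} is expected to hold an RSA key.
 *
 * @param commonNames DNS names to certify; the first one becomes the subject CN. Must be non-empty.
 * @param pair key pair whose public key is certified and whose private key signs the request
 * @return the signed certification request
 * @throws IllegalArgumentException if {@code commonNames} is null or empty
 * @throws NullPointerException if {@code pair} is null
 * @throws OperatorCreationException if no content signer can be built for the private key
 * @throws IOException if an extension cannot be encoded
 */
public static PKCS10CertificationRequest generateCSR(String[] commonNames, KeyPair pair) throws OperatorCreationException, IOException {
    // Fail with a clear message instead of an ArrayIndexOutOfBoundsException on commonNames[0]
    if (commonNames == null || commonNames.length == 0) {
        throw new IllegalArgumentException("commonNames must contain at least one name");
    }
    java.util.Objects.requireNonNull(pair, "pair");

    X500NameBuilder namebuilder = new X500NameBuilder(X500Name.getDefaultStyle());
    namebuilder.addRDN(BCStyle.CN, commonNames[0]);

    List<GeneralName> subjectAltNames = new ArrayList<>(commonNames.length);
    for (String cn : commonNames) {
        subjectAltNames.add(new GeneralName(GeneralName.dNSName, cn));
    }
    GeneralNames subjectAltName = new GeneralNames(subjectAltNames.toArray(new GeneralName[0]));

    // Requested extensions travel in the pkcs-9-at-extensionRequest attribute; SAN is marked non-critical
    ExtensionsGenerator extGen = new ExtensionsGenerator();
    extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltName.toASN1Primitive());

    PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(namebuilder.build(), pair.getPublic());
    p10Builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());

    ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(pair.getPrivate());
    return p10Builder.build(signer);
}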
示例3: addExtension
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
/**
 * Adds an extension to {@code extGenerator}, translating the generator's checked
 * {@link IOException} into the library's {@link CertIOException}.
 *
 * @param extGenerator generator receiving the extension
 * @param oid extension identifier
 * @param isCritical whether the extension is flagged critical
 * @param value extension value; it is DER-encoded by the generator
 * @throws CertIOException if the value cannot be encoded (the original exception is the cause)
 */
static void addExtension(ExtensionsGenerator extGenerator, ASN1ObjectIdentifier oid, boolean isCritical, ASN1Encodable value)
    throws CertIOException
{
    try {
        extGenerator.addExtension(oid, isCritical, value);
    } catch (IOException encodingFailure) {
        // Preserve the cause so callers can still see where the encoding failed
        throw new CertIOException("cannot encode extension: " + encodingFailure.getMessage(), encodingFailure);
    }
}
示例4: addExtension
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
/**
 * Adds an extension to {@code extGenerator}, translating the generator's checked
 * {@link IOException} into the TSP package's {@link TSPIOException}.
 *
 * @param extGenerator generator receiving the extension
 * @param oid extension identifier
 * @param isCritical whether the extension is flagged critical
 * @param value extension value; it is DER-encoded by the generator
 * @throws TSPIOException if the value cannot be encoded (the original exception is the cause)
 */
static void addExtension(ExtensionsGenerator extGenerator, ASN1ObjectIdentifier oid, boolean isCritical, ASN1Encodable value)
    throws TSPIOException
{
    try {
        extGenerator.addExtension(oid, isCritical, value);
    } catch (IOException encodingFailure) {
        // Keep the original exception chained for diagnostics
        throw new TSPIOException("cannot encode extension: " + encodingFailure.getMessage(), encodingFailure);
    }
}
示例5: generateCSR
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
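/**
 * Generate a CSR object.
 * <p>Every entry of {@code extensions} is placed into a single pkcs-9-at-extensionRequest
 * attribute. The attribute is only attached when at least one extension was supplied, because
 * X.509 {@code Extensions} is {@code SEQUENCE SIZE (1..MAX)} and an empty one is malformed.
 *
 * @param dn The CSR's Distinguished Name (DN).
 * @param key The CSR's key pair
 * @param extensions The CRT's extension objects; {@code null} is treated as "none".
 * @param signatureAlgorithm The signature algorithm to use.
 * @return The generated CSR object.
 * @throws IOException if an error occurs during generation.
 * @throws CertProviderException if no content signer can be created for the key / algorithm.
 */
public static PKCS10CertificateRequest generateCSR(X500Principal dn, KeyPair key,
        List<X509ExtensionData> extensions, SignatureAlgorithm signatureAlgorithm) throws IOException {
    LOG.info("CSR generation ''{0}'' started...", dn);
    // Initialize CSR builder
    PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(dn, key.getPublic());
    // Add custom extension objects (a null list means nothing to request)
    ExtensionsGenerator extensionGenerator = new ExtensionsGenerator();
    if (extensions != null) {
        for (X509ExtensionData extensionData : extensions) {
            extensionGenerator.addExtension(new ASN1ObjectIdentifier(extensionData.oid()), extensionData.getCritical(),
                    extensionData.encode());
        }
    }
    // Skip the attribute entirely when empty; an empty extensionRequest is not valid ASN.1
    if (!extensionGenerator.isEmpty()) {
        csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionGenerator.generate());
    }
    PKCS10CertificateRequest csr;
    try {
        // Sign CSR
        ContentSigner csrSigner = new JcaContentSignerBuilder(signatureAlgorithm.algorithm()).build(key.getPrivate());
        csr = fromPKCS10(csrBuilder.build(csrSigner));
    } catch (OperatorCreationException e) {
        throw new CertProviderException(e);
    }
    LOG.info("CSR generation ''{0}'' done", dn);
    return csr;
}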
示例6: extensions_test_subject_alternative_names
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
/**
 * A request asking for a subjectAltName that names a domain outside the allowed set must be
 * rejected by {@code CertificateSigner.verifyCertificateExtensions} with an
 * {@link IllegalArgumentException}.
 */
@Test(expected = IllegalArgumentException.class)
public void extensions_test_subject_alternative_names() throws Exception {
    GeneralName foreignDnsName = new GeneralName(GeneralName.dNSName, "some.other.domain.tld");
    ExtensionsGenerator requested = new ExtensionsGenerator();
    requested.addExtension(Extension.subjectAlternativeName, false,
            new GeneralNames(new GeneralName[] {foreignDnsName}));
    PKCS10CertificationRequest csr = makeRequest("OU=Vespa", requested.generate());
    CertificateSigner.verifyCertificateExtensions(csr);
}
示例7: extensions_allowed
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
/**
 * A request whose only extension is certificateIssuer (with an empty raw value) passes
 * {@code CertificateSigner.verifyCertificateExtensions} without throwing.
 */
@Test
public void extensions_allowed() throws Exception {
    ExtensionsGenerator requested = new ExtensionsGenerator();
    // byte[] overload: the value is taken as an already-encoded extension payload
    requested.addExtension(Extension.certificateIssuer, true, new byte[0]);
    CertificateSigner.verifyCertificateExtensions(makeRequest("OU=Vespa", requested.generate()));
}
示例8: generateX509CSR
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
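/**
 * Builds a PKCS#10 request for {@code publicKey}, signs it with {@code privateKey} using
 * {@code Crypto.RSA_SHA256}, and returns it as a PEM "CERTIFICATE REQUEST" block.
 * <p>A subjectAltName extension request is attached only when {@code sanArray} holds at least one
 * name: {@code GeneralNames} is {@code SEQUENCE SIZE (1..MAX)}, so an empty array (like
 * {@code null}) means "no SAN requested" rather than an empty, malformed SAN.
 *
 * @param privateKey signing key (must match {@code publicKey})
 * @param publicKey key to be certified
 * @param x500Principal subject DN in RFC 2253 string form
 * @param sanArray optional subject alternative names; {@code null} or empty for none
 * @return PEM text of the signed request
 * @throws OperatorCreationException if no content signer can be built for {@code privateKey}
 * @throws IOException if the request or an extension cannot be encoded
 */
public static String generateX509CSR(PrivateKey privateKey, PublicKey publicKey,
        String x500Principal, GeneralName[] sanArray) throws OperatorCreationException, IOException {
    // Create Distinguished Name
    X500Principal subject = new X500Principal(x500Principal);
    // Create ContentSigner
    JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder(Crypto.RSA_SHA256);
    ContentSigner signer = csBuilder.build(privateKey);
    // Create the CSR
    PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
            subject, publicKey);
    // Add SubjectAlternativeNames (SAN) only if at least one was supplied
    if (sanArray != null && sanArray.length > 0) {
        ExtensionsGenerator extGen = new ExtensionsGenerator();
        GeneralNames subjectAltNames = new GeneralNames(sanArray);
        extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
        p10Builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
    }
    PKCS10CertificationRequest csr = p10Builder.build(signer);
    // write to openssl PEM format; the writer is closed by try-with-resources on every path
    PemObject pemObject = new PemObject("CERTIFICATE REQUEST", csr.getEncoded());
    StringWriter strWriter = new StringWriter();
    try (JcaPEMWriter pemWriter = new JcaPEMWriter(strWriter)) {
        pemWriter.writeObject(pemObject);
    }
    return strWriter.toString();
}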
示例9: sign
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
/**
 * Signs the completed CSR.
 * <p>Every name collected in {@code namelist} becomes a dNSName entry of the requested
 * subjectAltName extension; the result is stored in the {@code csr} field. The signature
 * algorithm is {@code EC_SIGNATURE_ALG} for EC private keys and {@code SIGNATURE_ALG} otherwise.
 *
 * @param keypair
 *            {@link KeyPair} to sign the CSR with
 * @throws IllegalStateException if no domain name has been added yet
 * @throws IOException if the request cannot be encoded or no signer can be created
 */
public void sign(KeyPair keypair) throws IOException {
    Objects.requireNonNull(keypair, "keypair");
    if (namelist.isEmpty()) {
        throw new IllegalStateException("No domain was set");
    }
    try {
        GeneralName[] dnsNames = new GeneralName[namelist.size()];
        for (int slot = 0; slot < dnsNames.length; slot++) {
            dnsNames[slot] = new GeneralName(GeneralName.dNSName, namelist.get(slot));
        }

        ExtensionsGenerator requested = new ExtensionsGenerator();
        requested.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(dnsNames));

        PKCS10CertificationRequestBuilder requestBuilder =
            new JcaPKCS10CertificationRequestBuilder(namebuilder.build(), keypair.getPublic());
        requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, requested.generate());

        // Pick the signature algorithm from the key type rather than from a caller hint
        PrivateKey signingKey = keypair.getPrivate();
        String signatureAlgorithm = (signingKey instanceof ECKey) ? EC_SIGNATURE_ALG : SIGNATURE_ALG;
        ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(signingKey);

        csr = requestBuilder.build(signer);
    } catch (OperatorCreationException ex) {
        throw new IOException("Could not generate CSR", ex);
    }
}
示例10: nullPointerTest
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
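/**
 * Builds two requests from the same key pair, subject and extension request and checks that
 * they compare equal and expose the same attributes (overall and filtered by OID).
 */
private void nullPointerTest()
    throws Exception
{
    // Small RSA key and SHA-1 keep the test fast; they are fixture values, not recommended parameters
    AsymmetricCipherKeyPairGenerator kpg = new RSAKeyPairGenerator();
    RSAKeyGenerationParameters genParam = new RSAKeyGenerationParameters(
        BigInteger.valueOf(0x1001), new SecureRandom(), 1024, 25);
    kpg.init(genParam);
    AsymmetricCipherKeyPair kp = kpg.generateKeyPair();

    // CA-style extension request: basicConstraints, keyUsage and a subject key identifier
    ExtensionsGenerator extGen = new ExtensionsGenerator();
    extGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    extGen.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
    BcX509ExtensionUtils extUtils = new BcX509ExtensionUtils(new SHA1DigestCalculator());
    SubjectKeyIdentifier subjectKeyIdentifier = extUtils.createSubjectKeyIdentifier(kp.getPublic());
    extGen.addExtension(Extension.subjectKeyIdentifier, false, subjectKeyIdentifier);

    DefaultSignatureAlgorithmIdentifierFinder sigAlgFinder = new DefaultSignatureAlgorithmIdentifierFinder();
    DefaultDigestAlgorithmIdentifierFinder digAlgFinder = new DefaultDigestAlgorithmIdentifierFinder();
    AlgorithmIdentifier sigAlgId = sigAlgFinder.find("SHA1withRSA");
    AlgorithmIdentifier digAlgId = digAlgFinder.find(sigAlgId);
    BcContentSignerBuilder contentSignerBuilder = new BcRSAContentSignerBuilder(sigAlgId, digAlgId);

    // Same inputs twice; the two generated requests must be equal
    PKCS10CertificationRequest p1 = new BcPKCS10CertificationRequestBuilder(
        new X500Name("cn=csr"), kp.getPublic())
        .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate())
        .build(contentSignerBuilder.build(kp.getPrivate()));
    PKCS10CertificationRequest p2 = new BcPKCS10CertificationRequestBuilder(
        new X500Name("cn=csr"), kp.getPublic())
        .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate())
        .build(contentSignerBuilder.build(kp.getPrivate()));
    if (!p1.equals(p2))
    {
        fail("cert request comparison failed");
    }

    // Compare p1 against p2 (not p1 against itself) so the attribute check is meaningful
    Attribute[] attr1 = p1.getAttributes();
    Attribute[] attr2 = p2.getAttributes();
    checkAttrs(1, attr1, attr2);
    attr1 = p1.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    attr2 = p2.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    checkAttrs(1, attr1, attr2);
}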
示例11: getPkcs10_Pkcs8_AsPemStrings
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
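/**
 * Get the PKCS#10 PEM string and encrypted PKCS#8 PEM string.
 * <p>Generates a fresh 2048-bit RSA key pair with the BC provider, builds a PKCS#10 request
 * for {@code subject} signed with {@code SHA1withRSA}, verifies the request signature against
 * the new public key, and encrypts the private key as PKCS#8 (PBE-SHA1-3DES) under {@code pw}.
 * The subjectAltName extension request is only attached when {@code email} is given, because an
 * empty extensionRequest attribute is not valid ASN.1 ({@code Extensions} is SIZE (1..MAX)).
 * @param subject subject DN placed in the request
 * @param email Added as a Subject Alt Name extension if not null
 * @param pw password protecting the PKCS#8 output
 * @return First element contains the PKCS#10 PEM, second element contains the private key.
 * @throws NullPointerException if {@code subject} or {@code pw} is null
 * @throws RuntimeException if the freshly built request does not verify under its own key
 * @throws IOException
 * @throws NoSuchAlgorithmException
 * @throws NoSuchProviderException
 * @throws OperatorCreationException
 * @throws PKCSException
 */
public String[] getPkcs10_Pkcs8_AsPemStrings(X500Name subject, String email, String pw)
        throws IOException, NoSuchAlgorithmException,
        NoSuchProviderException, OperatorCreationException, PKCSException {
    java.util.Objects.requireNonNull(subject, "subject");
    java.util.Objects.requireNonNull(pw, "pw");
    // Create a PKCS10 cert signing request
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
    kpg.initialize(2048);
    KeyPair kp = kpg.genKeyPair();
    PrivateKey priKey = kp.getPrivate();
    PKCS10CertificationRequestBuilder requestBuilder
        = new JcaPKCS10CertificationRequestBuilder(subject, kp.getPublic());
    ExtensionsGenerator extGen = new ExtensionsGenerator();
    if (email != null) {
        extGen.addExtension(Extension.subjectAlternativeName, false,
            new GeneralNames(new GeneralName(GeneralName.rfc822Name, email)));
    }
    // Without an email there is nothing to request; skip the (otherwise empty) attribute
    if (!extGen.isEmpty()) {
        requestBuilder.addAttribute(
            PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
    }
    // NOTE(review): SHA-1 request signatures are deprecated and some CAs reject them; the value is
    // kept because callers may depend on it. "SHA256withRSA" would be the drop-in replacement.
    String sigName = "SHA1withRSA";
    PKCS10CertificationRequest req1 = requestBuilder.build(
        new JcaContentSignerBuilder(sigName).setProvider("BC").build(kp.getPrivate()));
    // Self-check: the request must verify under the public key it carries
    if (!req1.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(kp.getPublic()))) {
        throw new RuntimeException(sigName + ": Failed verify check.");
    }
    String csr = toPemString(req1);
    JceOpenSSLPKCS8EncryptorBuilder encryptorBuilder
        = new JceOpenSSLPKCS8EncryptorBuilder(PKCS8Generator.PBE_SHA1_3DES);
    SecureRandom random = new SecureRandom();
    encryptorBuilder.setRandom(random);
    encryptorBuilder.setPasssword(pw.toCharArray());
    OutputEncryptor oe = encryptorBuilder.build();
    JcaPKCS8Generator pkcs8GeneratorEnc = new JcaPKCS8Generator(priKey, oe);
    // Output encrypted private key pkcs8 PEM string (todo use later api)
    PemObject pkcs8PemEnc = pkcs8GeneratorEnc.generate();
    String pkcs8StrEnc = toPemString(pkcs8PemEnc);
    return new String[] { csr, pkcs8StrEnc };
}

/**
 * Serializes {@code obj} (a request or a {@code PemObject}) into PEM text, closing the writer on
 * every path, including when {@code writeObject} throws.
 *
 * @param obj object accepted by {@link PEMWriter#writeObject(Object)}
 * @return the PEM text
 * @throws IOException if the object cannot be written
 */
private static String toPemString(Object obj) throws IOException {
    StringWriter writer = new StringWriter();
    try (PEMWriter pemWriter = new PEMWriter(writer)) {
        pemWriter.writeObject(obj);
    }
    return writer.toString();
}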
示例12: testMalformedIndirect
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
/**
 * Builds a CRL whose single entry carries a certificateIssuer extension but whose CRL itself has
 * no issuingDistributionPoint extension, and checks that the JCE view of that CRL does not report
 * the test CA certificate as revoked.
 */
private void testMalformedIndirect()
    throws Exception
{
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");
    store.load(new ByteArrayInputStream(testCAp12), "test".toCharArray());
    X509Certificate caCert = (X509Certificate) store.getCertificate("ca");
    PrivateKey caKey = (PrivateKey) store.getKey("ca", null);

    X500Name issuerOfCrl = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    X500Name issuerOfCert = X500Name.getInstance(caCert.getIssuerX500Principal().getEncoded());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerOfCrl, new Date());

    // Entry extensions: a reason code plus a certificateIssuer naming the certificate's own issuer
    ExtensionsGenerator entryExtensions = new ExtensionsGenerator();
    entryExtensions.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    entryExtensions.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(issuerOfCert)));
    crlBuilder.addCRLEntry(caCert.getSerialNumber(), new Date(), entryExtensions.generate());

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    signerBuilder.setProvider("BC");
    X509CRLHolder holder = crlBuilder.build(signerBuilder.build(caKey));
    if (!holder.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(caCert)))
    {
        fail("CRL signature not valid");
    }

    X509CRLEntryHolder entry = holder.getRevokedCertificate(caCert.getSerialNumber());
    GeneralNames expectedIssuer = new GeneralNames(new GeneralName(holder.getIssuer()));
    if (!entry.getCertificateIssuer().equals(expectedIssuer))
    {
        fail("certificate issuer incorrect");
    }

    JcaX509CRLConverter toJce = new JcaX509CRLConverter();
    toJce.setProvider("BC");
    X509CRL crl = toJce.getCRL(holder);
    crl.verify(caCert.getPublicKey());
    if (crl.isRevoked(caCert))
    {
        throw new Exception("Certificate should not be revoked");
    }
}
示例13: testIndirect
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
/**
 * Indirect-CRL round trip: the CRL carries a critical issuingDistributionPoint (second
 * constructor flag set, presumably indirectCRL), the single entry names its certificate issuer
 * explicitly, and both the BC-converted CRL and a JCE re-parse of its DER encoding must verify
 * and report the test CA certificate as revoked.
 */
private void testIndirect()
    throws Exception
{
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");
    store.load(new ByteArrayInputStream(testCAp12), "test".toCharArray());
    X509Certificate caCert = (X509Certificate) store.getCertificate("ca");
    PrivateKey caKey = (PrivateKey) store.getKey("ca", null);

    X500Name issuerOfCrl = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    X500Name issuerOfCert = X500Name.getInstance(caCert.getIssuerX500Principal().getEncoded());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerOfCrl, new Date());
    crlBuilder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    ExtensionsGenerator entryExtensions = new ExtensionsGenerator();
    entryExtensions.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    entryExtensions.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(issuerOfCert)));
    crlBuilder.addCRLEntry(caCert.getSerialNumber(), new Date(), entryExtensions.generate());

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    signerBuilder.setProvider("BC");
    X509CRLHolder holder = crlBuilder.build(signerBuilder.build(caKey));
    if (!holder.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(caCert)))
    {
        fail("CRL signature not valid");
    }

    // The entry must echo back the issuer name it was built with
    X509CRLEntryHolder entry = holder.getRevokedCertificate(caCert.getSerialNumber());
    GeneralNames expectedIssuer = new GeneralNames(new GeneralName(issuerOfCert));
    if (!entry.getCertificateIssuer().equals(expectedIssuer))
    {
        fail("certificate issuer incorrect");
    }

    JcaX509CRLConverter toJce = new JcaX509CRLConverter();
    toJce.setProvider("BC");
    X509CRL bcCrl = toJce.getCRL(holder);
    bcCrl.verify(caCert.getPublicKey());
    if (!bcCrl.isRevoked(caCert))
    {
        fail("Certificate should be revoked");
    }

    // now encode the CRL and load the CRL with the JCE provider
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    X509CRL jceCrl = (X509CRL) factory.generateCRL(new ByteArrayInputStream(bcCrl.getEncoded()));
    jceCrl.verify(caCert.getPublicKey());
    if (!jceCrl.isRevoked(caCert))
    {
        fail("This certificate should also be revoked");
    }
}
示例14: testIndirect
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
/**
 * Indirect-CRL round trip using {@code PrincipalUtil} to read the certificate names: the CRL
 * carries a critical issuingDistributionPoint, the single entry names its certificate issuer
 * explicitly, and both the BC-converted CRL and a JCE re-parse of its DER encoding must verify
 * and report the test CA certificate as revoked.
 */
private void testIndirect()
    throws Exception
{
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");
    store.load(new ByteArrayInputStream(testCAp12), "test".toCharArray());
    X509Certificate caCert = (X509Certificate) store.getCertificate("ca");
    PrivateKey caKey = (PrivateKey) store.getKey("ca", null);

    X500Name issuerOfCrl = X500Name.getInstance(PrincipalUtil.getSubjectX509Principal(caCert).getEncoded());
    X500Name issuerOfCert = X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(caCert).getEncoded());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerOfCrl, new Date());
    crlBuilder.addExtension(Extension.issuingDistributionPoint, true, new IssuingDistributionPoint(null, true, false));

    ExtensionsGenerator entryExtensions = new ExtensionsGenerator();
    entryExtensions.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    entryExtensions.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(issuerOfCert)));
    crlBuilder.addCRLEntry(caCert.getSerialNumber(), new Date(), entryExtensions.generate());

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    signerBuilder.setProvider("BC");
    X509CRLHolder holder = crlBuilder.build(signerBuilder.build(caKey));

    JcaX509CRLConverter toJce = new JcaX509CRLConverter();
    toJce.setProvider("BC");
    X509CRL bcCrl = toJce.getCRL(holder);
    bcCrl.verify(caCert.getPublicKey());
    if (!bcCrl.isRevoked(caCert))
    {
        fail("Certificate should be revoked");
    }

    // now encode the CRL and load the CRL with the JCE provider
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    X509CRL jceCrl = (X509CRL) factory.generateCRL(new ByteArrayInputStream(bcCrl.getEncoded()));
    jceCrl.verify(caCert.getPublicKey());
    if (!jceCrl.isRevoked(caCert))
    {
        fail("This certificate should also be revoked");
    }
}
示例15: testMalformedIndirect
import org.bouncycastle.asn1.x509.ExtensionsGenerator; //导入方法依赖的package包/类
/**
 * Builds a CRL whose single entry carries a certificateIssuer extension but whose CRL itself has
 * no issuingDistributionPoint extension, and checks that the BC-converted CRL does not report
 * the test CA certificate as revoked. Certificate names are read via {@code PrincipalUtil}.
 */
private void testMalformedIndirect()
    throws Exception
{
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");
    store.load(new ByteArrayInputStream(testCAp12), "test".toCharArray());
    X509Certificate caCert = (X509Certificate) store.getCertificate("ca");
    PrivateKey caKey = (PrivateKey) store.getKey("ca", null);

    X500Name issuerOfCrl = X500Name.getInstance(PrincipalUtil.getSubjectX509Principal(caCert).getEncoded());
    X500Name issuerOfCert = X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(caCert).getEncoded());

    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerOfCrl, new Date());

    // Entry extensions only; no issuingDistributionPoint is added to the CRL
    ExtensionsGenerator entryExtensions = new ExtensionsGenerator();
    entryExtensions.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.cACompromise));
    entryExtensions.addExtension(Extension.certificateIssuer, true, new GeneralNames(new GeneralName(issuerOfCert)));
    crlBuilder.addCRLEntry(caCert.getSerialNumber(), new Date(), entryExtensions.generate());

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    signerBuilder.setProvider("BC");
    X509CRLHolder holder = crlBuilder.build(signerBuilder.build(caKey));

    JcaX509CRLConverter toJce = new JcaX509CRLConverter();
    toJce.setProvider("BC");
    X509CRL crl = toJce.getCRL(holder);
    crl.verify(caCert.getPublicKey());
    if (crl.isRevoked(caCert))
    {
        throw new Exception("Certificate should not be revoked");
    }
}