List of usage examples for java.security.cert Certificate getType
public final String getType()
From source file:org.ejbca.util.CertTools.java
/** * Checks if a certificate is a CA certificate according to BasicConstraints (X.509), or role (CVC). * If there is no basic constraints extension on a X.509 certificate, false is returned. * * @param cert the certificate that skall be checked. * * @return boolean true if the certificate belongs to a CA. *//*from www .jav a 2s.co m*/ public static boolean isCA(Certificate cert) { log.trace(">isCA"); boolean ret = false; if (cert instanceof X509Certificate) { X509Certificate x509cert = (X509Certificate) cert; if (x509cert.getBasicConstraints() > -1) { ret = true; } } else if (StringUtils.equals(cert.getType(), "CVC")) { CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert; try { CVCAuthorizationTemplate templ = cvccert.getCVCertificate().getCertificateBody() .getAuthorizationTemplate(); AuthorizationRoleEnum role = templ.getAuthorizationField().getRole(); if (role.equals(AuthorizationRoleEnum.CVCA) || role.equals(AuthorizationRoleEnum.DV_D) || role.equals(AuthorizationRoleEnum.DV_F)) { ret = true; } } catch (NoSuchFieldException e) { log.error("NoSuchFieldException: ", e); } } if (log.isTraceEnabled()) { log.trace("<isCA:" + ret); } return ret; }
From source file:org.ejbca.util.CertTools.java
public static Date getNotAfter(Certificate cert) { Date ret = null;//w w w.ja va 2 s . co m if (cert == null) { throw new IllegalArgumentException("getNotAfter: cert is null"); } if (cert instanceof X509Certificate) { X509Certificate xcert = (X509Certificate) cert; ret = xcert.getNotAfter(); } else if (StringUtils.equals(cert.getType(), "CVC")) { CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert; try { ret = cvccert.getCVCertificate().getCertificateBody().getValidTo(); } catch (NoSuchFieldException e) { // it is not uncommon that this field is missing in CVC certificate requests (it's not in the EAC standard so) log.debug("NoSuchFieldException: " + e.getMessage()); return null; } } return ret; }
From source file:org.ejbca.util.CertTools.java
/** * Checks that the given date is within the certificate's validity period. * In other words, this determines whether the certificate would be valid at the given date/time. * //w ww . ja v a 2 s . c o m * This utility class is only a helper to get the same behavior as the standard java.security.cert API regardless if using X.509 or CV Certificate. * * @param cert certificate to verify, if null the method returns immediately, null does not have a validity to check. * @param date the Date to check against to see if this certificate is valid at that date/time. * @throws NoSuchFieldException * @throws CertificateExpiredException - if the certificate has expired with respect to the date supplied. * @throws CertificateNotYetValidException - if the certificate is not yet valid with respect to the date supplied. * @see java.security.cert.X509Certificate#checkValidity(Date) */ public static void checkValidity(Certificate cert, Date date) throws CertificateExpiredException, CertificateNotYetValidException { if (cert != null) { if (cert instanceof X509Certificate) { X509Certificate xcert = (X509Certificate) cert; xcert.checkValidity(date); } else if (StringUtils.equals(cert.getType(), "CVC")) { CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert; try { Date start = cvccert.getCVCertificate().getCertificateBody().getValidFrom(); Date end = cvccert.getCVCertificate().getCertificateBody().getValidTo(); if (start.after(date)) { String msg = "Certificate startDate '" + start + "' is after check date '" + date + "'"; if (log.isTraceEnabled()) { log.trace(msg); } throw new CertificateNotYetValidException(msg); } if (end.before(date)) { String msg = "Certificate endDate '" + end + "' is before check date '" + date + "'"; if (log.isTraceEnabled()) { log.trace(msg); } throw new CertificateExpiredException(msg); } } catch (NoSuchFieldException e) { log.error("NoSuchFieldException: ", e); } } } }
From source file:org.ejbca.util.CertTools.java
/** Simple methods that returns the signature algorithm value from the certificate. Not usable for setting * signature algorithms names in EJBCA, only for human presentation. * //from w w w .j a va2 s . c om * @return Signature algorithm from the certificate as a human readable string, for example SHA1WithRSA. */ public static String getCertSignatureAlgorithmAsString(Certificate cert) { String certSignatureAlgorithm = null; if (cert instanceof X509Certificate) { X509Certificate x509cert = (X509Certificate) cert; certSignatureAlgorithm = x509cert.getSigAlgName(); if (log.isDebugEnabled()) { log.debug("certSignatureAlgorithm is: " + certSignatureAlgorithm); } } else if (StringUtils.equals(cert.getType(), "CVC")) { CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert; CVCPublicKey cvcpk; try { cvcpk = cvccert.getCVCertificate().getCertificateBody().getPublicKey(); OIDField oid = cvcpk.getObjectIdentifier(); certSignatureAlgorithm = AlgorithmUtil.getAlgorithmName(oid); } catch (NoSuchFieldException e) { log.error("NoSuchFieldException: ", e); } } // Try to make it easier to display some signature algorithms that cert.getSigAlgName() does not have a good string for. if (certSignatureAlgorithm.equalsIgnoreCase("1.2.840.113549.1.1.10")) { certSignatureAlgorithm = AlgorithmConstants.SIGALG_SHA256_WITH_RSA_AND_MGF1; } // SHA256WithECDSA does not work to be translated in JDK5. if (certSignatureAlgorithm.equalsIgnoreCase("1.2.840.10045.4.3.2")) { certSignatureAlgorithm = AlgorithmConstants.SIGALG_SHA256_WITH_ECDSA; } return certSignatureAlgorithm; }
From source file:org.ejbca.util.CertTools.java
/** * Dumps a certificate (cvc or x.509) to string format, suitable for manual inspection/debugging. * * @param cert Certificate// ww w . java 2 s. co m * * @return String with cvc or asn.1 dump. */ public static String dumpCertificateAsString(final Certificate cert) { String ret = null; if (cert instanceof X509Certificate) { try { final Certificate c = getCertfromByteArray(cert.getEncoded()); ret = c.toString(); // ASN1InputStream ais = new ASN1InputStream(new ByteArrayInputStream(cert.getEncoded())); // DERObject obj = ais.readObject(); // ret = ASN1Dump.dumpAsString(obj); } catch (CertificateException e) { ret = e.getMessage(); } } else if (StringUtils.equals(cert.getType(), "CVC")) { final CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert; final CVCObject obj = cvccert.getCVCertificate(); ret = obj.getAsText(""); } else { throw new IllegalArgumentException( "dumpCertificateAsString: Certificate of type " + cert.getType() + " is not implemented"); } return ret; }
From source file:org.cesecore.util.CertTools.java
/** * Method to create certificate path and to check it's validity from a list of certificates. The list of certificates should only contain one root * certificate./*from w w w.jav a2s.c o m*/ * * @param certlist * @return the certificatepath with the root CA at the end * @throws CertPathValidatorException if the certificate chain can not be constructed * @throws InvalidAlgorithmParameterException * @throws NoSuchProviderException * @throws NoSuchAlgorithmException * @throws CertificateException */ public static List<Certificate> createCertChain(Collection<?> certlistin) throws CertPathValidatorException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException, CertificateException { final List<Certificate> returnval = new ArrayList<Certificate>(); Collection<Certificate> certlist = orderCertificateChain(certlistin); // set certificate chain Certificate rootcert = null; ArrayList<Certificate> calist = new ArrayList<Certificate>(); for (Certificate next : certlist) { if (CertTools.isSelfSigned(next)) { rootcert = next; } else { calist.add(next); } } if (calist.isEmpty()) { // only one root cert, no certchain returnval.add(rootcert); } else { // We need a bit special handling for CV certificates because those can not be handled using a PKIX CertPathValidator Certificate test = calist.get(0); if (test.getType().equals("CVC")) { if (calist.size() == 1) { returnval.add(test); returnval.add(rootcert); } else { throw new CertPathValidatorException( "CVC certificate chain can not be of length longer than two."); } } else { // Normal X509 certificates HashSet<TrustAnchor> trustancors = new HashSet<TrustAnchor>(); TrustAnchor trustanchor = null; trustanchor = new TrustAnchor((X509Certificate) rootcert, null); trustancors.add(trustanchor); // Create the parameters for the validator PKIXParameters params = new PKIXParameters(trustancors); // Disable CRL checking since we are not supplying any CRLs params.setRevocationEnabled(false); params.setDate(new Date()); // Create the validator and validate the path CertPathValidator certPathValidator = CertPathValidator .getInstance(CertPathValidator.getDefaultType(), "BC"); CertificateFactory fact = CertTools.getCertificateFactory(); CertPath certpath = fact.generateCertPath(calist); CertPathValidatorResult result = certPathValidator.validate(certpath, params); // Get the certificates validate in the path PKIXCertPathValidatorResult pkixResult = (PKIXCertPathValidatorResult) result; returnval.addAll(certpath.getCertificates()); // Get the CA used to validate this path TrustAnchor ta = pkixResult.getTrustAnchor(); X509Certificate cert = ta.getTrustedCert(); returnval.add(cert); } } return returnval; }
From source file:org.ejbca.util.CertTools.java
/** * Gets subject or issuer DN in the format we are sure about (BouncyCastle),supporting UTF8. * * @param cert X509Certificate//from w ww. j a v a2s. com * @param which 1 = subjectDN, anything else = issuerDN * * @return String containing the DN. */ private static String getDN(Certificate cert, int which) { /*if (log.isTraceEnabled()) { log.trace(">getDN("+which+")"); }*/ String ret = null; if (cert == null) { return null; } if (cert instanceof X509Certificate) { // cert.getType=X.509 try { CertificateFactory cf = CertTools.getCertificateFactory(); X509Certificate x509cert = (X509Certificate) cf .generateCertificate(new ByteArrayInputStream(cert.getEncoded())); //log.debug("Created certificate of class: " + x509cert.getClass().getName()); String dn = null; if (which == 1) { dn = x509cert.getSubjectDN().toString(); } else { dn = x509cert.getIssuerDN().toString(); } ret = stringToBCDNString(dn); } catch (CertificateException ce) { log.info("Could not get DN from X509Certificate. " + ce.getMessage()); log.debug("", ce); return null; } } else if (StringUtils.equals(cert.getType(), "CVC")) { CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert; try { ReferenceField rf = null; if (which == 1) { rf = cvccert.getCVCertificate().getCertificateBody().getHolderReference(); } else { rf = cvccert.getCVCertificate().getCertificateBody().getAuthorityReference(); } if (rf != null) { // Construct a "fake" DN which can be used in EJBCA // Use only mnemonic and country, since sequence is more of a serialnumber than a DN part String dn = ""; // if (rf.getSequence() != null) { // dn += "SERIALNUMBER="+rf.getSequence(); // } if (rf.getMnemonic() != null) { if (StringUtils.isNotEmpty(dn)) { dn += ", "; } dn += "CN=" + rf.getMnemonic(); } if (rf.getCountry() != null) { if (StringUtils.isNotEmpty(dn)) { dn += ", "; } dn += "C=" + rf.getCountry(); } ret = stringToBCDNString(dn); } } catch (NoSuchFieldException e) { log.error("NoSuchFieldException: ", e); return null; } } /*if (log.isTraceEnabled()) { log.trace("<getDN("+which+"):"+dn); }*/ return ret; }
From source file:org.cesecore.util.CertTools.java
/** * Gets the signature value (the raw signature bits) from the certificate. For an X509 certificate this is the ASN.1 definition which is: * signature BIT STRING//ww w. ja va2 s.c o m * * @param cert Certificate * * @return byte[] containing the certificate signature bits, if cert is null a byte[] of size 0 is returned. */ public static byte[] getSignature(Certificate cert) { byte[] ret = null; if (cert == null) { ret = new byte[0]; } else { if (cert instanceof X509Certificate) { X509Certificate xcert = (X509Certificate) cert; ret = xcert.getSignature(); } else if (StringUtils.equals(cert.getType(), "CVC")) { CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert; try { ret = cvccert.getCVCertificate().getSignature(); } catch (NoSuchFieldException e) { log.error("NoSuchFieldException: ", e); return null; } } } return ret; }
From source file:org.cesecore.util.CertTools.java
/** * Gets Serial number of the certificate. * /*from w w w . j a v a 2 s .c o m*/ * @param cert Certificate * * @return BigInteger containing the certificate serial number. Can be 0 for CVC certificates with alphanumeric serial numbers if the sequence * does not contain any number characters at all. * @throws IllegalArgumentException if null input of certificate type is not handled */ public static BigInteger getSerialNumber(Certificate cert) { if (cert == null) { throw new IllegalArgumentException("Null input"); } BigInteger ret = null; if (cert instanceof X509Certificate) { X509Certificate xcert = (X509Certificate) cert; ret = xcert.getSerialNumber(); } else if (StringUtils.equals(cert.getType(), "CVC")) { // For CVC certificates the sequence field of the HolderReference is kind of a serial number, // but if can be alphanumeric which means it can not be made into a BigInteger CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert; try { String sequence = cvccert.getCVCertificate().getCertificateBody().getHolderReference() .getSequence(); ret = getSerialNumberFromString(sequence); } catch (NoSuchFieldException e) { log.error("getSerialNumber: NoSuchFieldException: ", e); ret = BigInteger.valueOf(0); } } else { throw new IllegalArgumentException( "getSerialNumber: Certificate of type " + cert.getType() + " is not implemented"); } return ret; }
From source file:org.cesecore.util.CertTools.java
public static Date getNotBefore(Certificate cert) { Date ret = null;/*from w ww . ja va 2s. c o m*/ if (cert == null) { throw new IllegalArgumentException("getNotBefore: cert is null"); } if (cert instanceof X509Certificate) { X509Certificate xcert = (X509Certificate) cert; ret = xcert.getNotBefore(); } else if (StringUtils.equals(cert.getType(), "CVC")) { CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert; try { ret = cvccert.getCVCertificate().getCertificateBody().getValidFrom(); } catch (NoSuchFieldException e) { // it is not uncommon that this field is missing in CVC certificate requests (it's not in the EAC standard so) log.debug("NoSuchFieldException: " + e.getMessage()); return null; } } return ret; }