List of usage examples for org.bouncycastle.asn1 DEROctetString getOctets
public byte[] getOctets()
From source file:be.fedict.eid.applet.service.signer.time.TSPTimeStampService.java
License:Open Source License
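/**
 * Extracts the keyIdentifier field of the certificate's AuthorityKeyIdentifier
 * extension.
 *
 * @param cert the certificate to inspect.
 * @return the raw key identifier octets, or {@code null} when the extension is
 *         absent.
 * @throws IOException when the extension value is not the expected DER OCTET
 *         STRING wrapping an AuthorityKeyIdentifier SEQUENCE.
 */
private byte[] getAuthorityKeyId(X509Certificate cert) throws IOException {
    byte[] extvalue = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
    if (extvalue == null) {
        return null;
    }
    // getExtensionValue() returns the extension's DER OCTET STRING wrapper; the
    // AuthorityKeyIdentifier structure is encoded inside it. Certificate data is
    // external input, so an unexpected encoding is reported as an IOException
    // instead of a ClassCastException escaping from the casts. Both streams are
    // backed by in-memory arrays, so there is no OS resource to release.
    Object wrapper = new ASN1InputStream(new ByteArrayInputStream(extvalue)).readObject();
    if (!(wrapper instanceof DEROctetString)) {
        throw new IOException("AuthorityKeyIdentifier extension value is not an OCTET STRING");
    }
    byte[] innerEncoding = ((DEROctetString) wrapper).getOctets();
    Object structure = new ASN1InputStream(new ByteArrayInputStream(innerEncoding)).readObject();
    if (!(structure instanceof ASN1Sequence)) {
        throw new IOException("AuthorityKeyIdentifier extension content is not a SEQUENCE");
    }
    AuthorityKeyIdentifier keyId = new AuthorityKeyIdentifier((ASN1Sequence) structure);
    return keyId.getKeyIdentifier();
}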
From source file:be.fedict.eid.dss.model.bean.TrustValidationServiceBean.java
License:Open Source License
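/**
 * Extracts the keyIdentifier field of the certificate's AuthorityKeyIdentifier
 * extension.
 * <p>
 * NOTE(review): the previous implementation handed the OCTET STRING content to
 * the {@code AuthorityKeyIdentifier(byte[])} constructor, which treats its
 * argument as the raw keyIdentifier, so the method returned the DER encoding of
 * the whole AuthorityKeyIdentifier structure rather than the identifier field.
 * The structure is now decoded as the sibling implementations do; confirm
 * callers expect the decoded keyIdentifier.
 *
 * @param cert the certificate to inspect.
 * @return the raw key identifier octets, or {@code null} when the extension is
 *         absent.
 * @throws IOException when the extension value is not the expected DER OCTET
 *         STRING wrapping an AuthorityKeyIdentifier SEQUENCE.
 */
private byte[] getAuthorityKeyId(X509Certificate cert) throws IOException {
    byte[] extvalue = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
    if (extvalue == null) {
        return null;
    }
    // getExtensionValue() returns the extension's DER OCTET STRING wrapper; the
    // AuthorityKeyIdentifier structure is encoded inside it. Certificate data is
    // external input, so an unexpected encoding is reported as an IOException
    // instead of a ClassCastException. Both streams are backed by in-memory
    // arrays, so there is no OS resource to release.
    Object wrapper = new ASN1InputStream(new ByteArrayInputStream(extvalue)).readObject();
    if (!(wrapper instanceof DEROctetString)) {
        throw new IOException("AuthorityKeyIdentifier extension value is not an OCTET STRING");
    }
    byte[] innerEncoding = ((DEROctetString) wrapper).getOctets();
    Object structure = new ASN1InputStream(new ByteArrayInputStream(innerEncoding)).readObject();
    if (!(structure instanceof ASN1Sequence)) {
        throw new IOException("AuthorityKeyIdentifier extension content is not a SEQUENCE");
    }
    AuthorityKeyIdentifier keyId = new AuthorityKeyIdentifier((ASN1Sequence) structure);
    return keyId.getKeyIdentifier();
}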
From source file:be.fedict.eid.pkira.crypto.csr.CSRInfo.java
License:Open Source License
/**
 * Returns the DNS subject alternative names requested by the CSR.
 *
 * @return the requested DNS names in CSR order; empty when the CSR carries no
 *         subject alternative name extension request.
 * @throws CryptoException when a requested name contains a wildcard, when a
 *         name of any type other than DNS is requested, or when the extension
 *         value cannot be decoded.
 */
public List<String> getSubjectAlternativeNames() throws CryptoException {
    List<String> dnsNames = new ArrayList<String>();
    ASN1Set csrAttributes = certificationRequest.getCertificationRequestInfo().getAttributes();
    for (DERSet extensionRequest : getElementsFromASN1Set(csrAttributes, CSR_EXTENSION_ATTRIBUTE_ID, DERSet.class)) {
        for (DEROctetString sanValue : getElementsFromASN1Set(extensionRequest,
                X509Extension.subjectAlternativeName, DEROctetString.class)) {
            GeneralNames generalNames;
            try {
                // the extension value octets hold the DER encoding of GeneralNames
                generalNames = GeneralNames.getInstance(ASN1Object.fromByteArray(sanValue.getOctets()));
            } catch (IOException e) {
                throw new CryptoException("Could not extract SAN value.", e);
            }
            for (GeneralName generalName : generalNames.getNames()) {
                switch (generalName.getTagNo()) {
                case GeneralName.dNSName:
                    String dnsName = generalName.getName().toString();
                    // a wildcard would let the requester claim a whole domain
                    if (dnsName.contains("*")) {
                        throw new CryptoException(
                                "Subject Alternative Names are not allowed to contain wildcards.");
                    }
                    dnsNames.add(dnsName);
                    break;
                default:
                    throw new CryptoException("Only Subject Alternative Name of type DNS is allowed in the CSR.");
                }
            }
        }
    }
    return dnsNames;
}
From source file:be.fedict.eid.tsl.Tsl2PdfExporter.java
License:Open Source License
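/**
 * Extracts the keyIdentifier field of the certificate's AuthorityKeyIdentifier
 * extension.
 *
 * @param cert the certificate to inspect.
 * @return the raw key identifier octets, or {@code null} when the extension is
 *         absent.
 * @throws IOException when the extension value is not the expected DER OCTET
 *         STRING wrapping an AuthorityKeyIdentifier SEQUENCE.
 */
private byte[] getAKId(final X509Certificate cert) throws IOException {
    final byte[] extValue = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
    if (extValue == null) {
        return null;
    }
    // getExtensionValue() returns the extension's DER OCTET STRING wrapper; the
    // AuthorityKeyIdentifier structure is encoded inside it. Certificate data is
    // external input, so an unexpected encoding is reported as an IOException
    // instead of a ClassCastException. Both streams are backed by in-memory
    // arrays, so there is no OS resource to release.
    final Object wrapper = new ASN1InputStream(new ByteArrayInputStream(extValue)).readObject();
    if (!(wrapper instanceof DEROctetString)) {
        throw new IOException("AuthorityKeyIdentifier extension value is not an OCTET STRING");
    }
    final byte[] innerEncoding = ((DEROctetString) wrapper).getOctets();
    final Object structure = new ASN1InputStream(new ByteArrayInputStream(innerEncoding)).readObject();
    if (!(structure instanceof ASN1Sequence)) {
        throw new IOException("AuthorityKeyIdentifier extension content is not a SEQUENCE");
    }
    final AuthorityKeyIdentifier keyId = new AuthorityKeyIdentifier((ASN1Sequence) structure);
    return keyId.getKeyIdentifier();
}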
From source file:be.fedict.eid.tsl.Tsl2PdfExporter.java
License:Open Source License
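/**
 * Reads the string values (distribution point URIs) out of the certificate's
 * CRLDistributionPoints extension.
 *
 * @param cert the certificate to inspect.
 * @return the values collected by {@link #getDERValue} from the decoded
 *         extension, or an empty list when the extension is absent.
 * @throws IOException when the extension value is not the expected DER OCTET
 *         STRING wrapping a DER structure.
 */
private static List<String> getCrlDistributionPoints(final X509Certificate cert) throws IOException {
    final byte[] extValue = cert.getExtensionValue(X509Extensions.CRLDistributionPoints.getId());
    if (extValue == null) {
        return Collections.emptyList();
    }
    // getExtensionValue() returns the extension's DER OCTET STRING wrapper; the
    // CRLDistributionPoints structure is encoded inside it. Certificate data is
    // external input, so an unexpected encoding is reported as an IOException
    // instead of a ClassCastException. Both streams are backed by in-memory
    // arrays, so there is no OS resource to release.
    final DERObject wrapper = new ASN1InputStream(new ByteArrayInputStream(extValue)).readObject();
    if (!(wrapper instanceof DEROctetString)) {
        throw new IOException("CRLDistributionPoints extension value is not an OCTET STRING");
    }
    final byte[] innerEncoding = ((DEROctetString) wrapper).getOctets();
    final DERObject distributionPoints = new ASN1InputStream(new ByteArrayInputStream(innerEncoding)).readObject();
    return getDERValue(distributionPoints);
}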
From source file:be.fedict.eid.tsl.Tsl2PdfExporter.java
License:Open Source License
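/**
 * Recursively collects the string values held in a DER structure.
 * <p>
 * A SEQUENCE yields the values of all its members; an explicitly tagged,
 * non-empty object yields the values of its content; any other tagged object is
 * taken to wrap an OCTET STRING whose bytes are returned as a single string.
 * Every other object (and a tagged object without OCTET STRING content) yields
 * {@code null}, which callers treat as "nothing collected".
 *
 * @param derObj the DER object to walk.
 * @return the collected values, or {@code null} when {@code derObj} holds no
 *         recognised string content.
 */
private static List<String> getDERValue(final DERObject derObj) {
    if (derObj instanceof DERSequence) {
        final List<String> collected = new LinkedList<String>();
        // getObjects() returns a raw Enumeration; elements are cast as they are read
        final Enumeration<?> members = ((DERSequence) derObj).getObjects();
        while (members.hasMoreElements()) {
            final List<String> memberValues = getDERValue((DERObject) members.nextElement());
            if (memberValues != null) {
                collected.addAll(memberValues);
            }
        }
        return collected;
    }
    if (derObj instanceof DERTaggedObject) {
        final DERTaggedObject tagged = (DERTaggedObject) derObj;
        if (tagged.isExplicit() && !tagged.isEmpty()) {
            return getDERValue(tagged.getObject());
        }
        final DERObject content = tagged.getObject();
        if (!(content instanceof DEROctetString)) {
            // empty or non-OCTET STRING content carries no string value; the data
            // comes from a certificate, so it is treated as "nothing found"
            // rather than letting a ClassCastException/NullPointerException escape
            return null;
        }
        // decode with a fixed charset rather than the platform default
        // (presumably an IA5String URI, which is plain ASCII either way)
        final String value = new String(((DEROctetString) content).getOctets(),
                java.nio.charset.Charset.forName("UTF-8"));
        return Collections.singletonList(value);
    }
    return null;
}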
From source file:be.fedict.trust.constraints.CertificatePoliciesCertificateConstraint.java
License:Open Source License
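/**
 * Checks that the certificate declares at least one of the accepted certificate
 * policy OIDs ({@code this.certificatePolicies}).
 *
 * @param certificate the certificate under validation.
 * @throws TrustLinkerResultException with CONSTRAINT_VIOLATION when the
 *         certificatePolicies extension is missing or malformed, or when none
 *         of its policy OIDs is accepted.
 */
@Override
public void check(X509Certificate certificate) throws TrustLinkerResultException, Exception {
    byte[] extensionValue = certificate.getExtensionValue(Extension.certificatePolicies.getId());
    if (null == extensionValue) {
        throw new TrustLinkerResultException(TrustLinkerResultReason.CONSTRAINT_VIOLATION,
                "missing certificate policies X509 extension");
    }
    // getExtensionValue() returns the extension's DER OCTET STRING wrapper; the
    // certificatePolicies SEQUENCE is encoded inside it. Certificate data is
    // external input, so an unexpected encoding fails the constraint instead of
    // letting a ClassCastException escape.
    Object wrapper = new ASN1InputStream(new ByteArrayInputStream(extensionValue)).readObject();
    if (!(wrapper instanceof DEROctetString)) {
        throw new TrustLinkerResultException(TrustLinkerResultReason.CONSTRAINT_VIOLATION,
                "malformed certificate policies X509 extension");
    }
    Object policies = new ASN1InputStream(((DEROctetString) wrapper).getOctets()).readObject();
    if (!(policies instanceof ASN1Sequence)) {
        throw new TrustLinkerResultException(TrustLinkerResultReason.CONSTRAINT_VIOLATION,
                "malformed certificate policies X509 extension");
    }
    Enumeration<?> certPoliciesEnum = ((ASN1Sequence) policies).getObjects();
    while (certPoliciesEnum.hasMoreElements()) {
        PolicyInformation policyInfo = PolicyInformation.getInstance(certPoliciesEnum.nextElement());
        ASN1ObjectIdentifier policyOid = policyInfo.getPolicyIdentifier();
        String policyId = policyOid.getId();
        LOG.debug("present policy OID: " + policyId);
        // the first accepted policy satisfies the constraint
        if (this.certificatePolicies.contains(policyId)) {
            LOG.debug("matching certificate policy OID: " + policyId);
            return;
        }
    }
    throw new TrustLinkerResultException(TrustLinkerResultReason.CONSTRAINT_VIOLATION,
            "required policy OID not present");
}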
From source file:be.fedict.trust.constraints.QCStatementsCertificateConstraint.java
License:Open Source License
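/**
 * Checks the certificate's QCStatements extension against the configured
 * QcCompliance and QcSSCD filters; a {@code null} filter means "don't care".
 *
 * @param certificate the certificate under validation.
 * @throws TrustLinkerResultException with CONSTRAINT_VIOLATION when the
 *         QCStatements extension is missing or malformed, or when the presence
 *         of the QcCompliance / QcSSCD statement differs from a configured
 *         filter.
 */
@Override
public void check(X509Certificate certificate) throws TrustLinkerResultException, Exception {
    byte[] extensionValue = certificate.getExtensionValue(Extension.qCStatements.getId());
    if (null == extensionValue) {
        throw new TrustLinkerResultException(TrustLinkerResultReason.CONSTRAINT_VIOLATION,
                "missing QCStatements extension");
    }
    // getExtensionValue() returns the extension's DER OCTET STRING wrapper; the
    // QCStatements SEQUENCE is encoded inside it. Certificate data is external
    // input, so an unexpected encoding fails the constraint instead of letting a
    // ClassCastException escape.
    Object wrapper = new ASN1InputStream(new ByteArrayInputStream(extensionValue)).readObject();
    if (!(wrapper instanceof DEROctetString)) {
        throw new TrustLinkerResultException(TrustLinkerResultReason.CONSTRAINT_VIOLATION,
                "malformed QCStatements extension");
    }
    Object statements = new ASN1InputStream(((DEROctetString) wrapper).getOctets()).readObject();
    if (!(statements instanceof ASN1Sequence)) {
        throw new TrustLinkerResultException(TrustLinkerResultReason.CONSTRAINT_VIOLATION,
                "malformed QCStatements extension");
    }
    boolean qcCompliance = false;
    boolean qcSSCD = false;
    Enumeration<?> qcStatementEnum = ((ASN1Sequence) statements).getObjects();
    while (qcStatementEnum.hasMoreElements()) {
        QCStatement qcStatement = QCStatement.getInstance(qcStatementEnum.nextElement());
        ASN1ObjectIdentifier statementId = qcStatement.getStatementId();
        LOG.debug("statement Id: " + statementId.getId());
        if (QCStatement.id_etsi_qcs_QcCompliance.equals(statementId)) {
            qcCompliance = true;
        }
        if (QCStatement.id_etsi_qcs_QcSSCD.equals(statementId)) {
            qcSSCD = true;
        }
    }
    if (null != this.qcComplianceFilter && this.qcComplianceFilter.booleanValue() != qcCompliance) {
        LOG.error("qcCompliance QCStatements error");
        throw new TrustLinkerResultException(TrustLinkerResultReason.CONSTRAINT_VIOLATION,
                "QCStatements not matching");
    }
    if (null != this.qcSSCDFilter && this.qcSSCDFilter.booleanValue() != qcSSCD) {
        LOG.error("qcSSCD QCStatements error");
        throw new TrustLinkerResultException(TrustLinkerResultReason.CONSTRAINT_VIOLATION,
                "QCStatements not matching");
    }
}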
From source file:be.fedict.trust.crl.CrlTrustLinker.java
License:Open Source License
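/**
 * Checks the child certificate's revocation status against the CRL published
 * at the URI found in the certificate, recording the CRL in
 * {@code revocationData} when one is supplied.
 *
 * @param childCertificate the certificate whose status is checked.
 * @param certificate the issuing certificate, used to locate and verify the CRL.
 * @param validationDate the instant at which the status is evaluated.
 * @param revocationData optional collector for the CRL used; may be {@code null}.
 * @param algorithmPolicy policy that vets the CRL's signature algorithm.
 * @return {@code TRUSTED} when the CRL does not list the certificate, or lists
 *         it with a revocation date after {@code validationDate};
 *         {@code UNDECIDED} when no usable CRL is available (no URI, CRL not
 *         found, integrity check failed, indirect CRL).
 * @throws TrustLinkerResultException INVALID_REVOCATION_STATUS when the
 *         certificate is revoked or suspended; UNSPECIFIED when the CRL cannot
 *         be encoded or the entry's reasonCode cannot be decoded.
 * @throws Exception propagated from the algorithm policy check.
 */
@Override
public TrustLinkerResult hasTrustLink(X509Certificate childCertificate, X509Certificate certificate,
        Date validationDate, RevocationData revocationData, AlgorithmPolicy algorithmPolicy)
        throws TrustLinkerResultException, Exception {
    URI crlUri = getCrlUri(childCertificate);
    if (null == crlUri) {
        LOG.debug("no CRL uri in certificate: " + childCertificate.getSubjectX500Principal());
        return TrustLinkerResult.UNDECIDED;
    }
    LOG.debug("CRL URI: " + crlUri);
    X509CRL x509crl = this.crlRepository.findCrl(crlUri, certificate, validationDate);
    if (null == x509crl) {
        LOG.debug("CRL not found");
        return TrustLinkerResult.UNDECIDED;
    }
    // the CRL's own integrity must hold before any of its content is relied on
    boolean crlIntegrityResult = checkCrlIntegrity(x509crl, certificate, validationDate);
    if (false == crlIntegrityResult) {
        LOG.debug("CRL integrity check failed");
        return TrustLinkerResult.UNDECIDED;
    }
    // check CRL signature algorithm
    algorithmPolicy.checkSignatureAlgorithm(x509crl.getSigAlgOID(), validationDate);
    // we don't support indirect CRLs
    if (isIndirectCRL(x509crl)) {
        LOG.debug("indirect CRL detected");
        return TrustLinkerResult.UNDECIDED;
    }
    LOG.debug("CRL number: " + getCrlNumber(x509crl));
    // fill up revocation data if not null with this valid CRL
    if (null != revocationData) {
        addCrlRevocationData(x509crl, crlUri, revocationData);
    }
    X509CRLEntry crlEntry = x509crl.getRevokedCertificate(childCertificate.getSerialNumber());
    if (null == crlEntry) {
        LOG.debug("CRL OK for: " + childCertificate.getSubjectX500Principal());
        return TrustLinkerResult.TRUSTED;
    }
    if (crlEntry.getRevocationDate().after(validationDate)) {
        // listed, but only revoked after the instant being validated
        LOG.debug("CRL OK for: " + childCertificate.getSubjectX500Principal() + " at " + validationDate);
        return TrustLinkerResult.TRUSTED;
    }
    LOG.debug("certificate revoked/suspended at: " + crlEntry.getRevocationDate());
    if (crlEntry.hasExtensions()) {
        LOG.debug("critical extensions: " + crlEntry.getCriticalExtensionOIDs());
        LOG.debug("non-critical extensions: " + crlEntry.getNonCriticalExtensionOIDs());
        checkCrlEntryReasonCode(crlEntry);
    }
    throw new TrustLinkerResultException(TrustLinkerResultReason.INVALID_REVOCATION_STATUS,
            "certificate revoked by CRL=" + crlEntry.getSerialNumber());
}

/** Adds the CRL's DER encoding and source URI to the collected revocation data. */
private void addCrlRevocationData(X509CRL x509crl, URI crlUri, RevocationData revocationData)
        throws TrustLinkerResultException {
    try {
        CRLRevocationData crlRevocationData = new CRLRevocationData(x509crl.getEncoded(), crlUri.toString());
        revocationData.getCrlRevocationData().add(crlRevocationData);
    } catch (CRLException e) {
        LOG.error("CRLException: " + e.getMessage(), e);
        throw new TrustLinkerResultException(TrustLinkerResultReason.UNSPECIFIED,
                "CRLException : " + e.getMessage(), e);
    }
}

/**
 * Inspects the reasonCode extension of a CRL entry: a certificateHold reason is
 * reported as a suspension, any other reason is only logged, and an absent
 * extension is ignored.
 *
 * @param crlEntry the CRL entry for the certificate under validation.
 * @throws TrustLinkerResultException INVALID_REVOCATION_STATUS for
 *         certificateHold; UNSPECIFIED when the extension cannot be decoded.
 */
private void checkCrlEntryReasonCode(X509CRLEntry crlEntry) throws TrustLinkerResultException {
    byte[] reasonCodeExtension = crlEntry.getExtensionValue(Extension.reasonCode.getId());
    if (null == reasonCodeExtension) {
        return;
    }
    try {
        // getExtensionValue() returns the DER OCTET STRING wrapper; the ENUMERATED
        // reason is encoded inside it. CRL content is external input, so an
        // unexpected encoding is reported through the IOException path instead
        // of a ClassCastException.
        Object wrapper = new ASN1InputStream(new ByteArrayInputStream(reasonCodeExtension)).readObject();
        if (!(wrapper instanceof DEROctetString)) {
            throw new IOException("reasonCode extension value is not an OCTET STRING");
        }
        byte[] octets = ((DEROctetString) wrapper).getOctets();
        CRLReason crlReason = CRLReason
                .getInstance(ASN1Enumerated.getInstance(new ASN1InputStream(octets).readObject()));
        BigInteger crlReasonValue = crlReason.getValue();
        LOG.debug("CRL reason value: " + crlReasonValue);
        if (crlReasonValue.intValue() == CRLReason.certificateHold) {
            throw new TrustLinkerResultException(TrustLinkerResultReason.INVALID_REVOCATION_STATUS,
                    "certificate suspended by CRL=" + crlEntry.getSerialNumber());
        }
    } catch (IOException e) {
        throw new TrustLinkerResultException(TrustLinkerResultReason.UNSPECIFIED,
                "IO error: " + e.getMessage(), e);
    }
}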
From source file:be.fedict.trust.crl.CrlTrustLinker.java
License:Open Source License
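/**
 * Gives back the CRL URI meta-data found within the given X509 certificate.
 * <p>
 * Only full-name distribution points carrying a URI that starts with
 * {@code http} are considered; the first such URI, in extension order, is
 * returned.
 *
 * @param certificate
 *            the X509 certificate.
 * @return the CRL URI, or <code>null</code> if the extension is not
 *         present or holds no usable URI.
 * @throws RuntimeException
 *             when the extension value cannot be decoded.
 */
public static URI getCrlUri(X509Certificate certificate) {
    byte[] crlDistributionPointsValue = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
    if (null == crlDistributionPointsValue) {
        return null;
    }
    ASN1Sequence seq;
    try {
        // getExtensionValue() returns the extension's DER OCTET STRING wrapper;
        // the CRLDistPoint SEQUENCE is encoded inside it. Certificate data is
        // external input, so an unexpected encoding is reported through the
        // IOException path instead of a ClassCastException escaping the block.
        Object wrapper = new ASN1InputStream(new ByteArrayInputStream(crlDistributionPointsValue)).readObject();
        if (!(wrapper instanceof DEROctetString)) {
            throw new IOException("CRL distribution points extension value is not an OCTET STRING");
        }
        Object content = new ASN1InputStream(((DEROctetString) wrapper).getOctets()).readObject();
        if (!(content instanceof ASN1Sequence)) {
            throw new IOException("CRL distribution points extension content is not a SEQUENCE");
        }
        seq = (ASN1Sequence) content;
    } catch (IOException e) {
        throw new RuntimeException("IO error: " + e.getMessage(), e);
    }
    CRLDistPoint distPoint = CRLDistPoint.getInstance(seq);
    DistributionPoint[] distributionPoints = distPoint.getDistributionPoints();
    for (DistributionPoint distributionPoint : distributionPoints) {
        DistributionPointName distributionPointName = distributionPoint.getDistributionPoint();
        // the distributionPoint name is OPTIONAL in RFC 5280 and comes back as
        // null when absent; such points carry no URI to read
        if (null == distributionPointName
                || DistributionPointName.FULL_NAME != distributionPointName.getType()) {
            continue;
        }
        GeneralNames generalNames = (GeneralNames) distributionPointName.getName();
        GeneralName[] names = generalNames.getNames();
        for (GeneralName name : names) {
            if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
                LOG.debug("not a uniform resource identifier");
                continue;
            }
            DERIA5String derStr = DERIA5String.getInstance(name.getName());
            String str = derStr.getString();
            // skip ldap:// and other non-HTTP(S) protocols; this is a plain prefix
            // check, so any scheme starting with "http" passes
            if (false == str.startsWith("http")) {
                LOG.debug("not HTTP/HTTPS: " + str);
                continue;
            }
            return toURI(str);
        }
    }
    return null;
}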