List of usage examples for org.bouncycastle.asn1 DEROctetString getOctets
public byte[] getOctets()
From source file:net.sf.dsig.verify.X509CRLHelper.java
License:Apache License
/** * Retrieve the CRL URI distribution point from an X.509 certificate, using * the 2.5.29.31 extension value/* w w w . j ava 2s . c o m*/ * * @param certificate an {@link X509Certificate} object * @return a String containing the URI of the CRL distribution point, or * null if none can be found */ public static String getCRLDistributionPointUri(X509Certificate certificate) { byte[] derCdpBytes = certificate.getExtensionValue(OID_CRLDISTRIBUTIONPOINTS); if (derCdpBytes == null) { return null; } try { ASN1InputStream ais = new ASN1InputStream(derCdpBytes); DEROctetString dos = (DEROctetString) ais.readObject(); ais.close(); ais = new ASN1InputStream(dos.getOctets()); DERSequence seq = (DERSequence) ais.readObject(); ais.close(); CRLDistPoint cdp = new CRLDistPoint(seq); for (int i = 0; i < cdp.getDistributionPoints().length; i++) { DistributionPoint dp = cdp.getDistributionPoints()[i]; DistributionPointName dpn = dp.getDistributionPoint(); GeneralNames gns = (GeneralNames) dpn.getName(); for (int j = 0; j < gns.getNames().length; j++) { GeneralName gn = gns.getNames()[j]; if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) { return ((DERString) gn.getName()).getString(); } } } } catch (IOException e) { logger.warn("ASN.1 decoding failed; will fall back to default CRL DistributionPoint, if set"); } return null; }
From source file:net.sf.portecle.crypto.X509Ext.java
License:Open Source License
/** * Get Microsoft Previous CA Certificate Hash (1.3.6.1.4.1.311.21.2) extension value as a string. * //w w w . ja v a2 s. com * @see <a href="http://support.microsoft.com/?id=287547">Microsoft support</a> * @param bValue The octet string value * @return Extension value as a string * @throws IOException If an I/O problem occurs */ private String getMicrosoftPreviousCACertificateHashStringValue(byte[] bValue) throws IOException { DEROctetString derOctetStr = (DEROctetString) ASN1Primitive.fromByteArray(bValue); byte[] bKeyIdent = derOctetStr.getOctets(); return convertToHexString(bKeyIdent); }
From source file:org.apache.cxf.ws.security.sts.provider.cert.CRLVerifier.java
License:Apache License
/** * Extracts all CRL distribution point URLs from the * "CRL Distribution Point" extension in a X.509 certificate. If CRL * distribution point extension is unavailable, returns an empty list. */// w w w . j a v a2 s . c o m public static List<String> getCrlDistributionPoints(X509Certificate cert) throws CertificateParsingException, IOException { byte[] crldpExt = cert.getExtensionValue(X509Extensions.CRLDistributionPoints.getId()); if (crldpExt == null) { List<String> emptyList = new ArrayList<String>(); return emptyList; } ASN1InputStream oAsnInStream = new ASN1InputStream(new ByteArrayInputStream(crldpExt)); DERObject derObjCrlDP = oAsnInStream.readObject(); DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP; byte[] crldpExtOctets = dosCrlDP.getOctets(); ASN1InputStream oAsnInStream2 = new ASN1InputStream(new ByteArrayInputStream(crldpExtOctets)); DERObject derObj2 = oAsnInStream2.readObject(); CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2); List<String> crlUrls = new ArrayList<String>(); for (DistributionPoint dp : distPoint.getDistributionPoints()) { DistributionPointName dpn = dp.getDistributionPoint(); // Look for URIs in fullName if (dpn != null) { if (dpn.getType() == DistributionPointName.FULL_NAME) { GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); // Look for an URI for (int j = 0; j < genNames.length; j++) { if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) { String url = DERIA5String.getInstance(genNames[j].getName()).getString(); crlUrls.add(url); } } } } } return crlUrls; }
From source file:org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier.java
License:Apache License
/** * Extracts all CRL distribution point URLs from the "CRL Distribution Point" * extension in a X.509 certificate. If CRL distribution point extension is * unavailable, returns an empty list.//from w ww . j a v a2s . c o m */ private List<String> getCrlDistributionPoints(X509Certificate cert) throws CertificateVerificationException { //Gets the DER-encoded OCTET string for the extension value for CRLDistributionPoints byte[] crlDPExtensionValue = cert.getExtensionValue(X509Extensions.CRLDistributionPoints.getId()); if (crlDPExtensionValue == null) throw new CertificateVerificationException("Certificate doesn't have CRL Distribution points"); //crlDPExtensionValue is encoded in ASN.1 format. ASN1InputStream asn1In = new ASN1InputStream(crlDPExtensionValue); //DER (Distinguished Encoding Rules) is one of ASN.1 encoding rules defined in ITU-T X.690, 2002, specification. //ASN.1 encoding rules can be used to encode any data object into a binary file. Read the object in octets. CRLDistPoint distPoint; try { DEROctetString crlDEROctetString = (DEROctetString) asn1In.readObject(); //Get Input stream in octets ASN1InputStream asn1InOctets = new ASN1InputStream(crlDEROctetString.getOctets()); DERObject crlDERObject = asn1InOctets.readObject(); distPoint = CRLDistPoint.getInstance(crlDERObject); } catch (IOException e) { throw new CertificateVerificationException("Cannot read certificate to get CRL urls", e); } List<String> crlUrls = new ArrayList<String>(); //Loop through ASN1Encodable DistributionPoints for (DistributionPoint dp : distPoint.getDistributionPoints()) { //get ASN1Encodable DistributionPointName DistributionPointName dpn = dp.getDistributionPoint(); if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) { //Create ASN1Encodable General Names GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); // Look for a URI //todo: May be able to check for OCSP url specifically. for (GeneralName genName : genNames) { if (genName.getTagNo() == GeneralName.uniformResourceIdentifier) { //DERIA5String contains an ascii string. //A IA5String is a restricted character string type in the ASN.1 notation String url = DERIA5String.getInstance(genName.getName()).getString().trim(); crlUrls.add(url); } } } } if (crlUrls.isEmpty()) throw new CertificateVerificationException("Cant get CRL urls from certificate"); return crlUrls; }
From source file:org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier.java
License:Apache License
/** * Authority Information Access (AIA) is a non-critical extension in an X509 Certificate. This contains the * URL of the OCSP endpoint if one is available. * TODO: This might contain non OCSP urls as well. Handle this. * * @param cert is the certificate/*from w w w. j a v a 2 s . c o m*/ * @return a lit of URLs in AIA extension of the certificate which will hopefully contain an OCSP endpoint. * @throws CertificateVerificationException * */ private List<String> getAIALocations(X509Certificate cert) throws CertificateVerificationException { //Gets the DER-encoded OCTET string for the extension value for Authority information access Points byte[] aiaExtensionValue = cert.getExtensionValue(X509Extensions.AuthorityInfoAccess.getId()); if (aiaExtensionValue == null) throw new CertificateVerificationException( "Certificate Doesnt have Authority Information Access points"); //might have to pass an ByteArrayInputStream(aiaExtensionValue) ASN1InputStream asn1In = new ASN1InputStream(aiaExtensionValue); AuthorityInformationAccess authorityInformationAccess; try { DEROctetString aiaDEROctetString = (DEROctetString) (asn1In.readObject()); ASN1InputStream asn1Inoctets = new ASN1InputStream(aiaDEROctetString.getOctets()); ASN1Sequence aiaASN1Sequence = (ASN1Sequence) asn1Inoctets.readObject(); authorityInformationAccess = new AuthorityInformationAccess(aiaASN1Sequence); } catch (IOException e) { throw new CertificateVerificationException("Cannot read certificate to get OSCP urls", e); } List<String> ocspUrlList = new ArrayList<String>(); AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions(); for (AccessDescription accessDescription : accessDescriptions) { GeneralName gn = accessDescription.getAccessLocation(); if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) { DERIA5String str = DERIA5String.getInstance(gn.getName()); String accessLocation = str.getString(); ocspUrlList.add(accessLocation); } } if (ocspUrlList.isEmpty()) throw new CertificateVerificationException("Cant get OCSP urls from certificate"); return ocspUrlList; }
From source file:org.apache.synapse.transport.utils.sslcert.crl.CRLVerifier.java
License:Apache License
/** * Extracts all CRL distribution point URLs from the "CRL Distribution Point" * extension in a X.509 certificate. If CRL distribution point extension is * unavailable, returns an empty list.// www .j av a 2 s . c o m */ private List<String> getCrlDistributionPoints(X509Certificate cert) throws CertificateVerificationException { //Gets the DER-encoded OCTET string for the extension value for CRLDistributionPoints byte[] crlDPExtensionValue = cert.getExtensionValue(X509Extensions.CRLDistributionPoints.getId()); if (crlDPExtensionValue == null) throw new CertificateVerificationException("Certificate doesn't have CRL " + "distribution points"); //crlDPExtensionValue is encoded in ASN.1 format. ASN1InputStream asn1In = new ASN1InputStream(crlDPExtensionValue); // DER (Distinguished Encoding Rules) is one of ASN.1 encoding rules defined in ITU-T X.690, // 2002, specification. ASN.1 encoding rules can be used to encode any data object into a // binary file. Read the object in octets. CRLDistPoint distPoint; try { DEROctetString crlDEROctetString = (DEROctetString) asn1In.readObject(); //Get Input stream in octets ASN1InputStream asn1InOctets = new ASN1InputStream(crlDEROctetString.getOctets()); ASN1Primitive asn1Primitive = asn1InOctets.readObject(); distPoint = CRLDistPoint.getInstance(asn1Primitive); } catch (IOException e) { throw new CertificateVerificationException("Cannot read certificate to get CRL urls", e); } List<String> crlUrls = new ArrayList<String>(); //Loop through ASN1Encodable DistributionPoints for (DistributionPoint dp : distPoint.getDistributionPoints()) { //get ASN1Encodable DistributionPointName DistributionPointName dpn = dp.getDistributionPoint(); if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME) { //Create ASN1Encodable General Names GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames(); // Look for a URI //todo: May be able to check for OCSP url specifically. for (GeneralName genName : genNames) { if (genName.getTagNo() == GeneralName.uniformResourceIdentifier) { //DERIA5String contains an ascii string. //A IA5String is a restricted character string type in the ASN.1 notation String url = DERIA5String.getInstance(genName.getName()).getString().trim(); crlUrls.add(url); } } } } if (crlUrls.isEmpty()) { throw new CertificateVerificationException("Cant get CRL urls from certificate"); } return crlUrls; }
From source file:org.apache.synapse.transport.utils.sslcert.ocsp.OCSPVerifier.java
License:Apache License
/** * Authority Information Access (AIA) is a non-critical extension in an X509 Certificate. This contains the * URL of the OCSP endpoint if one is available. * TODO: This might contain non OCSP urls as well. Handle this. * * @param cert is the certificate//from w ww . j a va2 s .c o m * @return a lit of URLs in AIA extension of the certificate which will hopefully contain an OCSP endpoint. * @throws CertificateVerificationException * */ private List<String> getAIALocations(X509Certificate cert) throws CertificateVerificationException { //Gets the DER-encoded OCTET string for the extension value for Authority information access Points byte[] aiaExtensionValue = cert.getExtensionValue(X509Extensions.AuthorityInfoAccess.getId()); if (aiaExtensionValue == null) { throw new CertificateVerificationException( "Certificate doesn't have authority " + "information access points"); } //might have to pass an ByteArrayInputStream(aiaExtensionValue) ASN1InputStream asn1In = new ASN1InputStream(aiaExtensionValue); AuthorityInformationAccess authorityInformationAccess; try { DEROctetString aiaDEROctetString = (DEROctetString) (asn1In.readObject()); ASN1InputStream asn1InOctets = new ASN1InputStream(aiaDEROctetString.getOctets()); ASN1Sequence aiaASN1Sequence = (ASN1Sequence) asn1InOctets.readObject(); authorityInformationAccess = AuthorityInformationAccess.getInstance(aiaASN1Sequence); } catch (IOException e) { throw new CertificateVerificationException("Cannot read certificate to get OCSP URLs", e); } List<String> ocspUrlList = new ArrayList<String>(); AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions(); for (AccessDescription accessDescription : accessDescriptions) { GeneralName gn = accessDescription.getAccessLocation(); if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) { DERIA5String str = DERIA5String.getInstance(gn.getName()); String accessLocation = str.getString(); ocspUrlList.add(accessLocation); } } if (ocspUrlList.isEmpty()) { throw new CertificateVerificationException("Cant get OCSP urls from certificate"); } return ocspUrlList; }
From source file:org.aselect.authspserver.authsp.pki.PKIManager.java
License:Open Source License
/** * private Helper function for DER Decoding. <br> * <br>// w w w . j a v a 2s . com * * @param derObject * the der object * @return a DER object * @throws ASelectException * the a select exception */ private Vector getOctetValues(DERObject derObject) throws ASelectException { String sMethod = "getOctetValues(DERObject derObject)"; Vector vDerValues = new Vector(); if (derObject == null) { _systemLogger.log(Level.WARNING, MODULE, sMethod, "Supplied derObject is null"); throw new ASelectException(Errors.PKI_INTERNAL_SERVER_ERROR); } else if (derObject instanceof DERSequence) { Enumeration enumDerObjects = ((DERSequence) derObject).getObjects(); while (enumDerObjects.hasMoreElements()) { DERObject nestedDerObject = (DERObject) enumDerObjects.nextElement(); vDerValues.addAll(getOctetValues(nestedDerObject)); } } else if (derObject instanceof DERTaggedObject) { DERTaggedObject derTaggedObject = (DERTaggedObject) derObject; if (derTaggedObject.isExplicit() && !derTaggedObject.isEmpty()) { DERObject nestedDerObject = derTaggedObject.getObject(); vDerValues = getOctetValues(nestedDerObject); } else { DEROctetString derOctetString = (DEROctetString) derTaggedObject.getObject(); byte[] octetValue = derOctetString.getOctets(); vDerValues = new Vector(); vDerValues.add(octetValue); } } return vDerValues; }
From source file:org.candlepin.util.X509CRLStreamWriter.java
License:Open Source License
protected void writeToEmptyCrl(OutputStream out) throws IOException { ASN1InputStream asn1in = null; try {/* w w w. java 2s. c o m*/ asn1in = new ASN1InputStream(crlIn); DERSequence certListSeq = (DERSequence) asn1in.readObject(); CertificateList certList = new CertificateList(certListSeq); X509CRLHolder oldCrl = new X509CRLHolder(certList); X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(oldCrl.getIssuer(), new Date()); crlBuilder.addCRL(oldCrl); Date now = new Date(); Date oldNextUpdate = certList.getNextUpdate().getDate(); Date oldThisUpdate = certList.getThisUpdate().getDate(); Date nextUpdate = new Date(now.getTime() + (oldNextUpdate.getTime() - oldThisUpdate.getTime())); crlBuilder.setNextUpdate(nextUpdate); for (Object o : oldCrl.getExtensionOIDs()) { ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) o; X509Extension ext = oldCrl.getExtension(oid); if (oid.equals(X509Extension.cRLNumber)) { DEROctetString octet = (DEROctetString) ext.getValue().getDERObject(); DERInteger currentNumber = (DERInteger) DERTaggedObject.fromByteArray(octet.getOctets()); DERInteger nextNumber = new DERInteger(currentNumber.getValue().add(BigInteger.ONE)); crlBuilder.addExtension(oid, ext.isCritical(), nextNumber); } else if (oid.equals(X509Extension.authorityKeyIdentifier)) { crlBuilder.addExtension(oid, ext.isCritical(), new AuthorityKeyIdentifierStructure(ext.getValue().getDEREncoded())); } } for (DERSequence entry : newEntries) { // XXX: This is all a bit messy considering the user already passed in the serial, date // and reason. BigInteger serial = ((DERInteger) entry.getObjectAt(0)).getValue(); Date revokeDate = ((Time) entry.getObjectAt(1)).getDate(); int reason = CRLReason.unspecified; if (entry.size() == 3) { X509Extensions extensions = (X509Extensions) entry.getObjectAt(2); X509Extension reasonExt = extensions.getExtension(X509Extension.reasonCode); if (reasonExt != null) { reason = ((DEREnumerated) reasonExt.getParsedValue()).getValue().intValue(); } } crlBuilder.addCRLEntry(serial, revokeDate, reason); } RSAKeyParameters keyParams = new RSAKeyParameters(true, key.getModulus(), key.getPrivateExponent()); signingAlg = oldCrl.toASN1Structure().getSignatureAlgorithm(); digestAlg = new DefaultDigestAlgorithmIdentifierFinder().find(signingAlg); ContentSigner s; try { s = new BcRSAContentSignerBuilder(signingAlg, digestAlg).build(keyParams); X509CRLHolder newCrl = crlBuilder.build(s); out.write(newCrl.getEncoded()); } catch (OperatorCreationException e) { throw new IOException("Could not sign CRL", e); } } finally { IOUtils.closeQuietly(asn1in); } }
From source file:org.candlepin.util.X509CRLStreamWriter.java
License:Open Source License
/** * This method updates the crlNumber and authorityKeyIdentifier extensions. Any * other extensions are copied over unchanged. * @param extensions//w ww . jav a 2 s . c o m * @return * @throws IOException */ @SuppressWarnings("rawtypes") protected byte[] updateExtensions(byte[] obj) throws IOException { DERTaggedObject taggedExts = (DERTaggedObject) DERTaggedObject.fromByteArray(obj); DERSequence seq = (DERSequence) taggedExts.getObject(); ASN1EncodableVector modifiedExts = new ASN1EncodableVector(); // Now we need to read the extensions and find the CRL number and increment it, // and determine if its length changed. Enumeration objs = seq.getObjects(); while (objs.hasMoreElements()) { DERSequence ext = (DERSequence) objs.nextElement(); DERObjectIdentifier oid = (DERObjectIdentifier) ext.getObjectAt(0); if (X509Extension.cRLNumber.equals(oid)) { DEROctetString s = (DEROctetString) ext.getObjectAt(1); DERInteger i = (DERInteger) DERTaggedObject.fromByteArray(s.getOctets()); DERInteger newCrlNumber = new DERInteger(i.getValue().add(BigInteger.ONE)); X509Extension newNumberExt = new X509Extension(false, new DEROctetString(newCrlNumber.getDEREncoded())); ASN1EncodableVector crlNumber = new ASN1EncodableVector(); crlNumber.add(X509Extension.cRLNumber); crlNumber.add(newNumberExt.getValue()); modifiedExts.add(new DERSequence(crlNumber)); } else if (X509Extension.authorityKeyIdentifier.equals(oid)) { X509Extension newAuthorityKeyExt = new X509Extension(false, new DEROctetString(akiStructure.getDEREncoded())); ASN1EncodableVector aki = new ASN1EncodableVector(); aki.add(X509Extension.authorityKeyIdentifier); aki.add(newAuthorityKeyExt.getValue()); modifiedExts.add(new DERSequence(aki)); } else { modifiedExts.add(ext); } } DERSequence seqOut = new DERSequence(modifiedExts); DERTaggedObject out = new DERTaggedObject(true, 0, seqOut); return out.getDEREncoded(); }