List of usage examples for org.bouncycastle.asn1.x509 AccessDescription AccessDescription
public AccessDescription(ASN1ObjectIdentifier oid, GeneralName location)
From source file:com.aqnote.shared.cryptology.cert.gen.CertGenerator.java
License:Open Source License
private void addAuthorityInfoAccess(X509v3CertificateBuilder certBuilder) throws CertIOException { ASN1EncodableVector aia_ASN = new ASN1EncodableVector(); GeneralName crlName = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(CertConstant.MAD_CA_URL)); AccessDescription caIssuers = new AccessDescription(AccessDescription.id_ad_caIssuers, crlName); GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(CertConstant.MAD_OCSP_URL)); AccessDescription ocsp = new AccessDescription(AccessDescription.id_ad_ocsp, ocspName); aia_ASN.add(caIssuers);/*from w ww . j av a2s . co m*/ aia_ASN.add(ocsp); certBuilder.addExtension(Extension.authorityInfoAccess, false, new DERSequence(aia_ASN)); }
From source file:com.aqnote.shared.encrypt.cert.gen.BCCertGenerator.java
License:Open Source License
private static void addAuthorityInfoAccess(X509v3CertificateBuilder certBuilder) throws CertIOException { ASN1EncodableVector aia_ASN = new ASN1EncodableVector(); GeneralName crlName = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(CertConstant.MAD_CA_URL)); AccessDescription caIssuers = new AccessDescription(AccessDescription.id_ad_caIssuers, crlName); GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(CertConstant.MAD_OCSP_URL)); AccessDescription ocsp = new AccessDescription(AccessDescription.id_ad_ocsp, ocspName); aia_ASN.add(caIssuers);/*from ww w.j ava 2 s . co m*/ aia_ASN.add(ocsp); certBuilder.addExtension(Extension.authorityInfoAccess, false, new DERSequence(aia_ASN)); }
From source file:com.otterca.common.crypto.X509CertificateBuilderImpl.java
License:Apache License
/** * Set Authority Information Access (RFC5280 4.2.2) *//* ww w . j a v a2 s. c om*/ protected void setAuthorityInfoAccess() { if (!ocspLocations.isEmpty() || !caIssuersLocations.isEmpty()) { ASN1Encodable[] values = new ASN1Encodable[ocspLocations.size() + caIssuersLocations.size()]; // add OCSP locations for (int i = 0; i < ocspLocations.size(); i++) { values[i] = new AccessDescription(AccessDescription.id_ad_ocsp, ocspLocations.get(i)); } // add CA Issuers locations int offset = ocspLocations.size(); for (int i = 0; i < caIssuersLocations.size(); i++) { values[i + offset] = new AccessDescription(AccessDescription.id_ad_caIssuers, caIssuersLocations.get(i)); } DERSequence seq = new DERSequence(values); generator.addExtension(X509Extensions.AuthorityInfoAccess, false, seq); } }
From source file:com.otterca.common.crypto.X509CertificateBuilderImpl.java
License:Apache License
/** * Set Subject Information Access (RFC5280 4.2.3) *//*from www .j a v a2 s. c o m*/ protected void setSubjectInfoAccess() { if (!caRepositories.isEmpty() || !timestamping.isEmpty()) { ASN1Encodable[] values = new ASN1Encodable[caRepositories.size() + timestamping.size()]; // add CA Repositories for (int i = 0; i < caRepositories.size(); i++) { values[i] = new AccessDescription(id_ad_caRepositories, caRepositories.get(i)); } // add TimeStamping locations. int offset = caRepositories.size(); for (int i = 0; i < timestamping.size(); i++) { values[i + offset] = new AccessDescription(id_ad_timeStamping, timestamping.get(i)); } DERSequence seq = new DERSequence(values); generator.addExtension(X509Extensions.SubjectInfoAccess, false, seq); } }
From source file:net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor.java
License:BSD License
private AccessDescription toAccessDescription() { return new AccessDescription(getMethod(), new GeneralName(GeneralName.uniformResourceIdentifier, location.toString())); }
From source file:net.sf.keystore_explorer.gui.crypto.accessdescription.DAccessDescriptionChooser.java
License:Open Source License
private void okPressed() { ASN1ObjectIdentifier accessMethod = joiAccessMethod.getObjectId(); if (accessMethod == null) { JOptionPane.showMessageDialog(this, res.getString("DAccessDescriptionChooser.AccessMethodValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE); return;/*from w ww . j a va 2s. c om*/ } GeneralName accessLocation = jgnAccessLocation.getGeneralName(); if (accessLocation == null) { JOptionPane.showMessageDialog(this, res.getString("DAccessDescriptionChooser.AccessLocationValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE); return; } accessDescription = new AccessDescription(accessMethod, accessLocation); closeDialog(); }
From source file:org.cesecore.certificates.ca.X509CA.java
License:Open Source License
/** * Generate a CRL or a deltaCRL/* w ww . ja v a 2s . c om*/ * * @param certs * list of revoked certificates * @param crlnumber * CRLNumber for this CRL * @param isDeltaCRL * true if we should generate a DeltaCRL * @param basecrlnumber * caseCRLNumber for a delta CRL, use 0 for full CRLs * @param certProfile * certificate profile for CRL Distribution point in the CRL, or null * @return CRL * @throws CryptoTokenOfflineException * @throws IllegalCryptoTokenException * @throws IOException * @throws SignatureException * @throws NoSuchProviderException * @throws InvalidKeyException * @throws CRLException * @throws NoSuchAlgorithmException */ private X509CRLHolder generateCRL(CryptoToken cryptoToken, Collection<RevokedCertInfo> certs, long crlPeriod, int crlnumber, boolean isDeltaCRL, int basecrlnumber) throws CryptoTokenOfflineException, IllegalCryptoTokenException, IOException, SignatureException, NoSuchProviderException, InvalidKeyException, CRLException, NoSuchAlgorithmException { final String sigAlg = getCAInfo().getCAToken().getSignatureAlgorithm(); if (log.isDebugEnabled()) { log.debug("generateCRL(" + certs.size() + ", " + crlPeriod + ", " + crlnumber + ", " + isDeltaCRL + ", " + basecrlnumber); } // Make DNs final X509Certificate cacert = (X509Certificate) getCACertificate(); final X500Name issuer; if (cacert == null) { // This is an initial root CA, since no CA-certificate exists // (I don't think we can ever get here!!!) final X500NameStyle nameStyle; if (getUsePrintableStringSubjectDN()) { nameStyle = PrintableStringNameStyle.INSTANCE; } else { nameStyle = CeSecoreNameStyle.INSTANCE; } issuer = CertTools.stringToBcX500Name(getSubjectDN(), nameStyle, getUseLdapDNOrder()); } else { issuer = X500Name.getInstance(cacert.getSubjectX500Principal().getEncoded()); } final Date thisUpdate = new Date(); final Date nextUpdate = new Date(); nextUpdate.setTime(nextUpdate.getTime() + crlPeriod); final X509v2CRLBuilder crlgen = new X509v2CRLBuilder(issuer, thisUpdate); crlgen.setNextUpdate(nextUpdate); if (certs != null) { if (log.isDebugEnabled()) { log.debug("Adding " + certs.size() + " revoked certificates to CRL. Free memory=" + Runtime.getRuntime().freeMemory()); } final Iterator<RevokedCertInfo> it = certs.iterator(); while (it.hasNext()) { final RevokedCertInfo certinfo = (RevokedCertInfo) it.next(); crlgen.addCRLEntry(certinfo.getUserCertificate(), certinfo.getRevocationDate(), certinfo.getReason()); } if (log.isDebugEnabled()) { log.debug("Finished adding " + certs.size() + " revoked certificates to CRL. Free memory=" + Runtime.getRuntime().freeMemory()); } } // Authority key identifier if (getUseAuthorityKeyIdentifier() == true) { byte[] caSkid = (cacert != null ? CertTools.getSubjectKeyId(cacert) : null); if (caSkid != null) { // Use subject key id from CA certificate AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(caSkid); crlgen.addExtension(Extension.authorityKeyIdentifier, getAuthorityKeyIdentifierCritical(), aki); } else { // Generate from SHA1 of public key ASN1InputStream asn1InputStream = new ASN1InputStream(new ByteArrayInputStream(cryptoToken .getPublicKey(getCAToken().getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CRLSIGN)) .getEncoded())); try { SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo( (ASN1Sequence) asn1InputStream.readObject()); AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki); crlgen.addExtension(Extension.authorityKeyIdentifier, getAuthorityKeyIdentifierCritical(), aki); } finally { asn1InputStream.close(); } } } // Authority Information Access final ASN1EncodableVector accessList = new ASN1EncodableVector(); if (getAuthorityInformationAccess() != null) { for (String url : getAuthorityInformationAccess()) { if (StringUtils.isNotEmpty(url)) { GeneralName accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_caIssuers, accessLocation)); } } } if (accessList.size() > 0) { AuthorityInformationAccess authorityInformationAccess = AuthorityInformationAccess .getInstance(new DERSequence(accessList)); // "This CRL extension MUST NOT be marked critical." according to rfc4325 crlgen.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess); } // CRLNumber extension if (getUseCRLNumber() == true) { CRLNumber crlnum = new CRLNumber(BigInteger.valueOf(crlnumber)); crlgen.addExtension(Extension.cRLNumber, this.getCRLNumberCritical(), crlnum); } if (isDeltaCRL) { // DeltaCRLIndicator extension CRLNumber basecrlnum = new CRLNumber(BigInteger.valueOf(basecrlnumber)); crlgen.addExtension(Extension.deltaCRLIndicator, true, basecrlnum); } // CRL Distribution point URI and Freshest CRL DP if (getUseCrlDistributionPointOnCrl()) { String crldistpoint = getDefaultCRLDistPoint(); List<DistributionPoint> distpoints = generateDistributionPoints(crldistpoint); if (distpoints.size() > 0) { IssuingDistributionPoint idp = new IssuingDistributionPoint( distpoints.get(0).getDistributionPoint(), false, false, null, false, false); // According to the RFC, IDP must be a critical extension. // Nonetheless, at the moment, Mozilla is not able to correctly // handle the IDP extension and discards the CRL if it is critical. crlgen.addExtension(Extension.issuingDistributionPoint, getCrlDistributionPointOnCrlCritical(), idp); } if (!isDeltaCRL) { String crlFreshestDP = getCADefinedFreshestCRL(); List<DistributionPoint> freshestDistPoints = generateDistributionPoints(crlFreshestDP); if (freshestDistPoints.size() > 0) { CRLDistPoint ext = new CRLDistPoint((DistributionPoint[]) freshestDistPoints .toArray(new DistributionPoint[freshestDistPoints.size()])); // According to the RFC, the Freshest CRL extension on a // CRL must not be marked as critical. Therefore it is // hardcoded as not critical and is independent of // getCrlDistributionPointOnCrlCritical(). crlgen.addExtension(Extension.freshestCRL, false, ext); } } } final X509CRLHolder crl; if (log.isDebugEnabled()) { log.debug("Signing CRL. Free memory=" + Runtime.getRuntime().freeMemory()); } final String alias = getCAToken().getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CRLSIGN); try { final ContentSigner signer = new BufferingContentSigner(new JcaContentSignerBuilder(sigAlg) .setProvider(cryptoToken.getSignProviderName()).build(cryptoToken.getPrivateKey(alias)), 20480); crl = crlgen.build(signer); } catch (OperatorCreationException e) { // Very fatal error throw new RuntimeException("Can not create Jca content signer: ", e); } if (log.isDebugEnabled()) { log.debug("Finished signing CRL. Free memory=" + Runtime.getRuntime().freeMemory()); } // Verify using the CA certificate before returning // If we can not verify the issued CRL using the CA certificate we don't want to issue this CRL // because something is wrong... final PublicKey verifyKey; if (cacert != null) { verifyKey = cacert.getPublicKey(); if (log.isTraceEnabled()) { log.trace("Got the verify key from the CA certificate."); } } else { verifyKey = cryptoToken.getPublicKey(alias); if (log.isTraceEnabled()) { log.trace("Got the verify key from the CA token."); } } try { final ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder().build(verifyKey); if (!crl.isSignatureValid(verifier)) { throw new SignatureException("Error verifying CRL to be returned."); } } catch (OperatorCreationException e) { // Very fatal error throw new RuntimeException("Can not create Jca content signer: ", e); } catch (CertException e) { throw new SignatureException(e.getMessage(), e); } if (log.isDebugEnabled()) { log.debug("Returning CRL. Free memory=" + Runtime.getRuntime().freeMemory()); } return crl; }
From source file:org.cesecore.certificates.certificate.certextensions.standard.AuthorityInformationAccess.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) throws CertificateExtensionException { final ASN1EncodableVector accessList = new ASN1EncodableVector(); GeneralName accessLocation;// ww w .j a v a2 s . c om String url; // caIssuers final List<String> caIssuers = certProfile.getCaIssuers(); if (caIssuers != null) { for (final Iterator<String> it = caIssuers.iterator(); it.hasNext();) { url = it.next(); if (StringUtils.isNotEmpty(url)) { accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_caIssuers, accessLocation)); } } } // ocsp url final X509CA x509ca = (X509CA) ca; url = certProfile.getOCSPServiceLocatorURI(); if (certProfile.getUseDefaultOCSPServiceLocator()) { url = x509ca.getDefaultOCSPServiceLocator(); } if (StringUtils.isNotEmpty(url)) { accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_ocsp, accessLocation)); } org.bouncycastle.asn1.x509.AuthorityInformationAccess ret = null; if (accessList.size() > 0) { ret = org.bouncycastle.asn1.x509.AuthorityInformationAccess.getInstance(new DERSequence(accessList)); } if (ret == null) { log.error("AuthorityInformationAccess is used, but nor caIssuers not Ocsp url are defined!"); } return ret; }
From source file:org.cryptacular.x509.ExtensionReaderTest.java
License:Open Source License
@DataProvider(name = "authority-information-access") public Object[][] getAuthorityInformationAccess() { return new Object[][] { new Object[] { CertUtil.readCertificate(CRT_PATH + "login.live.com.crt"), new AccessDescription[] { new AccessDescription(AccessDescription.id_ad_ocsp, uri("http://EVSecure-ocsp.verisign.com")), new AccessDescription(AccessDescription.id_ad_caIssuers, uri("http://EVSecure-aia.verisign.com/EVSecure2006.cer")), }, }, }; }
From source file:org.ejbca.core.model.ca.certextensions.standard.AuthorityInformationAccess.java
License:Open Source License
@Override public DEREncodable getValue(final UserDataVO subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey) throws CertificateExtentionConfigurationException, CertificateExtensionException { final ASN1EncodableVector accessList = new ASN1EncodableVector(); GeneralName accessLocation;/*from w ww .j av a 2s . c o m*/ String url; // caIssuers final List<String> caIssuers = certProfile.getCaIssuers(); if (caIssuers != null) { for (final Iterator<String> it = caIssuers.iterator(); it.hasNext();) { url = it.next(); if (StringUtils.isNotEmpty(url)) { accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_caIssuers, accessLocation)); } } } // ocsp url final X509CA x509ca = (X509CA) ca; url = certProfile.getOCSPServiceLocatorURI(); if (certProfile.getUseDefaultOCSPServiceLocator()) { url = x509ca.getDefaultOCSPServiceLocator(); } if (StringUtils.isNotEmpty(url)) { accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_ocsp, accessLocation)); } org.bouncycastle.asn1.x509.AuthorityInformationAccess ret = null; if (accessList.size() > 0) { ret = new org.bouncycastle.asn1.x509.AuthorityInformationAccess(new DERSequence(accessList)); } if (ret == null) { log.error("AuthorityInformationAccess is used, but nor caIssuers not Ocsp url are defined!"); } return ret; }