List of usage examples for org.bouncycastle.asn1.x509 AuthorityKeyIdentifier getInstance
public static AuthorityKeyIdentifier getInstance(Object obj)
From source file:be.fedict.trust.linker.PublicKeyTrustLinker.java
License:Open Source License
@Override public TrustLinkerResult hasTrustLink(X509Certificate childCertificate, X509Certificate certificate, Date validationDate, RevocationData revocationData, AlgorithmPolicy algorithmPolicy) throws TrustLinkerResultException, Exception { if (false == childCertificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) { LOG.debug("child certificate issuer not the same as the issuer certificate subject"); LOG.debug("child certificate: " + childCertificate.getSubjectX500Principal()); LOG.debug("certificate: " + certificate.getSubjectX500Principal()); LOG.debug("child certificate issuer: " + childCertificate.getIssuerX500Principal()); throw new TrustLinkerResultException(TrustLinkerResultReason.NO_TRUST, "child certificate issuer not the same as the issuer certificate subject"); }//w ww .j av a 2s . c o m try { childCertificate.verify(certificate.getPublicKey()); } catch (Exception e) { LOG.debug("verification error: " + e.getMessage(), e); throw new TrustLinkerResultException(TrustLinkerResultReason.INVALID_SIGNATURE, "verification error: " + e.getMessage()); } algorithmPolicy.checkSignatureAlgorithm(childCertificate.getSigAlgOID(), validationDate); if (true == childCertificate.getNotAfter().after(certificate.getNotAfter())) { LOG.warn("child certificate validity end is after certificate validity end"); LOG.warn("child certificate validity end: " + childCertificate.getNotAfter()); LOG.warn("certificate validity end: " + certificate.getNotAfter()); } if (true == childCertificate.getNotBefore().before(certificate.getNotBefore())) { LOG.warn("child certificate validity begin before certificate validity begin"); LOG.warn("child certificate validity begin: " + childCertificate.getNotBefore()); LOG.warn("certificate validity begin: " + certificate.getNotBefore()); } if (true == validationDate.before(childCertificate.getNotBefore())) { LOG.debug("certificate is not yet valid"); throw new TrustLinkerResultException(TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL, "certificate is not yet valid"); } if (true == validationDate.after(childCertificate.getNotAfter())) { LOG.debug("certificate already expired"); throw new TrustLinkerResultException(TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL, "certificate already expired"); } if (-1 == certificate.getBasicConstraints()) { LOG.debug("certificate not a CA: " + certificate.getSubjectX500Principal()); /* * http://www.valicert.com/ Root CA has no CA flag set. Actually * this is in violation with 4.2.1.10 Basic Constraints of RFC2459. */ try { certificate.verify(certificate.getPublicKey()); LOG.warn("allowing self-signed Root CA without CA flag set"); } catch (Exception e) { throw new TrustLinkerResultException(TrustLinkerResultReason.NO_TRUST, "certificate not a CA"); } } if (0 == certificate.getBasicConstraints() && -1 != childCertificate.getBasicConstraints()) { LOG.debug("child should not be a CA"); throw new TrustLinkerResultException(TrustLinkerResultReason.NO_TRUST, "child should not be a CA"); } /* * SKID/AKID sanity check */ boolean isCa = isCa(certificate); boolean isChildCa = isCa(childCertificate); byte[] subjectKeyIdentifierData = certificate.getExtensionValue(Extension.subjectKeyIdentifier.getId()); byte[] authorityKeyIdentifierData = childCertificate .getExtensionValue(Extension.authorityKeyIdentifier.getId()); if (isCa && null == subjectKeyIdentifierData) { LOG.debug("certificate is CA and MUST contain a Subject Key Identifier"); throw new TrustLinkerResultException(TrustLinkerResultReason.NO_TRUST, "certificate is CA and MUST contain a Subject Key Identifier"); } if (isChildCa && null == authorityKeyIdentifierData && null != subjectKeyIdentifierData) { LOG.error("child certificate is CA and MUST contain an Authority Key Identifier"); // return new TrustLinkerResult(false, // TrustLinkerResultReason.INVALID_TRUST, // "child certificate is CA and MUST contain an Authority Key Identifier"); } if (null != subjectKeyIdentifierData && null != authorityKeyIdentifierData) { AuthorityKeyIdentifier authorityKeyIdentifier = AuthorityKeyIdentifier .getInstance(JcaX509ExtensionUtils.parseExtensionValue(authorityKeyIdentifierData)); SubjectKeyIdentifier subjectKeyIdentifier = SubjectKeyIdentifier .getInstance(JcaX509ExtensionUtils.parseExtensionValue(subjectKeyIdentifierData)); if (!Arrays.equals(authorityKeyIdentifier.getKeyIdentifier(), subjectKeyIdentifier.getKeyIdentifier())) { LOG.debug( "certificate's subject key identifier does not match child certificate's authority key identifier"); throw new TrustLinkerResultException(TrustLinkerResultReason.NO_TRUST, "certificate's subject key identifier does not match child certificate's authority key identifier"); } } /* * We don't check pathLenConstraint since this one is only there to * protect the PKI business. */ /* * Keep in mind that this trust linker can never return TRUSTED. */ return TrustLinkerResult.UNDECIDED; }
From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.java
License:Open Source License
private void checkSignatures() { // 1.6.1 - Inputs // d)//from w w w . j av a 2 s.c o m TrustAnchor trust = null; X500Principal trustPrincipal = null; // validation date { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certPathValidDate", new Object[] { new TrustedInput(validDate), new TrustedInput(new Date()) }); addNotification(msg); } // find trust anchors try { X509Certificate cert = (X509Certificate) certs.get(certs.size() - 1); Collection trustColl = getTrustAnchors(cert, pkixParams.getTrustAnchors()); if (trustColl.size() > 1) { // conflicting trust anchors ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.conflictingTrustAnchors", new Object[] { new Integer(trustColl.size()), new UntrustedInput(cert.getIssuerX500Principal()) }); addError(msg); } else if (trustColl.isEmpty()) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noTrustAnchorFound", new Object[] { new UntrustedInput(cert.getIssuerX500Principal()), new Integer(pkixParams.getTrustAnchors().size()) }); addError(msg); } else { PublicKey trustPublicKey; trust = (TrustAnchor) trustColl.iterator().next(); if (trust.getTrustedCert() != null) { trustPublicKey = trust.getTrustedCert().getPublicKey(); } else { trustPublicKey = trust.getCAPublicKey(); } try { CertPathValidatorUtilities.verifyX509Certificate(cert, trustPublicKey, pkixParams.getSigProvider()); } catch (SignatureException e) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustButInvalidCert"); addError(msg); } catch (Exception e) { // do nothing, error occurs again later } } } catch (CertPathReviewerException cpre) { addError(cpre.getErrorMessage()); } catch (Throwable t) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.unknown", new Object[] { new UntrustedInput(t.getMessage()), new UntrustedInput(t) }); addError(msg); } if (trust != null) { // get the name of the trustAnchor X509Certificate sign = trust.getTrustedCert(); try { if (sign != null) { trustPrincipal = getSubjectPrincipal(sign); } else { trustPrincipal = new X500Principal(trust.getCAName()); } } catch (IllegalArgumentException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustDNInvalid", new Object[] { new UntrustedInput(trust.getCAName()) }); addError(msg); } // test key usages of the trust anchor if (sign != null) { boolean[] ku = sign.getKeyUsage(); if (ku != null && !ku[5]) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustKeyUsage"); addNotification(msg); } } } // 1.6.2 - Initialization PublicKey workingPublicKey = null; X500Principal workingIssuerName = trustPrincipal; X509Certificate sign = null; if (trust != null) { sign = trust.getTrustedCert(); if (sign != null) { workingPublicKey = sign.getPublicKey(); } else { workingPublicKey = trust.getCAPublicKey(); } try { getAlgorithmIdentifier(workingPublicKey); } catch (CertPathValidatorException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustPubKeyError"); addError(msg); } } // Basic cert checks X509Certificate cert = null; int i; for (int index = certs.size() - 1; index >= 0; index--) { // // i as defined in the algorithm description // i = n - index; // // set certificate to be checked in this round // sign and workingPublicKey and workingIssuerName are set // at the end of the for loop and initialied the // first time from the TrustAnchor // cert = (X509Certificate) certs.get(index); // verify signature if (workingPublicKey != null) { try { CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey, pkixParams.getSigProvider()); } catch (GeneralSecurityException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.signatureNotVerified", new Object[] { ex.getMessage(), ex, ex.getClass().getName() }); addError(msg, index); } } else if (isSelfIssued(cert)) { try { CertPathValidatorUtilities.verifyX509Certificate(cert, cert.getPublicKey(), pkixParams.getSigProvider()); ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.rootKeyIsValidButNotATrustAnchor"); addError(msg, index); } catch (GeneralSecurityException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.signatureNotVerified", new Object[] { ex.getMessage(), ex, ex.getClass().getName() }); addError(msg, index); } } else { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.NoIssuerPublicKey"); // if there is an authority key extension add the serial and issuer of the missing certificate byte[] akiBytes = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId()); if (akiBytes != null) { try { AuthorityKeyIdentifier aki = AuthorityKeyIdentifier .getInstance(X509ExtensionUtil.fromExtensionValue(akiBytes)); GeneralNames issuerNames = aki.getAuthorityCertIssuer(); if (issuerNames != null) { GeneralName name = issuerNames.getNames()[0]; BigInteger serial = aki.getAuthorityCertSerialNumber(); if (serial != null) { Object[] extraArgs = { new LocaleString(RESOURCE_NAME, "missingIssuer"), " \"", name, "\" ", new LocaleString(RESOURCE_NAME, "missingSerial"), " ", serial }; msg.setExtraArguments(extraArgs); } } } catch (IOException e) { // ignore } } addError(msg, index); } // certificate valid? try { cert.checkValidity(validDate); } catch (CertificateNotYetValidException cnve) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certificateNotYetValid", new Object[] { new TrustedInput(cert.getNotBefore()) }); addError(msg, index); } catch (CertificateExpiredException cee) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certificateExpired", new Object[] { new TrustedInput(cert.getNotAfter()) }); addError(msg, index); } // certificate revoked? if (pkixParams.isRevocationEnabled()) { try { checkRevocation(pkixParams, cert, validDate, sign, workingPublicKey); } catch (SimpleValidationErrorException e) { addError(e, index); } } // certificate issuer correct if (workingIssuerName != null && !cert.getIssuerX500Principal().equals(workingIssuerName)) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certWrongIssuer", new Object[] { workingIssuerName.getName(), cert.getIssuerX500Principal().getName() }); addError(msg, index); } // // prepare for next certificate // if (i != n) { if (cert != null && cert.getVersion() == 1) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCACert"); addError(msg, index); } // k) BasicConstraints bc; try { bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS)); if (bc != null) { if (!bc.isCA()) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCACert"); addError(msg, index); } } else { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noBasicConstraints"); addError(msg, index); } } catch (AnnotatedException ae) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.errorProcesingBC"); addError(msg, index); } // n) boolean[] _usage = cert.getKeyUsage(); if ((_usage != null) && !_usage[KEY_CERT_SIGN]) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCertSign"); addError(msg, index); } } // if // set signing certificate for next round sign = cert; // c) workingIssuerName = cert.getSubjectX500Principal(); // d) e) f) try { workingPublicKey = getNextWorkingKey(certs, index); getAlgorithmIdentifier(workingPublicKey); } catch (CertPathValidatorException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.pubKeyError"); addError(msg, index); } } // for trustAnchor = trust; subjectPublicKey = workingPublicKey; }
From source file:mitm.common.security.certificate.X509ExtensionInspector.java
License:Open Source License
/** * Returns the AuthorityKeyIdentifier extension for the extension if available. * /*from w w w .j a v a2s .co m*/ * @param extension * @return * @throws IOException */ public static AuthorityKeyIdentifier getAuthorityKeyIdentifier(X509Extension extension) throws IOException { AuthorityKeyIdentifier authorityKeyIdentifier = null; ASN1Object derObject = ASN1Utils.getExtensionValue(extension, org.bouncycastle.asn1.x509.X509Extension.authorityKeyIdentifier.getId()); if (derObject != null) { authorityKeyIdentifier = AuthorityKeyIdentifier.getInstance(derObject); } return authorityKeyIdentifier; }
From source file:net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil.java
License:BSD License
public static byte[] getAuthorityKeyIdentifier(X509Extension certificate) { try {/*from w w w . j av a 2 s. c o m*/ byte[] extensionValue = certificate .getExtensionValue(org.bouncycastle.asn1.x509.X509Extension.authorityKeyIdentifier.getId()); if (extensionValue == null) { return null; } return AuthorityKeyIdentifier.getInstance(X509ExtensionUtil.fromExtensionValue(extensionValue)) .getKeyIdentifier(); } catch (IOException e) { throw new X509CertificateOperationException("Can not get AuthorityKeyIdentifier for certificate", e); } }
From source file:net.sf.keystore_explorer.crypto.x509.X509Ext.java
License:Open Source License
private String getAuthorityKeyIdentifierStringValue(byte[] value) throws IOException { // @formatter:off /*// ww w . j av a 2 s . c o m * AuthorityKeyIdentifier ::= ASN1Sequence { keyIdentifier [0] * KeyIdentifier OPTIONAL, authorityCertIssuer [1] GeneralNames * OPTIONAL, authorityCertSerialNumber [2] CertificateSerialNumber * OPTIONAL } * * KeyIdentifier ::= OCTET STRING * * GeneralNames ::= ASN1Sequence SIZE (1..MAX) OF GeneralName * * CertificateSerialNumber ::= ASN1Integer */ // @formatter:on StringBuilder sb = new StringBuilder(); AuthorityKeyIdentifier authorityKeyIdentifier = AuthorityKeyIdentifier.getInstance(value); byte[] keyIdentifier = authorityKeyIdentifier.getKeyIdentifier(); GeneralNames authorityCertIssuer = authorityKeyIdentifier.getAuthorityCertIssuer(); BigInteger certificateSerialNumber = authorityKeyIdentifier.getAuthorityCertSerialNumber(); if (keyIdentifier != null) { // Optional // Output as a hex string sb.append(MessageFormat.format(res.getString("AuthorityKeyIdentifier"), HexUtil.getHexString(keyIdentifier))); sb.append(NEWLINE); } if (authorityCertIssuer != null) { // Optional sb.append(res.getString("CertificateIssuer")); sb.append(NEWLINE); for (GeneralName generalName : authorityCertIssuer.getNames()) { sb.append(INDENT); sb.append(GeneralNameUtil.toString(generalName)); sb.append(NEWLINE); } } if (certificateSerialNumber != null) { // Optional // Output as an integer sb.append(MessageFormat.format(res.getString("CertificateSerialNumber"), HexUtil.getHexString(certificateSerialNumber))); sb.append(NEWLINE); } return sb.toString(); }
From source file:net.sf.keystore_explorer.gui.dialogs.extensions.DAuthorityKeyIdentifier.java
License:Open Source License
private void prepopulateWithValue(byte[] value) throws IOException { AuthorityKeyIdentifier authorityKeyIdentifier = AuthorityKeyIdentifier.getInstance(value); if (authorityKeyIdentifier.getKeyIdentifier() != null) { jkiKeyIdentifier.setKeyIdentifier(authorityKeyIdentifier.getKeyIdentifier()); }/*from www . j a v a 2s. c o m*/ GeneralNames authorityCertIssuer = authorityKeyIdentifier.getAuthorityCertIssuer(); if (authorityCertIssuer != null) { jgnAuthorityCertIssuer.setGeneralNames(authorityCertIssuer); } BigInteger authorityCertSerialNumber = authorityKeyIdentifier.getAuthorityCertSerialNumber(); if (authorityCertSerialNumber != null) { jtfAuthorityCertSerialNumber.setText("" + authorityCertSerialNumber.longValue()); jtfAuthorityCertSerialNumber.setCaretPosition(0); } }
From source file:net.sf.portecle.crypto.X509Ext.java
License:Open Source License
/** * Get Authority Key Identifier (2.5.29.35) extension value as a string. * // ww w . ja va 2 s .com * <pre> * AuthorityKeyIdentifier ::= SEQUENCE { * keyIdentifier [0] KeyIdentifier OPTIONAL, * authorityCertIssuer [1] Names OPTIONAL, * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } * KeyIdentifier ::= OCTET STRING * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName * CertificateSerialNumber ::= INTEGER * </pre> * * @param bValue The octet string value * @return Extension value as a string * @throws IOException If an I/O problem occurs */ private String getAuthorityKeyIdentifierStringValue(byte[] bValue) throws IOException { AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(bValue); StringBuilder strBuff = new StringBuilder(); byte[] keyIdentifier = aki.getKeyIdentifier(); if (keyIdentifier != null) { strBuff.append(RB.getString("KeyIdentifier")); strBuff.append(": "); strBuff.append(convertToHexString(keyIdentifier)); strBuff.append("<br>"); } GeneralNames authorityCertIssuer; if ((authorityCertIssuer = aki.getAuthorityCertIssuer()) != null) { if (strBuff.length() != 0) { strBuff.append("<br>"); } strBuff.append("<ul><li>"); strBuff.append(RB.getString("CertificateIssuer")); strBuff.append(": "); strBuff.append(getGeneralNamesString(authorityCertIssuer, LinkClass.BROWSER)); strBuff.append("</li></ul>"); } BigInteger serialNo; if ((serialNo = aki.getAuthorityCertSerialNumber()) != null) { if (strBuff.length() != 0) { strBuff.append("<br>"); } strBuff.append(MessageFormat.format(RB.getString("CertificateSerialNumber"), serialNo)); } return strBuff.toString(); }
From source file:org.cesecore.certificates.crl.CrlCreateSessionTest.java
License:Open Source License
private void checkCrlAkid(X509CA subca, final byte[] crl) throws Exception { assertNotNull(crl);/*from ww w. ja va 2 s . c om*/ // First, check that it is signed by the correct public key final X509CRL xcrl = CertTools.getCRLfromByteArray(crl); final PublicKey pubK = subca.getCACertificate().getPublicKey(); xcrl.verify(pubK); // Check that the correct AKID is used final byte[] akidExtBytes = xcrl.getExtensionValue(Extension.authorityKeyIdentifier.getId()); ASN1InputStream octAis = new ASN1InputStream(new ByteArrayInputStream(akidExtBytes)); DEROctetString oct = (DEROctetString) (octAis.readObject()); ASN1InputStream keyidAis = new ASN1InputStream(new ByteArrayInputStream(oct.getOctets())); AuthorityKeyIdentifier akid = AuthorityKeyIdentifier.getInstance((ASN1Sequence) keyidAis.readObject()); keyidAis.close(); octAis.close(); assertArrayEquals("Incorrect Authority Key Id in CRL.", TEST_AKID, akid.getKeyIdentifier()); }
From source file:org.cesecore.util.CertTools.java
License:Open Source License
/** * Get the authority key identifier from a certificate extensions * //from w ww .j ava2s . c o m * @param cert certificate containing the extension * @return byte[] containing the authority key identifier, or null if it does not exist */ public static byte[] getAuthorityKeyId(Certificate cert) { if (cert == null) { return null; } if (cert instanceof X509Certificate) { X509Certificate x509cert = (X509Certificate) cert; byte[] extvalue = x509cert.getExtensionValue("2.5.29.35"); if (extvalue == null) { return null; } try { ASN1InputStream octAsn1InputStream = new ASN1InputStream(new ByteArrayInputStream(extvalue)); try { DEROctetString oct = (DEROctetString) (octAsn1InputStream.readObject()); ASN1InputStream keyAsn1InputStream = new ASN1InputStream( new ByteArrayInputStream(oct.getOctets())); try { AuthorityKeyIdentifier keyId = AuthorityKeyIdentifier .getInstance((ASN1Sequence) keyAsn1InputStream.readObject()); return keyId.getKeyIdentifier(); } finally { keyAsn1InputStream.close(); } } finally { octAsn1InputStream.close(); } } catch (IOException e) { throw new IllegalStateException("Could not parse authority key identifier from certificate.", e); } } return null; }
From source file:org.cryptacular.x509.ExtensionReader.java
License:Open Source License
/** * Reads the value of the <code>AuthorityKeyIdentifier</code> extension field * of the certificate./* www .j av a2 s.c o m*/ * * @return Authority key identifier. */ public AuthorityKeyIdentifier readAuthorityKeyIdentifier() { return AuthorityKeyIdentifier.getInstance(read(ExtensionType.AuthorityKeyIdentifier)); }