List of usage examples for org.bouncycastle.asn1.x509 Extension authorityInfoAccess
ASN1ObjectIdentifier authorityInfoAccess
From source file:org.cesecore.certificates.certificateprofile.CertificateProfileTest.java
License:Open Source License
/**
 * Verifies which standard certificate extensions each profile reports as "used":
 * the base profile enables six, the fixed end-user profile adds extendedKeyUsage,
 * and switching on every optional extension of the base profile yields fifteen.
 * The OID list is what the CA later consults when it decides which extensions to
 * put into an issued certificate, so an unexpected entry or omission here would
 * change the shape of real certificates.
 */
@Test
public void test06CertificateExtensions() throws Exception {
    final String[] baseExtensions = {
            Extension.keyUsage.getId(),
            Extension.basicConstraints.getId(),
            Extension.subjectKeyIdentifier.getId(),
            Extension.authorityKeyIdentifier.getId(),
            Extension.subjectAlternativeName.getId(),
            Extension.issuerAlternativeName.getId() };

    // Plain profile: exactly the six base extensions.
    final CertificateProfile plainProfile = new CertificateProfile(CertificateProfileConstants.CERTPROFILE_NO_PROFILE);
    List<String> used = plainProfile.getUsedStandardCertificateExtensions();
    assertEquals(6, used.size());
    assertUsesExtensions(used, baseExtensions);

    // Fixed end-user profile: the six base extensions plus extendedKeyUsage.
    final CertificateProfile endUserProfile = new CertificateProfile(CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER);
    used = endUserProfile.getUsedStandardCertificateExtensions();
    assertEquals(7, used.size());
    assertUsesExtensions(used, baseExtensions);
    assertUsesExtensions(used, Extension.extendedKeyUsage.getId());

    // Plain profile with every optional extension switched on.
    final CertificateProfile fullProfile = new CertificateProfile(CertificateProfileConstants.CERTPROFILE_NO_PROFILE);
    fullProfile.setUseAuthorityInformationAccess(true);
    fullProfile.setUseCertificatePolicies(true);
    fullProfile.setUseCRLDistributionPoint(true);
    fullProfile.setUseFreshestCRL(true);
    fullProfile.setUseMicrosoftTemplate(true);
    fullProfile.setUseOcspNoCheck(true);
    fullProfile.setUseQCStatement(true);
    fullProfile.setUseExtendedKeyUsage(true);
    fullProfile.setUseSubjectDirAttributes(true);
    used = fullProfile.getUsedStandardCertificateExtensions();
    assertEquals(15, used.size());
    assertUsesExtensions(used, baseExtensions);
    assertUsesExtensions(used,
            Extension.extendedKeyUsage.getId(),
            Extension.authorityInfoAccess.getId(),
            Extension.certificatePolicies.getId(),
            Extension.cRLDistributionPoints.getId(),
            Extension.freshestCRL.getId(),
            OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId(),
            Extension.qCStatements.getId(),
            Extension.subjectDirectoryAttributes.getId(),
            CertTools.OID_MSTEMPLATE);
}

/** Asserts that every given extension OID is present in the profile's used-extension list. */
private static void assertUsesExtensions(List<String> used, String... oids) {
    for (String oid : oids) {
        assertTrue(used.contains(oid));
    }
}
From source file:org.cesecore.util.CertTools.java
License:Open Source License
/**
 * Extracts the caIssuers URIs carried in a CRL's Authority Information Access extension.
 * <p>
 * Only access descriptions whose method is {@code id-ad-caIssuers} and whose location is a
 * {@code uniformResourceIdentifier} GeneralName are returned; every other entry is skipped.
 * The URIs are copied verbatim from the CRL and are not validated here, so a caller that
 * fetches them must apply its own policy (allowed schemes and hosts, timeouts) before doing so.
 *
 * @param crl the CRL to inspect; anything that is not an {@link X509CRL} yields an empty result
 * @return the caIssuers URIs in extension order, or an empty collection if none were found
 */
public static Collection<String> getAuthorityInformationAccess(CRL crl) {
    final Collection<String> uris = new ArrayList<String>();
    if (!(crl instanceof X509CRL)) {
        return uris;
    }
    final ASN1Primitive extensionValue = getExtensionValue((X509CRL) crl, Extension.authorityInfoAccess.getId());
    if (extensionValue == null) {
        return uris;
    }
    final AccessDescription[] descriptions = AuthorityInformationAccess.getInstance(extensionValue).getAccessDescriptions();
    if (descriptions == null) {
        return uris;
    }
    for (final AccessDescription description : descriptions) {
        if (!description.getAccessMethod().equals(X509ObjectIdentifiers.id_ad_caIssuers)) {
            continue;
        }
        final GeneralName location = description.getAccessLocation();
        if (location.getTagNo() != GeneralName.uniformResourceIdentifier) {
            continue;
        }
        // The original notes that some Java builds hand the name back wrapped in an extra
        // tagged object; unwrap that layer before reading the IA5String.
        ASN1Primitive name = location.toASN1Primitive();
        if (name instanceof ASN1TaggedObject) {
            name = ASN1TaggedObject.getInstance(name).getObject();
        }
        uris.add(DERIA5String.getInstance(name).getString());
    }
    return uris;
}
From source file:org.cesecore.util.CertTools.java
License:Open Source License
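/**
 * Returns the first OCSP responder URL found in the certificate's Authority Information Access
 * extension, or {@code null}.
 * <p>
 * Only access descriptions with method {@code id-ad-ocsp} and a {@code uniformResourceIdentifier}
 * location are considered; the first match wins. Non-X.509 certificates and certificates without
 * the extension yield {@code null}. The URL is taken verbatim from the certificate and is not
 * validated here, so callers that contact it should apply their own scheme/host policy.
 *
 * @param cert the certificate to parse
 * @return the OCSP responder URL, or {@code null} if none is present
 * @throws CertificateParsingException if the extension cannot be decoded; the underlying exception
 *         is attached as the cause (the original kept only its {@code toString()} text)
 */
public static String getAuthorityInformationAccessOcspUrl(Certificate cert) throws CertificateParsingException {
    if (!(cert instanceof X509Certificate)) {
        return null;
    }
    final X509Certificate x509cert = (X509Certificate) cert;
    try {
        final ASN1Primitive obj = getExtensionValue(x509cert, Extension.authorityInfoAccess.getId());
        if (obj == null) {
            return null;
        }
        final AccessDescription[] ad = AuthorityInformationAccess.getInstance(obj).getAccessDescriptions();
        if (ad == null) {
            return null;
        }
        for (final AccessDescription description : ad) {
            if (!description.getAccessMethod().equals(X509ObjectIdentifiers.ocspAccessMethod)) {
                continue;
            }
            final GeneralName gn = description.getAccessLocation();
            if (gn.getTagNo() != GeneralName.uniformResourceIdentifier) {
                continue;
            }
            // After encoding in a certificate the name may come back wrapped in an extra tagged
            // object; unwrap it before reading the IA5String.
            ASN1Primitive gnobj = gn.toASN1Primitive();
            if (gnobj instanceof ASN1TaggedObject) {
                gnobj = ASN1TaggedObject.getInstance(gnobj).getObject();
            }
            // First usable entry wins; no need to look further.
            return DERIA5String.getInstance(gnobj).getString();
        }
        return null;
    } catch (Exception e) {
        log.error("Error parsing AuthorityInformationAccess", e);
        // Same message as before, but keep the cause so callers can inspect the real failure.
        throw new CertificateParsingException(e.toString(), e);
    }
}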
From source file:org.cesecore.util.PKIXCertRevocationStatusChecker.java
License:Open Source License
/**
 * Declares the certificate extensions this checker knows how to resolve: CRL Distribution
 * Points and Authority Information Access. Per the {@code PKIXCertPathChecker} contract the
 * path validator uses this set to decide which critical extensions it may hand to
 * {@code check(...)} for resolution.
 *
 * @return a fresh, mutable set holding the two extension OIDs
 */
@Override
public Set<String> getSupportedExtensions() {
    final Set<String> supported = new HashSet<String>();
    supported.add(Extension.cRLDistributionPoints.getId());
    supported.add(Extension.authorityInfoAccess.getId());
    return supported;
}
From source file:org.cesecore.util.PKIXCertRevocationStatusChecker.java
License:Open Source License
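/**
 * Checks the revocation status of {@code cert}: first via OCSP, using the responder URLs
 * advertised in the certificate, and via CRL when no URL is present, the request cannot be
 * built, or no responder returns a usable answer.
 * <p>
 * Any non-{@code null} OCSP status (revoked, and presumably also "unknown" as BouncyCastle
 * reports it) is treated as a failure, so the check fails closed on an unknown status.
 * <p>
 * Security note: the 16-byte nonce binds the OCSP response to this request (replay protection),
 * so it must be unpredictable. The original drew it from {@code java.util.Random}, which is not
 * cryptographically strong; it now comes from {@code java.security.SecureRandom}.
 * <p>
 * NOTE(review): on the OCSP-failed-then-CRL path neither the AIA nor the CRLDP OID is removed
 * from {@code unresolvedCritExts} here; confirm {@code fallBackToCrl} takes care of that,
 * otherwise a critical cRLDistributionPoints extension stays unresolved.
 *
 * @param cert               the certificate whose revocation status is checked
 * @param unresolvedCritExts critical extension OIDs still unresolved by path validation; the
 *                           OID this method resolved is removed from it (may be {@code null})
 * @throws CertPathValidatorException if no issuer certificate is available, or if the
 *                                    certificate is reported as revoked (or otherwise not good)
 */
@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
    clearResult();
    Certificate cacert = getCaCert(cert);
    if (cacert == null) {
        final String msg = "No issuer CA certificate was found. An issuer CA certificate is needed to create an OCSP request and to get the right CRL";
        log.info(msg);
        throw new CertPathValidatorException(msg);
    }
    ArrayList<String> ocspurls = getOcspUrls(cert);
    if (ocspurls.isEmpty()) {
        // No responder advertised: go straight to CRL checking.
        fallBackToCrl(cert, CertTools.getSubjectDN(cacert));
        if (unresolvedCritExts != null) {
            unresolvedCritExts.remove(Extension.cRLDistributionPoints.getId());
        }
        return;
    }
    BigInteger certSerialnumber = CertTools.getSerialNumber(cert);
    // Replay-protection nonce; must come from a CSPRNG (java.util.Random is predictable).
    byte[] nonce = new byte[16];
    new java.security.SecureRandom().nextBytes(nonce);
    OCSPReq req;
    try {
        req = getOcspRequest(cacert, certSerialnumber, nonce);
    } catch (CertificateEncodingException | OCSPException e) {
        if (log.isDebugEnabled()) {
            log.debug("Failed to create OCSP request. " + e.getLocalizedMessage());
        }
        fallBackToCrl(cert, CertTools.getSubjectDN(cacert));
        return;
    }
    // Try each advertised responder in order; the first usable (successful, HTTP 200) answer wins.
    SingleResp ocspResp = null;
    for (String url : ocspurls) {
        ocspResp = getOCSPResponse(url, req, cert, nonce, OCSPRespBuilder.SUCCESSFUL, 200);
        if (ocspResp != null) {
            log.info("Obtained OCSP response from " + url);
            break;
        }
        if (log.isDebugEnabled()) {
            log.debug("Failed to obtain an OCSP reponse from " + url);
        }
    }
    if (ocspResp == null) {
        log.info("Failed to check certificate revocation status using OCSP. Falling back to check using CRL");
        fallBackToCrl(cert, CertTools.getSubjectDN(cacert));
        return;
    }
    CertificateStatus status = ocspResp.getCertStatus();
    this.ocspResponse = ocspResp;
    if (log.isDebugEnabled()) {
        log.debug("The certificate status is: " + (status == null ? "Good" : status.toString()));
    }
    if (status != null) {
        // status == null means "good"; anything else fails the check.
        throw new CertPathValidatorException("Certificate with serialnumber " + CertTools.getSerialNumberAsString(cert) + " was revoked");
    }
    if (unresolvedCritExts != null) {
        unresolvedCritExts.remove(Extension.authorityInfoAccess.getId());
    }
}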
From source file:org.codice.ddf.security.ocsp.checker.OcspChecker.java
License:Open Source License
/** * Attempts to grab additional OCSP server urls off of the given {@param cert}. * * @param - the {@link X509Certificate} to check. * @return {@link List} of additional OCSP server urls found on the given {@param cert}. */// w ww. j a v a 2s . c om private List<String> getOcspUrlsFromCert(X509Certificate cert) { List<String> ocspUrls = new ArrayList<>(); try { byte[] authorityInfoAccess = cert.getExtensionValue(Extension.authorityInfoAccess.getId()); if (authorityInfoAccess == null) { return ocspUrls; } AuthorityInformationAccess authorityInformationAccess = AuthorityInformationAccess .getInstance(X509ExtensionUtil.fromExtensionValue(authorityInfoAccess)); if (authorityInformationAccess == null) { return ocspUrls; } for (AccessDescription description : authorityInformationAccess.getAccessDescriptions()) { GeneralName accessLocation = description.getAccessLocation(); if (accessLocation.getTagNo() == GeneralName.uniformResourceIdentifier) ocspUrls.add(((DERIA5String) accessLocation.getName()).getString()); } } catch (IOException e) { LOGGER.debug("Problem retrieving the OCSP server url(s) from the certificate." + CONTINUING_MSG, e); } return ocspUrls; }
From source file:org.demoiselle.signer.core.extension.BasicCertificate.java
License:Open Source License
/** * Returns the AuthorityInfoAccess extension value on list format.<br> * Otherwise, returns <b>list empty</b>.<br> * @return List Authority info access list *///from w w w . java2s . c o m public List<String> getAuthorityInfoAccess() { List<String> address = new ArrayList<String>(); try { byte[] authorityInfoAccess = certificate.getExtensionValue(Extension.authorityInfoAccess.getId()); if (authorityInfoAccess != null && authorityInfoAccess.length > 0) { AuthorityInformationAccess infoAccess = AuthorityInformationAccess .getInstance(X509ExtensionUtil.fromExtensionValue(authorityInfoAccess)); for (AccessDescription desc : infoAccess.getAccessDescriptions()) if (desc.getAccessLocation().getTagNo() == GeneralName.uniformResourceIdentifier) address.add(((DERIA5String) desc.getAccessLocation().getName()).getString()); } return address; } catch (Exception error) { logger.info(error.getMessage()); return address; } }
From source file:org.keycloak.common.util.OCSPUtils.java
License:Apache License
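/**
 * Extracts the OCSP responder URIs from the certificate's AIA v3 extension, if present. There
 * can be several responder URIs encoded in one certificate; all {@code id-ad-ocsp} entries whose
 * location is a {@code uniformResourceIdentifier} are returned, in extension order.
 * <p>
 * NOTE(review): a decoding failure is printed and swallowed (best-effort, as before), so the
 * caller sees an empty list and cannot tell "no responder" from "corrupt extension"; route this
 * through the class logger and consider whether the caller should fail closed.
 *
 * @param cert the certificate to inspect
 * @return the responder URIs found; empty when the extension is absent or undecodable
 * @throws CertificateEncodingException if the certificate itself cannot be re-encoded
 */
private static List<String> getResponderURIs(X509Certificate cert) throws CertificateEncodingException {
    LinkedList<String> responderURIs = new LinkedList<>();
    JcaX509CertificateHolder holder = new JcaX509CertificateHolder(cert);
    Extension aia = holder.getExtension(Extension.authorityInfoAccess);
    if (aia == null) {
        return responderURIs;
    }
    // try-with-resources: the original never closed the ASN1InputStream.
    try (ASN1InputStream in = new ASN1InputStream(aia.getExtnValue().getOctetStream())) {
        ASN1Sequence seq = ASN1Sequence.getInstance(in.readObject());
        AuthorityInformationAccess authorityInfoAccess = AuthorityInformationAccess.getInstance(seq);
        for (AccessDescription ad : authorityInfoAccess.getAccessDescriptions()) {
            if (!ad.getAccessMethod().equals(AccessDescription.id_ad_ocsp)) {
                continue;
            }
            // See https://www.ietf.org/rfc/rfc2560.txt, 3.1 Certificate Content
            if (ad.getAccessLocation().getTagNo() == GeneralName.uniformResourceIdentifier) {
                DERIA5String value = DERIA5String.getInstance(ad.getAccessLocation().getName());
                responderURIs.add(value.getString());
            }
        }
    } catch (IOException e) {
        e.printStackTrace();
    }
    return responderURIs;
}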
From source file:org.metaeffekt.dcc.commons.pki.CertificateManager.java
License:Apache License
/**
 * Builds the X.509 v3 extension list for a certificate to be issued, driven by the manager's
 * properties. The order of the returned list is the order the extensions are added here.
 * <p>
 * Security-relevant choices visible below:
 * <ul>
 * <li>Every criticality flag defaults to {@code false} except Basic Constraints for CA
 *     certificates. RFC 5280 §4.2.1.3 recommends marking Key Usage critical when present;
 *     the FIXME below already questions the {@code false} default.</li>
 * <li>Non-CA certificates get no Basic Constraints extension at all; CA certificates get
 *     {@code cA=true}, with a path-length limit only when the configured chain length is
 *     positive (BouncyCastle's {@code BasicConstraints(int)} is the cA+pathLen form).</li>
 * <li>When an issuer certificate is supplied, the CRL Distribution Points and AIA extensions
 *     are copied from the <em>issuer's</em> certificate, so the new certificate advertises
 *     the issuer's own revocation/AIA endpoints — correct only when the issuer publishes
 *     the issued certificates' status at the same locations; verify against the deployment.</li>
 * </ul>
 *
 * @param publicKey         the subject public key, used to derive the Subject Key Identifier
 * @param issuerCertificate the issuer's certificate, or {@code null} for a self-issued
 *                          certificate (in which case CRLDP/AIA come from properties)
 * @return the extensions to place in the certificate, in insertion order
 * @throws CertIOException, NoSuchAlgorithmException, IOException on encoding or digest failures
 */
protected List<Extension> createExtensions(PublicKey publicKey, X509Certificate issuerCertificate) throws CertIOException, NoSuchAlgorithmException, IOException {
    List<Extension> extensions = new ArrayList<>();
    String certType = getProperty(PROPERTY_CERT_TYPE, CERT_TYPE_TLS);
    // backward compatibility: map the legacy CA type name onto the current one
    if (CERT_TYPE_CA_OLD.equals(certType)) {
        certType = CERT_TYPE_CA;
    }
    // subject key identifier (always present, derived from the public key)
    boolean criticalKeyIdentifier = getProperty(PROPERTY_CERT_CRITICAL_KEY_IDENTIFIER, false);
    extensions.add(new Extension(Extension.subjectKeyIdentifier, criticalKeyIdentifier, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKey).getEncoded()));
    // basic constraints: only emitted for CA certificates, critical by default
    if (CERT_TYPE_CA.equals(certType)) {
        boolean criticalCaConstraints = getProperty(PROPERTY_CERT_CRITICAL_CA, true);
        int chainLengthConstraint = getProperty(PROPERTY_CERT_CHAIN_LENGTH, 0);
        if (chainLengthConstraint > 0) {
            // cA=true with an explicit pathLenConstraint
            extensions.add(new Extension(Extension.basicConstraints, criticalCaConstraints, new BasicConstraints(chainLengthConstraint).getEncoded()));
        } else {
            // cA=true with no path-length limit
            extensions.add(new Extension(Extension.basicConstraints, criticalCaConstraints, new BasicConstraints(true).getEncoded()));
        }
    }
    // key usage: skipped entirely when the type maps to no usage bits
    int keyUsageInt = getKeyUsage(certType);
    if (keyUsageInt != 0) {
        // FIXME: test whether we can default to true here
        boolean criticalKeyUsage = getProperty(PROPERTY_CERT_CRITICAL_KEY_USAGE, false);
        KeyUsage keyUsage = new KeyUsage(keyUsageInt);
        extensions.add(new Extension(Extension.keyUsage, criticalKeyUsage, keyUsage.getEncoded()));
    }
    // extended key usage: TLS certificates default to clientAuth + serverAuth,
    // other types have no default and only get EKU if createKeyPurposeIds returns something
    KeyPurposeId[] keyPurposeDefault = null;
    if (CERT_TYPE_TLS.equals(certType)) {
        // defaults for TLS
        keyPurposeDefault = new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth };
    }
    boolean criticalKeyPurpose = getProperty(PROPERTY_CERT_CRITICAL_KEY_PURPOSE, false);
    KeyPurposeId[] keyPurpose = createKeyPurposeIds(keyPurposeDefault);
    if (keyPurpose != null) {
        extensions.add(new Extension(Extension.extendedKeyUsage, criticalKeyPurpose, new ExtendedKeyUsage(keyPurpose).getEncoded()));
    }
    // subjectAlternativeName: one SEQUENCE of the configured names, omitted when none are configured
    List<ASN1Encodable> subjectAlternativeNames = extractAlternativeNames(PROPERTY_PREFIX_CERT_NAME);
    if (!subjectAlternativeNames.isEmpty()) {
        boolean criticalNames = getProperty(PROPERTY_CERT_CRITICAL_NAMES, false);
        DERSequence subjectAlternativeNamesExtension = new DERSequence(subjectAlternativeNames.toArray(new ASN1Encodable[subjectAlternativeNames.size()]));
        extensions.add(new Extension(Extension.subjectAlternativeName, criticalNames, subjectAlternativeNamesExtension.getEncoded()));
    }
    if (issuerCertificate == null) {
        // self-issued: CRLDP and AIA come from configuration
        // crl distribution point
        DistributionPoint[] crlDistributionPoints = createCrlDistributionPoints();
        if (crlDistributionPoints != null) {
            boolean criticalCrlDistPoints = getProperty(PROPERTY_CERT_CRITICAL_CRL_DISTRIBUTION_POINTS, false);
            extensions.add(new Extension(Extension.cRLDistributionPoints, criticalCrlDistPoints, new CRLDistPoint(crlDistributionPoints).getEncoded()));
        }
        // authority information access
        AccessDescription[] accessDescriptions = createAccessDescriptions();
        if (accessDescriptions != null) {
            boolean criticalAuthorityInformationAccess = getProperty(PROPERTY_CERT_CRITICAL_AUTHORITY_INFORMATION_ACCESS, false);
            extensions.add(new Extension(Extension.authorityInfoAccess, criticalAuthorityInformationAccess, new AuthorityInformationAccess(accessDescriptions).getEncoded()));
        }
    } else {
        // issued by a CA: inherit the issuer certificate's CRLDP and AIA verbatim (see class note above)
        copyExtension(Extension.cRLDistributionPoints, issuerCertificate, extensions);
        copyExtension(Extension.authorityInfoAccess, issuerCertificate, extensions);
    }
    return extensions;
}
From source file:org.poreid.verify.ocsp.OCSPClient.java
License:Open Source License
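/**
 * Looks up the OCSP responder URL in the certificate's Authority Information Access extension.
 * <p>
 * Only {@code id-ad-ocsp} access descriptions whose location is a
 * {@code uniformResourceIdentifier} are considered, and the first one wins. The original
 * passed any GeneralName's {@code toString()} to {@code new URL(...)} without checking the
 * name type, and — because the result lives in the {@code url} field — a certificate with no
 * OCSP entry could return the responder of a previously inspected certificate. The field is
 * therefore reset at the start of each call.
 * <p>
 * NOTE(review): if some other method relies on {@code url} surviving across calls, switch this
 * to a local variable instead of resetting the field.
 *
 * @param certificate the certificate to inspect
 * @return the OCSP responder URL, or {@code null} if the extension is absent, carries no OCSP
 *         URI entry, or cannot be decoded (a malformed URL is an {@code IOException} too)
 */
private URL getOcspUrlFromCertificate(X509Certificate certificate) {
    url = null;
    final byte[] octetBytes = certificate
            .getExtensionValue(org.bouncycastle.asn1.x509.Extension.authorityInfoAccess.getId());
    if (null == octetBytes) {
        return url;
    }
    try {
        final byte[] encoded = X509ExtensionUtil.fromExtensionValue(octetBytes).getEncoded();
        final ASN1Sequence seq = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(encoded));
        final AuthorityInformationAccess access = AuthorityInformationAccess.getInstance(seq);
        for (AccessDescription accessDescription : access.getAccessDescriptions()) {
            if (!accessDescription.getAccessMethod().equals(AccessDescription.id_ad_ocsp)) {
                continue;
            }
            final org.bouncycastle.asn1.x509.GeneralName location = accessDescription.getAccessLocation();
            // Only a URI name form is a URL; directoryName/rfc822Name etc. must not be fed to new URL().
            if (location.getTagNo() != org.bouncycastle.asn1.x509.GeneralName.uniformResourceIdentifier) {
                continue;
            }
            url = new URL(org.bouncycastle.asn1.DERIA5String.getInstance(location.getName()).getString());
            break;
        }
    } catch (IOException ignore) {
        // Undecodable extension or malformed URL: treated as "no responder advertised".
    }
    return url;
}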