List of usage examples for org.bouncycastle.asn1.x509 Extension Extension
public Extension(ASN1ObjectIdentifier extnId, boolean critical, ASN1OctetString value)
From source file:org.cesecore.keybind.impl.OcspKeyBindingTest.java
License:Open Source License
/** @return An extended key usage extension with id_kp_OCSPSigning set. */ private static Extension getExtendedKeyUsageExtension() throws IOException { final ASN1Encodable usage = KeyPurposeId.getInstance(KeyPurposeId.id_kp_OCSPSigning); final ASN1Sequence seq = ASN1Sequence.getInstance(new DERSequence(usage)); return new Extension(Extension.extendedKeyUsage, true, seq.getEncoded()); }
From source file:org.cesecore.util.CertToolsTest.java
License:Open Source License
/** * Tests the following methods:/*w w w. j a v a 2 s. c om*/ * <ul> * <li>{@link CertTools.checkNameConstraints}</li> * <li>{@link NameConstraint.parseNameConstraintsList}</li> * <li>{@link NameConstraint.toGeneralSubtrees}</li> * </ul> */ @Test public void testNameConstraints() throws Exception { final String permitted = "C=SE,CN=example.com\n" + "example.com\n" + "@mail.example\n" + "user@host.com\n" + "10.0.0.0/8\n" + " C=SE, CN=spacing \n"; final String excluded = "forbidden.example.com\n" + "postmaster@mail.example\n" + "10.1.0.0/16\n" + "::/0"; // IPv6 final List<Extension> extensions = new ArrayList<Extension>(); GeneralSubtree[] permittedSubtrees = NameConstraint .toGeneralSubtrees(NameConstraint.parseNameConstraintsList(permitted)); GeneralSubtree[] excludedSubtrees = NameConstraint .toGeneralSubtrees(NameConstraint.parseNameConstraintsList(excluded)); byte[] extdata = new NameConstraints(permittedSubtrees, excludedSubtrees).toASN1Primitive().getEncoded(); extensions.add(new Extension(Extension.nameConstraints, false, extdata)); final KeyPair testkeys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA); X509Certificate cacert = CertTools.genSelfCertForPurpose("C=SE,CN=Test Name Constraints CA", 365, null, testkeys.getPrivate(), testkeys.getPublic(), AlgorithmConstants.SIGALG_SHA1_WITH_RSA, true, X509KeyUsage.keyCertSign + X509KeyUsage.cRLSign, null, null, "BC", true, extensions); // Allowed subject DNs final X500Name validDN = new X500Name("C=SE,CN=example.com"); // re-used below CertTools.checkNameConstraints(cacert, validDN, null); CertTools.checkNameConstraints(cacert, new X500Name("C=SE,CN=spacing"), null); // Allowed subject alternative names CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.dNSName, "example.com"))); CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.dNSName, "x.sub.example.com"))); CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.rfc822Name, "someuser@mail.example"))); CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.rfc822Name, "user@host.com"))); CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.iPAddress, new DEROctetString(InetAddress.getByName("10.0.0.1").getAddress())))); CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.iPAddress, new DEROctetString(InetAddress.getByName("10.255.255.255").getAddress())))); // Disallowed subject DN checkNCException(cacert, new X500Name("C=DK,CN=example.com"), null, "Disallowed DN (wrong field value) was accepted"); checkNCException(cacert, new X500Name("C=SE,O=Company,CN=example.com"), null, "Disallowed DN (extra field) was accepted"); // Disallowed SAN // The commented out lines are allowed by BouncyCastle but disallowed by the RFC checkNCException(cacert, validDN, new GeneralName(GeneralName.dNSName, "bad.com"), "Disallowed SAN (wrong DNS name) was accepted"); checkNCException(cacert, validDN, new GeneralName(GeneralName.dNSName, "forbidden.example.com"), "Disallowed SAN (excluded DNS subdomain) was accepted"); checkNCException(cacert, validDN, new GeneralName(GeneralName.rfc822Name, "wronguser@host.com"), "Disallowed SAN (wrong e-mail) was accepted"); checkNCException(cacert, validDN, new GeneralName(GeneralName.iPAddress, new DEROctetString(InetAddress.getByName("10.1.0.1").getAddress())), "Disallowed SAN (excluded IPv4 address) was accepted"); checkNCException(cacert, validDN, new GeneralName(GeneralName.iPAddress, new DEROctetString(InetAddress.getByName("192.0.2.1").getAddress())), "Disallowed SAN (wrong IPv4 address) was accepted"); checkNCException(cacert, validDN, new GeneralName(GeneralName.iPAddress, new DEROctetString(InetAddress.getByName("2001:DB8::").getAddress())), "Disallowed SAN (IPv6 address) was accepted"); }
From source file:org.cesecore.util.PKIXCertRevocationStatusChecker.java
License:Open Source License
/** * Construct an OCSP request// w w w. ja v a 2s. c o m * @param cacert The certificate of the issuer of the certificate to be checked * @param certSerialnumber the serialnumber of the certificate to be checked * @param nonce random nonce to be included in the OCSP request (OCSP POST) * @return OCSPReq * @throws CertificateEncodingException * @throws OCSPException */ private OCSPReq getOcspRequest(Certificate cacert, BigInteger certSerialnumber, final byte[] nonce) throws CertificateEncodingException, OCSPException { OCSPReqBuilder gen = new OCSPReqBuilder(); gen.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), (X509Certificate) cacert, certSerialnumber)); Extension[] extensions = new Extension[1]; extensions[0] = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)); gen.setRequestExtensions(new Extensions(extensions)); return gen.build(); }
From source file:org.cesecore.util.provider.EkuPKIXCertPathCheckerTest.java
License:Open Source License
/** @return true if the extendedKeyUsage was accepted */ private boolean validateCert(KeyPair keyPair, boolean isCa, List<String> actualOids, List<String> requiredOids) throws Exception { final long now = System.currentTimeMillis(); final List<Extension> additionalExtensions = new ArrayList<Extension>(); if (actualOids != null) { List<KeyPurposeId> actual = new ArrayList<KeyPurposeId>(); for (final String oid : actualOids) { actual.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(oid))); }/*from w ww . j a v a2 s . c o m*/ final ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(actual.toArray(new KeyPurposeId[0])); final ASN1Sequence seq = ASN1Sequence.getInstance(extendedKeyUsage.toASN1Primitive()); final Extension extension = new Extension(Extension.extendedKeyUsage, true, seq.getEncoded()); additionalExtensions.add(extension); } final int ku; if (isCa) { ku = X509KeyUsage.cRLSign | X509KeyUsage.keyCertSign; } else { ku = X509KeyUsage.digitalSignature | X509KeyUsage.keyEncipherment; } final X509Certificate cert = CertTools.genSelfCertForPurpose("CN=dummy", new Date(now - 3600000L), new Date(now + 3600000L), null, keyPair.getPrivate(), keyPair.getPublic(), AlgorithmConstants.SIGALG_SHA1_WITH_RSA, isCa, ku, null, null, BouncyCastleProvider.PROVIDER_NAME, true, additionalExtensions); final PKIXCertPathChecker pkixCertPathChecker = new EkuPKIXCertPathChecker(requiredOids); final Collection<String> unresolvedCritExts = new ArrayList<String>( Arrays.asList(new String[] { Extension.extendedKeyUsage.getId() })); pkixCertPathChecker.check(cert, unresolvedCritExts); return !unresolvedCritExts.contains(Extension.extendedKeyUsage.getId()); }
From source file:org.cryptable.pki.communication.PKICMPMessages.java
License:Open Source License
/** * Revoke a certificate//w w w. j a v a 2s . c o m * */ public byte[] createRevocationMessage(RevocationInput[] revocationInputs) throws CertificateEncodingException, CMSException, CRMFException, OperatorCreationException, CMPException, IOException, PKICMPMessageException, NoSuchFieldException, IllegalAccessException { List<RevDetails> revDetailsList = new ArrayList<RevDetails>(revocationInputs.length); for (RevocationInput revocationInput : revocationInputs) { List<Extension> extensions = new ArrayList<Extension>(); X509CertificateHolder x509CertificateHolder = new JcaX509CertificateHolder( revocationInput.getX509Certificate()); CertTemplateBuilder certTemplateBuilder = new CertTemplateBuilder(); // Template to fill in certTemplateBuilder.setSubject(x509CertificateHolder.getSubject()) .setIssuer(x509CertificateHolder.getIssuer()) .setSerialNumber(new ASN1Integer(x509CertificateHolder.getSerialNumber())) .setPublicKey(x509CertificateHolder.getSubjectPublicKeyInfo()); // Optional Revocation Extensions if (revocationInput.getReasonCode() != -1) { extensions.add(new Extension(Extension.reasonCode, false, new ReasonFlags(revocationInput.getReasonCode()).getEncoded())); } if (revocationInput.getInvalidityDate() != null) { extensions.add(new Extension(Extension.invalidityDate, false, new Time(revocationInput.getInvalidityDate()).getEncoded())); } if (extensions.size() == 0) { revDetailsList.add(new RevDetails(certTemplateBuilder.build())); } else { revDetailsList.add(new RevDetails(certTemplateBuilder.build(), new Extensions(extensions.toArray(new Extension[extensions.size()])))); } } RevReqContent revReqContent = new RevReqContent( revDetailsList.toArray(new RevDetails[revDetailsList.size()])); return createProtectedPKIMessage(new PKIBody(PKIBody.TYPE_REVOCATION_REQ, revReqContent)); }
From source file:org.cryptable.pki.communication.PKICMPMessagesTest.java
License:Open Source License
/** * Check the extensions in the certification request * * @throws OperatorCreationException//w w w . java 2 s .c o m * @throws PKICMPMessageException * @throws CertificateEncodingException * @throws IOException * @throws CRMFException * @throws CMPException * @throws CMSException */ @Test public void testCertificationWithExtensions() throws OperatorCreationException, PKICMPMessageException, CertificateEncodingException, IOException, CRMFException, CMPException, CMSException, NoSuchFieldException, IllegalAccessException { String distinguishedName = pki.getTestUser1Cert().getSubjectX500Principal().getName(); KeyPair keyPair = new KeyPair(pki.getTestUser1Cert().getPublicKey(), pki.getTestUser1CertPrivateKey()); List<Extension> extensionList = new ArrayList<Extension>(); // KeyUsage extensionList.add(new Extension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation).getEncoded())); // Extended keyUsage List<KeyPurposeId> keyPurposeIds = new ArrayList<KeyPurposeId>(); keyPurposeIds.add(KeyPurposeId.getInstance(KeyPurposeId.id_kp_clientAuth)); keyPurposeIds.add(KeyPurposeId.getInstance(KeyPurposeId.id_kp_emailProtection)); extensionList.add(new Extension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(keyPurposeIds.toArray(new KeyPurposeId[keyPurposeIds.size()])).getEncoded())); // Subject alternative names List<GeneralName> generalNames = new ArrayList<GeneralName>(); generalNames.add(new GeneralName(GeneralName.dNSName, "www1.cryptable.org")); generalNames.add(new GeneralName(GeneralName.dNSName, "www2.cryptable.org")); GeneralNames subjectAlternativeName = new GeneralNames( generalNames.toArray(new GeneralName[generalNames.size()])); extensionList.add( new Extension(X509Extension.subjectAlternativeName, false, subjectAlternativeName.getEncoded())); PKICMPMessages pkiMessages = new PKICMPMessages(); pkiMessages.setPkiKeyStore(pkiKeyStoreRA); pkiMessages.setExtensions(extensionList.toArray(new Extension[extensionList.size()])); byte[] result = pkiMessages.createCertificateMessageWithLocalKey(distinguishedName, keyPair); ASN1InputStream asn1InputStream = new ASN1InputStream(result); ASN1Primitive asn1Primitive = asn1InputStream.readObject(); PKIMessage pkiMessage = PKIMessage.getInstance(asn1Primitive); CertReqMsg[] certReqMsgs = CertReqMessages.getInstance(pkiMessage.getBody().getContent()) .toCertReqMsgArray(); // KeyUsage KeyUsage verifyKeyUsage = KeyUsage.getInstance(certReqMsgs[0].getCertReq().getCertTemplate().getExtensions() .getExtensionParsedValue(Extension.keyUsage)); Assert.assertEquals(KeyUsage.digitalSignature | KeyUsage.nonRepudiation, verifyKeyUsage.getBytes()[0] & 0xFF); // Extended KeyUsage ExtendedKeyUsage verifyExtendedKeyUsage = ExtendedKeyUsage .fromExtensions(certReqMsgs[0].getCertReq().getCertTemplate().getExtensions()); Assert.assertTrue(verifyExtendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_clientAuth)); Assert.assertTrue(verifyExtendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_emailProtection)); // Subject Alternative Name GeneralNames verifyGeneralNames = GeneralNames.fromExtensions( certReqMsgs[0].getCertReq().getCertTemplate().getExtensions(), Extension.subjectAlternativeName); Assert.assertTrue(generalNames.contains(verifyGeneralNames.getNames()[0])); Assert.assertTrue(generalNames.contains(verifyGeneralNames.getNames()[1])); }
From source file:org.cryptable.pki.communication.PKICMPMessagesTest.java
License:Open Source License
/** * Test the confirmation message from the certification authority * * @throws IOException/* ww w . j a va2 s . c o m*/ * @throws CertificateEncodingException * @throws OperatorCreationException * @throws CMPException */ @Test public void testKeyUpdateWithLocalKeyWithExtensions() throws IOException, CertificateEncodingException, OperatorCreationException, CMPException, PKICMPMessageException, CRMFException, IllegalAccessException, CMSException, NoSuchFieldException { PKICMPMessages pkiMessages = new PKICMPMessages(); pkiMessages.setPkiKeyStore(pkiKeyStoreRA); KeyPair keyPair = new KeyPair(pki.getTestUser2Cert().getPublicKey(), pki.getTestUser2CertPrivateKey()); List<Extension> extensionList = new ArrayList<Extension>(); // KeyUsage extensionList.add(new Extension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation).getEncoded())); // Extended keyUsage List<KeyPurposeId> keyPurposeIds = new ArrayList<KeyPurposeId>(); keyPurposeIds.add(KeyPurposeId.getInstance(KeyPurposeId.id_kp_clientAuth)); keyPurposeIds.add(KeyPurposeId.getInstance(KeyPurposeId.id_kp_emailProtection)); extensionList.add(new Extension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(keyPurposeIds.toArray(new KeyPurposeId[keyPurposeIds.size()])).getEncoded())); pkiMessages.setExtensions(extensionList.toArray(new Extension[extensionList.size()])); byte[] result = pkiMessages.createKeyUpdateMessageWithLocalKey(pki.getRACert(), keyPair); ASN1InputStream asn1InputStream = new ASN1InputStream(result); ASN1Primitive asn1Primitive = asn1InputStream.readObject(); PKIMessage pkiMessage = PKIMessage.getInstance(asn1Primitive); // Check the Body CertReqMsg[] certReqMsgs = CertReqMessages.getInstance(pkiMessage.getBody().getContent()) .toCertReqMsgArray(); // Extensions check // KeyUsage KeyUsage verifyKeyUsage = KeyUsage.getInstance(certReqMsgs[0].getCertReq().getCertTemplate().getExtensions() .getExtensionParsedValue(Extension.keyUsage)); Assert.assertEquals(KeyUsage.digitalSignature | KeyUsage.nonRepudiation, verifyKeyUsage.getBytes()[0] & 0xFF); // Extended KeyUsage ExtendedKeyUsage verifyExtendedKeyUsage = ExtendedKeyUsage .fromExtensions(certReqMsgs[0].getCertReq().getCertTemplate().getExtensions()); Assert.assertTrue(verifyExtendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_clientAuth)); Assert.assertTrue(verifyExtendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_emailProtection)); }
From source file:org.ejbca.core.protocol.cmp.CmpMessageHelper.java
License:Open Source License
public static RevDetails getNovosecRevDetails(RevReqContent revContent) { // Novosec implements RFC2510, while bouncycastle 1.47 implements RFC4210. ///*from ww w. j a va2 s . co m*/ // In RFC2510/novosec, the RevDetails structure looks like this: // RevDetails ::= SEQUENCE { // certDetails CertTemplate, // revocationReason ReasonFlags OPTIONAL, // badSinceDate GeneralizedTime OPTIONAL, // crlEntryDetails Extensions OPTIONAL // } // // In RFC4210/bouncycastle, the REVDetails structure looks like this: // RevDetails ::= SEQUENCE { // certDetails CertTemplate, // crlEntryDetails Extensions OPTIONAL // } // // This means that there is a chance that the request generated using novosec specifies the revocation reason in 'revocationReason' and not // as an extension, leading to Ejbca not being able to parse the request using bouncycastle OR not setting the correct revocation reason. ASN1Encodable o2 = ((DERSequence) revContent.toASN1Primitive()).getObjectAt(0); ASN1Encodable o3 = ((DERSequence) o2).getObjectAt(0); CertTemplate ct = CertTemplate.getInstance(o3); ReasonFlags reasonbits = null; Extensions crlEntryDetails = null; int seqSize = ((DERSequence) o2).size(); for (int i = 1; i < seqSize; i++) { ASN1Encodable o4 = ((DERSequence) o2).getObjectAt(i); if (o4 instanceof DERBitString) { reasonbits = new ReasonFlags((DERBitString) o4); } else if (o4 instanceof DERGeneralizedTime) { DERGeneralizedTime.getInstance(o4); // bad since time, not used in the bouncycastle class } else if (o4 instanceof DERSequence) { crlEntryDetails = Extensions.getInstance(o4); } } if ((crlEntryDetails != null) && (reasonbits != null)) { Extension reason = crlEntryDetails.getExtension(Extension.reasonCode); if (reason == null) { reason = new Extension(Extension.reasonCode, true, ASN1OctetString.getInstance(reasonbits.getBytes())); } } else if ((crlEntryDetails == null) && (reasonbits != null)) { ExtensionsGenerator extgen = new ExtensionsGenerator(); try { extgen.addExtension(Extension.reasonCode, true, ASN1OctetString.getInstance(reasonbits.getBytes())); crlEntryDetails = extgen.generate(); } catch (IOException e) { LOG.error(e.getLocalizedMessage(), e); } } //The constructor RevDetails(certTemplate, crlEntryDetails) only sets 'crlEntryDetails' and ignores 'certTemplate' //This is a reported bug in bouncycastle. For now, the only way to have both of them set is to create a ASN1/DERSequence ASN1EncodableVector seq = new ASN1EncodableVector(); seq.add(ct); seq.add(crlEntryDetails); RevDetails res = RevDetails.getInstance(new DERSequence(seq)); return res; }
From source file:org.ejbca.core.protocol.ocsp.extension.certhash.OcspCertHashExtension.java
License:Open Source License
@Override public Map<ASN1ObjectIdentifier, Extension> process(X509Certificate[] requestCertificates, String remoteAddress, String remoteHost, X509Certificate cert, org.bouncycastle.cert.ocsp.CertificateStatus status) { MessageDigest md = null;//from w w w . ja v a2 s. c om try { md = MessageDigest.getInstance("SHA256"); } catch (NoSuchAlgorithmException e) { //This state can't be handled, shouldn't return null log.error("Could not create MessageDigest with algorithm SHA256", e); throw new IllegalStateException("Could not create MessageDigest with algorithm SHA256", e); } CertHash certHash; try { certHash = new CertHash(new AlgorithmIdentifier(SHA256), md.digest(cert.getEncoded())); } catch (CertificateEncodingException e) { //This state can't be handled, shouldn't return null log.error("Could not encode certificate " + cert, e); throw new IllegalStateException("Could not encode certificate " + cert, e); } HashMap<ASN1ObjectIdentifier, Extension> result = new HashMap<ASN1ObjectIdentifier, Extension>(); try { result.put(new ASN1ObjectIdentifier(CERT_HASH_OID), new Extension(new ASN1ObjectIdentifier(CERT_HASH_OID), false, new DEROctetString(certHash))); } catch (IOException e) { throw new IllegalStateException("Could not construct an ASN.1Primitive.", e); } return result; }
From source file:org.ejbca.core.protocol.ocsp.extension.unid.OCSPUnidExtension.java
License:Open Source License
@Override public Map<ASN1ObjectIdentifier, Extension> process(X509Certificate[] requestCertificates, String remoteAddress, String remoteHost, X509Certificate cert, CertificateStatus status) { if (m_log.isTraceEnabled()) { m_log.trace(">process()"); }/* w w w .java2 s. c o m*/ // Check authorization first if (!checkAuthorization(requestCertificates, remoteAddress, remoteHost)) { errCode = OCSPUnidExtension.ERROR_UNAUTHORIZED; return null; } // If the certificate is revoked, we must not return an FNR if (status != null) { errCode = OCSPUnidExtension.ERROR_CERT_REVOKED; return null; } Connection con = null; PreparedStatement ps = null; ResultSet result = null; String fnr = null; String sn = null; try { // The Unis is in the DN component serialNumber sn = CertTools.getPartFromDN(cert.getSubjectDN().getName(), "SN"); if (sn != null) { if (m_log.isDebugEnabled()) { m_log.debug("Found serialNumber: " + sn); } String iMsg = intres.getLocalizedMessage("ocsp.receivedunidreq", remoteAddress, remoteHost, sn); m_log.info(iMsg); try { con = ServiceLocator.getInstance().getDataSource(dataSourceJndi).getConnection(); } catch (SQLException e) { String errMsg = intres.getLocalizedMessage("ocsp.errordatabaseunid"); m_log.error(errMsg, e); errCode = OCSPUnidExtension.ERROR_SERVICE_UNAVAILABLE; return null; } ps = con.prepareStatement("select fnr from UnidFnrMapping where unid=?"); ps.setString(1, sn); result = ps.executeQuery(); if (result.next()) { fnr = result.getString(1); } } else { String errMsg = intres.getLocalizedMessage("ocsp.errorunidnosnindn", cert.getSubjectDN().getName()); m_log.error(errMsg); errCode = OCSPUnidExtension.ERROR_NO_SERIAL_IN_DN; return null; } m_log.trace("<process()"); } catch (Exception e) { throw new EJBException(e); } finally { JDBCUtil.close(con, ps, result); } // Construct the response extentsion if we found a mapping if (fnr == null) { String errMsg = intres.getLocalizedMessage("ocsp.errorunidnosnmapping", sn); m_log.error(errMsg); errCode = OCSPUnidExtension.ERROR_NO_FNR_MAPPING; return null; } String errMsg = intres.getLocalizedMessage("ocsp.returnedunidresponse", remoteAddress, remoteHost, fnr, sn); m_log.info(errMsg); FnrFromUnidExtension ext = new FnrFromUnidExtension(fnr); HashMap<ASN1ObjectIdentifier, Extension> ret = new HashMap<ASN1ObjectIdentifier, Extension>(); try { ret.put(FnrFromUnidExtension.FnrFromUnidOid, new Extension(FnrFromUnidExtension.FnrFromUnidOid, false, new DEROctetString(ext))); } catch (IOException e) { throw new IllegalStateException("Unexpected IOException caught.", e); } return ret; }