List of usage examples for org.bouncycastle.asn1.x509 Extension subjectKeyIdentifier
ASN1ObjectIdentifier subjectKeyIdentifier
To view the source code for org.bouncycastle.asn1.x509 Extension subjectKeyIdentifier.
Click Source Link
From source file:org.xipki.ca.certprofile.internal.ProfileConfCreatorDemo.java
License:Open Source License
private static X509ProfileType Certprofile_gSMC_K() throws Exception { X509ProfileType profile = getBaseProfile("Certprofile gSMC_K", false, "5y", false, new String[] { "SHA256" }); profile.setDuplicateSubject(true);//from w ww. j a va 2 s. c om // SpecialBehavior profile.setSpecialBehavior(SpecialX509CertprofileBehavior.gematik_gSMC_K.name()); // Maximal liftime Parameters profileParams = new Parameters(); profile.setParameters(profileParams); NameValueType nv = new NameValueType(); nv.setName(SpecialX509CertprofileBehavior.PARAMETER_MAXLIFTIME); nv.setValue(Integer.toString(20 * 365)); profileParams.getParameter().add(nv); // Subject Subject subject = profile.getSubject(); subject.setIncSerialNumber(false); List<RdnType> rdnControls = subject.getRdn(); rdnControls.add(createRDN(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE" }, null, null)); rdnControls.add(createRDN(ObjectIdentifiers.DN_O, 1, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_OU, 0, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_ST, 0, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_L, 0, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_POSTAL_CODE, 0, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_STREET, 0, 1)); // regex: ICCSN-yyyyMMdd String regex = "80276[\\d]{15,15}-20\\d\\d(0[1-9]|1[012])(0[1-9]|[12][0-9]|3[01])"; rdnControls.add(createRDN(ObjectIdentifiers.DN_CN, 1, 1, new String[] { regex }, null, null)); // Extensions ExtensionsType extensions = profile.getExtensions(); List<ExtensionType> list = extensions.getExtension(); list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null)); list.add(createExtension(Extension.cRLDistributionPoints, false, false, null)); // Extensions - basicConstraints ExtensionValueType extensionValue = null; list.add(createExtension(Extension.basicConstraints, true, true, extensionValue)); // Extensions - AuthorityInfoAccess extensionValue = createAuthorityInfoAccess(); list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue)); // Extensions - AuthorityKeyIdentifier extensionValue = createAuthorityKeyIdentifier(true); list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue)); // Extensions - keyUsage extensionValue = createKeyUsages( new KeyUsageEnum[] { KeyUsageEnum.DIGITAL_SIGNATURE, KeyUsageEnum.KEY_ENCIPHERMENT }, null); list.add(createExtension(Extension.keyUsage, true, true, extensionValue)); // Extensions - extenedKeyUsage extensionValue = createExtendedKeyUsage(new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_serverAuth }, new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_clientAuth }); list.add(createExtension(Extension.extendedKeyUsage, true, false, extensionValue)); // Extensions - Policy CertificatePolicies policies = new CertificatePolicies(); ASN1ObjectIdentifier[] policyIds = new ASN1ObjectIdentifier[] { id_gematik.branch("79"), id_gematik.branch("163") }; for (ASN1ObjectIdentifier id : policyIds) { CertificatePolicyInformationType policyInfo = new CertificatePolicyInformationType(); policies.getCertificatePolicyInformation().add(policyInfo); policyInfo.setPolicyIdentifier(createOidType(id)); } extensionValue = createExtensionValueType(policies); list.add(createExtension(Extension.certificatePolicies, true, false, extensionValue)); // Extension - Adminssion Admission admission = new Admission(); admission.getProfessionOid().add(createOidType(id_gematik.branch("103"))); admission.getProfessionItem().add("Anwendungskonnektor"); extensionValue = createExtensionValueType(admission); list.add(createExtension(ObjectIdentifiers.id_extension_admission, true, false, extensionValue)); // SubjectAltNames extensionValue = null; list.add(createExtension(Extension.subjectAlternativeName, false, false, extensionValue)); return profile; }
From source file:org.xipki.ca.certprofile.internal.ProfileConfCreatorDemo.java
License:Open Source License
private static X509ProfileType Certprofile_MultipleOUs() throws Exception { X509ProfileType profile = getBaseProfile("Certprofile Multiple OUs DEMO", false, "5y", false, new String[] { "SHA1" }); // Subject// w ww . j a v a2 s. c om Subject subject = profile.getSubject(); subject.setIncSerialNumber(false); List<RdnType> rdnControls = subject.getRdn(); rdnControls.add(createRDN(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE|FR" }, null, null)); rdnControls.add(createRDN(ObjectIdentifiers.DN_O, 1, 1)); final String regex_ou1 = "[A-Z]{1,1}[\\d]{5,5}"; final String regex_ou2 = "[\\d]{5,5}"; rdnControls .add(createRDN(ObjectIdentifiers.DN_OU, 2, 2, new String[] { regex_ou1, regex_ou2 }, null, null)); rdnControls.add(createRDN(ObjectIdentifiers.DN_SN, 0, 1, new String[] { REGEX_SN }, null, null)); rdnControls.add(createRDN(ObjectIdentifiers.DN_CN, 1, 1)); // Extensions // Extensions - general ExtensionsType extensions = profile.getExtensions(); List<ExtensionType> list = extensions.getExtension(); list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null)); list.add(createExtension(Extension.cRLDistributionPoints, false, false, null)); list.add(createExtension(Extension.freshestCRL, false, false, null)); // Extensions - basicConstraints ExtensionValueType extensionValue = null; list.add(createExtension(Extension.basicConstraints, true, true, extensionValue)); // Extensions - AuthorityInfoAccess extensionValue = createAuthorityInfoAccess(); list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue)); // Extensions - AuthorityKeyIdentifier extensionValue = createAuthorityKeyIdentifier(true); list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue)); // Extensions - keyUsage extensionValue = createKeyUsages(new KeyUsageEnum[] { KeyUsageEnum.CONTENT_COMMITMENT }, null); list.add(createExtension(Extension.keyUsage, true, true, extensionValue)); return profile; }
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
private List<ValidationIssue> checkExtensions(final Certificate bcCert, final X509Certificate cert, final X509IssuerInfo issuerInfo, final Extensions requestExtensions) { List<ValidationIssue> result = new LinkedList<>(); // detect the list of extension types in certificate Set<ASN1ObjectIdentifier> presentExtenionTypes = getExensionTypes(bcCert, issuerInfo, requestExtensions); Extensions extensions = bcCert.getTBSCertificate().getExtensions(); ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs(); if (oids == null) { ValidationIssue issue = new ValidationIssue("X509.EXT.GEN", "extension general"); result.add(issue);/*ww w.ja v a 2 s .co m*/ issue.setFailureMessage("no extension is present"); return result; } List<ASN1ObjectIdentifier> certExtTypes = Arrays.asList(oids); for (ASN1ObjectIdentifier extType : presentExtenionTypes) { if (certExtTypes.contains(extType) == false) { ValidationIssue issue = createExtensionIssue(extType); result.add(issue); issue.setFailureMessage("extension is absent but is required"); } } for (ASN1ObjectIdentifier oid : certExtTypes) { ValidationIssue issue = createExtensionIssue(oid); result.add(issue); if (presentExtenionTypes.contains(oid) == false) { issue.setFailureMessage("extension is present but is not permitted"); continue; } Extension ext = extensions.getExtension(oid); StringBuilder failureMsg = new StringBuilder(); ExtensionControl extControl = extensionControls.get(oid); if (extControl.isCritical() != ext.isCritical()) { failureMsg.append( "critical is '" + ext.isCritical() + "' but expected '" + extControl.isCritical() + "'"); failureMsg.append("; "); } byte[] extensionValue = ext.getExtnValue().getOctets(); try { if (Extension.authorityKeyIdentifier.equals(oid)) { // AuthorityKeyIdentifier checkExtensionIssuerKeyIdentifier(failureMsg, extensionValue, issuerInfo); } else if (Extension.subjectKeyIdentifier.equals(oid)) { // SubjectKeyIdentifier checkExtensionSubjectKeyIdentifier(failureMsg, extensionValue, bcCert.getSubjectPublicKeyInfo()); } else if (Extension.keyUsage.equals(oid)) { // KeyUsage checkExtensionKeyUsage(failureMsg, extensionValue, cert.getKeyUsage(), requestExtensions, extControl); } else if (Extension.certificatePolicies.equals(oid)) { // CertificatePolicies checkExtensionCertificatePolicies(failureMsg, extensionValue, requestExtensions, extControl); } else if (Extension.policyMappings.equals(oid)) { // Policy Mappings checkExtensionPolicyMappings(failureMsg, extensionValue, requestExtensions, extControl); } else if (Extension.subjectAlternativeName.equals(oid)) { // SubjectAltName checkExtensionSubjectAltName(failureMsg, extensionValue, requestExtensions, extControl); } else if (Extension.issuerAlternativeName.equals(oid)) { // IssuerAltName checkExtensionIssuerAltNames(failureMsg, extensionValue, issuerInfo); } else if (Extension.basicConstraints.equals(oid)) { // Basic Constraints checkExtensionBasicConstraints(failureMsg, extensionValue); } else if (Extension.nameConstraints.equals(oid)) { // Name Constraints checkExtensionNameConstraints(failureMsg, extensionValue, extensions, extControl); } else if (Extension.policyConstraints.equals(oid)) { // PolicyConstrains checkExtensionPolicyConstraints(failureMsg, extensionValue, requestExtensions, extControl); } else if (Extension.extendedKeyUsage.equals(oid)) { // ExtendedKeyUsage checkExtensionExtendedKeyUsage(failureMsg, extensionValue, requestExtensions, extControl); } else if (Extension.cRLDistributionPoints.equals(oid)) { // CRL Distribution Points checkExtensionCrlDistributionPoints(failureMsg, extensionValue, issuerInfo); continue; } else if (Extension.inhibitAnyPolicy.equals(oid)) { // Inhibit anyPolicy checkExtensionInhibitAnyPolicy(failureMsg, extensionValue, extensions, extControl); } else if (Extension.freshestCRL.equals(oid)) { // Freshest CRL checkExtensionDeltaCrlDistributionPoints(failureMsg, extensionValue, issuerInfo); } else if (Extension.authorityInfoAccess.equals(oid)) { // Authority Information Access checkExtensionAuthorityInfoAccess(failureMsg, extensionValue, issuerInfo); } else if (Extension.subjectInfoAccess.equals(oid)) { // SubjectInfoAccess checkExtensionSubjectInfoAccess(failureMsg, extensionValue, requestExtensions, extControl); } else if (ObjectIdentifiers.id_extension_admission.equals(oid)) { // Admission checkExtensionAdmission(failureMsg, extensionValue, requestExtensions, extControl); } else if (ObjectIdentifiers.id_extension_pkix_ocsp_nocheck.equals(oid)) { // ocsp-nocheck checkExtensionOcspNocheck(failureMsg, extensionValue); } else { byte[] expected = getExpectedExtValue(oid, requestExtensions, extControl); if (Arrays.equals(expected, extensionValue) == false) { failureMsg.append("extension valus is '" + hex(extensionValue) + "' but expected '" + (expected == null ? "not present" : hex(expected)) + "'"); failureMsg.append("; "); } } if (failureMsg.length() > 0) { issue.setFailureMessage(failureMsg.toString()); } } catch (IllegalArgumentException | ClassCastException | ArrayIndexOutOfBoundsException e) { LOG.debug("extension value does not have correct syntax", e); issue.setFailureMessage("extension value does not have correct syntax"); } } return result; }
From source file:org.xipki.ca.qa.impl.X509CertprofileQAImpl.java
License:Open Source License
private Set<ASN1ObjectIdentifier> getExensionTypes(final Certificate cert, final X509IssuerInfo issuerInfo, final Extensions requestedExtensions) { Set<ASN1ObjectIdentifier> types = new HashSet<>(); // profile required extension types for (ASN1ObjectIdentifier oid : extensionControls.keySet()) { if (extensionControls.get(oid).isRequired()) { types.add(oid);// w ww. j a v a 2 s . c o m } } Set<ASN1ObjectIdentifier> wantedExtensionTypes = new HashSet<>(); if (requestedExtensions != null) { Extension reqExtension = requestedExtensions .getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions); if (reqExtension != null) { ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue()); types.addAll(ee.getNeedExtensions()); wantedExtensionTypes.addAll(ee.getWantExtensions()); } } if (CollectionUtil.isEmpty(wantedExtensionTypes)) { return types; } // wanted extension types // Authority key identifier ASN1ObjectIdentifier type = Extension.authorityKeyIdentifier; if (wantedExtensionTypes.contains(type)) { types.add(type); } // Subject key identifier type = Extension.subjectKeyIdentifier; if (wantedExtensionTypes.contains(type)) { types.add(type); } // KeyUsage type = Extension.keyUsage; if (wantedExtensionTypes.contains(type)) { boolean required = false; if (requestedExtensions.getExtension(type) != null) { required = true; } if (required == false) { Set<KeyUsageControl> requiredKeyusage = getKeyusage(true); if (CollectionUtil.isNotEmpty(requiredKeyusage)) { required = true; } } if (required) { types.add(type); } } // CertificatePolicies type = Extension.certificatePolicies; if (wantedExtensionTypes.contains(type)) { if (certificatePolicies != null) { types.add(type); } } // Policy Mappings type = Extension.policyMappings; if (wantedExtensionTypes.contains(type)) { if (policyMappings != null) { types.add(type); } } // SubjectAltNames type = Extension.subjectAlternativeName; if (wantedExtensionTypes.contains(type)) { if (requestedExtensions.getExtension(type) != null) { types.add(type); } } // IssuerAltName type = Extension.issuerAlternativeName; if (wantedExtensionTypes.contains(type)) { if (cert.getTBSCertificate().getExtensions().getExtension(Extension.subjectAlternativeName) != null) { types.add(type); } } // BasicConstraints type = Extension.basicConstraints; if (wantedExtensionTypes.contains(type)) { types.add(type); } // Name Constraints type = Extension.nameConstraints; if (wantedExtensionTypes.contains(type)) { if (nameConstraints != null) { types.add(type); } } // PolicyConstrains type = Extension.policyConstraints; if (wantedExtensionTypes.contains(type)) { if (policyConstraints != null) { types.add(type); } } // ExtendedKeyUsage type = Extension.extendedKeyUsage; if (wantedExtensionTypes.contains(type)) { boolean required = false; if (requestedExtensions.getExtension(type) != null) { required = true; } if (required == false) { Set<ExtKeyUsageControl> requiredExtKeyusage = getExtKeyusage(true); if (CollectionUtil.isNotEmpty(requiredExtKeyusage)) { required = true; } } if (required) { types.add(type); } } // CRLDistributionPoints type = Extension.cRLDistributionPoints; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getCrlURLs() != null) { types.add(type); } } // Inhibit anyPolicy type = Extension.inhibitAnyPolicy; if (wantedExtensionTypes.contains(type)) { if (inhibitAnyPolicy != null) { types.add(type); } } // FreshestCRL type = Extension.freshestCRL; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getDeltaCrlURLs() != null) { types.add(type); } } // AuthorityInfoAccess type = Extension.authorityInfoAccess; if (wantedExtensionTypes.contains(type)) { if (issuerInfo.getOcspURLs() != null) { types.add(type); } } // SubjectInfoAccess type = Extension.subjectInfoAccess; if (wantedExtensionTypes.contains(type)) { if (requestedExtensions.getExtension(type) != null) { types.add(type); } } // Admission type = ObjectIdentifiers.id_extension_admission; if (wantedExtensionTypes.contains(type)) { if (admission != null) { types.add(type); } } // ocsp-nocheck type = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck; if (wantedExtensionTypes.contains(type)) { types.add(type); } wantedExtensionTypes.removeAll(types); for (ASN1ObjectIdentifier oid : wantedExtensionTypes) { if (requestedExtensions.getExtension(oid) != null) { if (constantExtensions.containsKey(oid)) { types.add(oid); } } } return types; }
From source file:org.xipki.ca.server.impl.IdentifiedX509Certprofile.java
License:Open Source License
public ExtensionValues getExtensions(final X500Name requestedSubject, final Extensions requestExtensions, final SubjectPublicKeyInfo publicKeyInfo, final PublicCAInfo publicCaInfo, final X509Certificate crlSignerCert) throws CertprofileException, BadCertTemplateException { ExtensionValues values = new ExtensionValues(); Map<ASN1ObjectIdentifier, ExtensionControl> controls = new HashMap<>(certprofile.getExtensionControls()); Set<ASN1ObjectIdentifier> neededExtensionTypes = new HashSet<>(); Set<ASN1ObjectIdentifier> wantedExtensionTypes = new HashSet<>(); if (requestExtensions != null) { Extension reqExtension = requestExtensions .getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions); if (reqExtension != null) { ExtensionExistence ee = ExtensionExistence.getInstance(reqExtension.getParsedValue()); neededExtensionTypes.addAll(ee.getNeedExtensions()); wantedExtensionTypes.addAll(ee.getWantExtensions()); }/* ww w .ja v a2s .c o m*/ for (ASN1ObjectIdentifier oid : neededExtensionTypes) { if (wantedExtensionTypes.contains(oid)) { wantedExtensionTypes.remove(oid); } if (controls.containsKey(oid) == false) { throw new BadCertTemplateException("could not add needed extension " + oid.getId()); } } } // SubjectKeyIdentifier ASN1ObjectIdentifier extType = Extension.subjectKeyIdentifier; ExtensionControl extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { MessageDigest sha1; try { sha1 = MessageDigest.getInstance("SHA-1"); } catch (NoSuchAlgorithmException e) { throw new CertprofileException(e.getMessage(), e); } byte[] skiValue = sha1.digest(publicKeyInfo.getPublicKeyData().getBytes()); SubjectKeyIdentifier value = new SubjectKeyIdentifier(skiValue); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // Authority key identifier extType = Extension.authorityKeyIdentifier; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { byte[] ikiValue = publicCaInfo.getSubjectKeyIdentifer(); AuthorityKeyIdentifier value = null; if (ikiValue != null) { if (certprofile.includeIssuerAndSerialInAKI()) { GeneralNames x509CaSubject = new GeneralNames(new GeneralName(publicCaInfo.getX500Subject())); value = new AuthorityKeyIdentifier(ikiValue, x509CaSubject, publicCaInfo.getSerialNumber()); } else { value = new AuthorityKeyIdentifier(ikiValue); } } addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // IssuerAltName extType = Extension.issuerAlternativeName; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { GeneralNames value = publicCaInfo.getSubjectAltName(); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // AuthorityInfoAccess extType = Extension.authorityInfoAccess; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { AuthorityInfoAccessControl aiaControl = certprofile.getAIAControl(); List<String> caIssuers = null; if (aiaControl == null || aiaControl.includesCaIssuers()) { caIssuers = publicCaInfo.getCaCertUris(); } List<String> ocspUris = null; if (aiaControl == null || aiaControl.includesOcsp()) { ocspUris = publicCaInfo.getOcspUris(); } AuthorityInformationAccess value = X509CertUtil.createAuthorityInformationAccess(caIssuers, ocspUris); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } if (controls.containsKey(Extension.cRLDistributionPoints) || controls.containsKey(Extension.freshestCRL)) { X500Name crlSignerSubject = null; if (crlSignerCert != null) { crlSignerSubject = X500Name.getInstance(crlSignerCert.getSubjectX500Principal().getEncoded()); } X500Name x500CaPrincipal = publicCaInfo.getX500Subject(); // CRLDistributionPoints extType = Extension.cRLDistributionPoints; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { CRLDistPoint value; try { value = X509CertUtil.createCRLDistributionPoints(publicCaInfo.getCrlUris(), x500CaPrincipal, crlSignerSubject); } catch (IOException e) { throw new CertprofileException(e.getMessage(), e); } addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // FreshestCRL extType = Extension.freshestCRL; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { CRLDistPoint value; try { value = X509CertUtil.createCRLDistributionPoints(publicCaInfo.getDeltaCrlUris(), x500CaPrincipal, crlSignerSubject); } catch (IOException e) { throw new CertprofileException(e.getMessage(), e); } addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } } // BasicConstraints extType = Extension.basicConstraints; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { BasicConstraints value = X509CertUtil.createBasicConstraints(certprofile.isCA(), certprofile.getPathLenBasicConstraint()); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // KeyUsage extType = Extension.keyUsage; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { Set<KeyUsage> usages = new HashSet<>(); Set<KeyUsageControl> usageOccs = certprofile.getKeyUsage(); for (KeyUsageControl k : usageOccs) { if (k.isRequired()) { usages.add(k.getKeyUsage()); } } // the optional KeyUsage will only be set if requested explicitly if (requestExtensions != null && extControl.isRequest()) { addRequestedKeyusage(usages, requestExtensions, usageOccs); } org.bouncycastle.asn1.x509.KeyUsage value = X509Util.createKeyUsage(usages); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // ExtendedKeyUsage extType = Extension.extendedKeyUsage; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { Set<ASN1ObjectIdentifier> usages = new HashSet<>(); Set<ExtKeyUsageControl> usageOccs = certprofile.getExtendedKeyUsages(); for (ExtKeyUsageControl k : usageOccs) { if (k.isRequired()) { usages.add(k.getExtKeyUsage()); } } // the optional ExtKeyUsage will only be set if requested explicitly if (requestExtensions != null && extControl.isRequest()) { addRequestedExtKeyusage(usages, requestExtensions, usageOccs); } if (extControl.isCritical() && usages.contains(ObjectIdentifiers.anyExtendedKeyUsage)) { extControl = new ExtensionControl(false, extControl.isRequired(), extControl.isRequest()); } ExtendedKeyUsage value = X509Util.createExtendedUsage(usages); addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // ocsp-nocheck extType = ObjectIdentifiers.id_extension_pkix_ocsp_nocheck; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { // the extension ocsp-nocheck will only be set if requested explicitly DERNull value = DERNull.INSTANCE; addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // SubjectAltName extType = Extension.subjectAlternativeName; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { GeneralNames value = null; if (requestExtensions != null && extControl.isRequest()) { value = createRequestedSubjectAltNames(requestExtensions, certprofile.getSubjectAltNameModes()); } addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } // SubjectInfoAccess extType = Extension.subjectInfoAccess; extControl = controls.remove(extType); if (extControl != null && addMe(extType, extControl, neededExtensionTypes, wantedExtensionTypes)) { ASN1Sequence value = null; if (requestExtensions != null && extControl.isRequest()) { value = createSubjectInfoAccess(requestExtensions, certprofile.getSubjectInfoAccessModes()); } addExtension(values, extType, value, extControl, neededExtensionTypes, wantedExtensionTypes); } ExtensionValues subvalues = certprofile.getExtensions(Collections.unmodifiableMap(controls), requestedSubject, requestExtensions); Set<ASN1ObjectIdentifier> extTypes = new HashSet<>(controls.keySet()); for (ASN1ObjectIdentifier type : extTypes) { extControl = controls.remove(type); boolean addMe = addMe(type, extControl, neededExtensionTypes, wantedExtensionTypes); if (addMe) { ExtensionValue value = null; if (extControl.isRequest()) { Extension reqExt = requestExtensions.getExtension(type); if (reqExt != null) { value = new ExtensionValue(reqExt.isCritical(), reqExt.getParsedValue()); } } if (value == null) { value = subvalues.getExtensionValue(type); } addExtension(values, type, value, extControl, neededExtensionTypes, wantedExtensionTypes); } } Set<ASN1ObjectIdentifier> unprocessedExtTypes = new HashSet<>(); for (ASN1ObjectIdentifier type : controls.keySet()) { if (controls.get(type).isRequired()) { unprocessedExtTypes.add(type); } } if (CollectionUtil.isNotEmpty(unprocessedExtTypes)) { throw new CertprofileException("could not add required extensions " + toString(unprocessedExtTypes)); } if (CollectionUtil.isNotEmpty(neededExtensionTypes)) { throw new BadCertTemplateException( "could not add requested extensions " + toString(neededExtensionTypes)); } return values; }
From source file:org.xipki.ca.server.impl.X509CrlSignerEntryWrapper.java
License:Open Source License
public void initSigner(final SecurityFactory securityFactory) throws SignerException, OperationException, ConfigurationException { if (signer != null) { return;//from w w w . j a v a 2s. c o m } if (dbEntry == null) { throw new SignerException("dbEntry is null"); } if ("CA".equals(dbEntry.getType())) { return; } X509Certificate responderCert = dbEntry.getCertificate(); signer = securityFactory.createSigner(dbEntry.getType(), dbEntry.getConf(), responderCert); if (dbEntry.getBase64Cert() == null) { dbEntry.setCertificate(signer.getCertificate()); } byte[] encodedSkiValue = signer.getCertificate().getExtensionValue(Extension.subjectKeyIdentifier.getId()); if (encodedSkiValue == null) { throw new OperationException(ErrorCode.INVALID_EXTENSION, "CA certificate does not have required extension SubjectKeyIdentifier"); } ASN1OctetString ski; try { ski = (ASN1OctetString) X509ExtensionUtil.fromExtensionValue(encodedSkiValue); } catch (IOException e) { throw new OperationException(ErrorCode.INVALID_EXTENSION, e.getMessage()); } this.subjectKeyIdentifier = ski.getOctets(); if (X509Util.hasKeyusage(signer.getCertificate(), KeyUsage.cRLSign) == false) { throw new OperationException(ErrorCode.SYSTEM_FAILURE, "CRL signer does not have keyusage cRLSign"); } }
From source file:org.xipki.certprofile.demo.x509.DemoEE1X509Certprofile.java
License:Open Source License
public DemoEE1X509Certprofile() { validity = new CertValidity(10, Unit.YEAR); Set<KeyUsageControl> _keyUsage = new HashSet<>(); _keyUsage.add(new KeyUsageControl(KeyUsage.digitalSignature, true)); _keyUsage.add(new KeyUsageControl(KeyUsage.dataEncipherment, true)); keyUsage = Collections.unmodifiableSet(_keyUsage); extensionControls = new HashMap<>(); extensionControls.put(Extension.authorityKeyIdentifier, new ExtensionControl(false, true, false)); extensionControls.put(Extension.freshestCRL, new ExtensionControl(false, false, false)); extensionControls.put(Extension.issuerAlternativeName, new ExtensionControl(false, false, false)); extensionControls.put(Extension.subjectKeyIdentifier, new ExtensionControl(false, true, false)); extensionControls.put(Extension.cRLDistributionPoints, new ExtensionControl(false, false, false)); extensionControls.put(Extension.authorityKeyIdentifier, new ExtensionControl(false, true, false)); extensionControls.put(Extension.authorityInfoAccess, new ExtensionControl(false, false, false)); extensionControls.put(Extension.basicConstraints, new ExtensionControl(true, true, false)); extensionControls.put(Extension.keyUsage, new ExtensionControl(true, true, true)); }
From source file:org.xipki.certprofile.demo.x509.DemoEE2X509Certprofile.java
License:Open Source License
public DemoEE2X509Certprofile() { validity = new CertValidity(10, Unit.YEAR); Set<KeyUsageControl> _keyUsage = new HashSet<>(); _keyUsage.add(new KeyUsageControl(KeyUsage.digitalSignature, true)); _keyUsage.add(new KeyUsageControl(KeyUsage.dataEncipherment, true)); keyUsage = Collections.unmodifiableSet(_keyUsage); extensionControls = new HashMap<>(); extensionControls.put(Extension.authorityKeyIdentifier, new ExtensionControl(false, true, false)); extensionControls.put(Extension.freshestCRL, new ExtensionControl(false, false, false)); extensionControls.put(Extension.issuerAlternativeName, new ExtensionControl(false, false, false)); extensionControls.put(Extension.subjectKeyIdentifier, new ExtensionControl(false, true, false)); extensionControls.put(Extension.cRLDistributionPoints, new ExtensionControl(false, false, false)); extensionControls.put(Extension.authorityKeyIdentifier, new ExtensionControl(false, true, false)); extensionControls.put(Extension.authorityInfoAccess, new ExtensionControl(false, false, false)); extensionControls.put(Extension.basicConstraints, new ExtensionControl(true, true, false)); extensionControls.put(Extension.keyUsage, new ExtensionControl(true, true, true)); }
From source file:org.xipki.common.util.X509Util.java
License:Open Source License
public static byte[] extractSKI(final X509Certificate cert) throws CertificateEncodingException { byte[] extValue = getCoreExtValue(cert, Extension.subjectKeyIdentifier); if (extValue == null) { return null; }//w w w . j a v a 2 s.c o m try { return ASN1OctetString.getInstance(extValue).getOctets(); } catch (IllegalArgumentException e) { throw new CertificateEncodingException(e.getMessage()); } }
From source file:org.xipki.common.util.X509Util.java
License:Open Source License
public static byte[] extractSKI(final org.bouncycastle.asn1.x509.Certificate cert) throws CertificateEncodingException { Extension encodedSkiValue = cert.getTBSCertificate().getExtensions() .getExtension(Extension.subjectKeyIdentifier); if (encodedSkiValue == null) { return null; }//from ww w .j ava2s. c o m try { return ASN1OctetString.getInstance(encodedSkiValue.getParsedValue()).getOctets(); } catch (IllegalArgumentException e) { throw new CertificateEncodingException("invalid extension SubjectKeyIdentifier: " + e.getMessage()); } }