List of usage examples for org.bouncycastle.asn1.x509 Extensions oids
public Enumeration oids()
From source file:com.guardtime.asn1.Asn1Util.java
License:Apache License
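/**
 * Verifies that the given extensions list does not contain any critical
 * extensions.
 * <p>
 * No extension is "understood" by this check, so every extension flagged
 * critical is rejected. That is the conservative X.509 reading: a critical
 * extension the consumer cannot process must cause validation to fail.
 *
 * @param exts
 *            the extensions list to check; {@code null} means no extensions
 *            are present and passes.
 * @throws Asn1FormatException
 *             if the list is empty, an advertised OID has no extension body,
 *             or any extension is marked critical.
 */
static void checkExtensions(Extensions exts) throws Asn1FormatException {
    if (exts == null) {
        // no extensions, nothing to check
        return;
    }
    Enumeration e = exts.oids();
    if (!e.hasMoreElements()) {
        // empty extensions lists are not allowed per X.509 specifications
        throw new Asn1FormatException("empty extensions list");
    }
    while (e.hasMoreElements()) {
        // Extensions.oids() yields ASN1ObjectIdentifier elements in current
        // Bouncy Castle releases (see the other examples on this page that
        // use it that way); a blind (String) cast would fail with a
        // ClassCastException there. Accept either element type.
        Object next = e.nextElement();
        ASN1ObjectIdentifier oid = (next instanceof ASN1ObjectIdentifier)
                ? (ASN1ObjectIdentifier) next
                : new ASN1ObjectIdentifier(next.toString());
        Extension ext = exts.getExtension(oid);
        if (ext == null) {
            // should never happen, but...
            throw new Asn1FormatException("empty extension " + oid.getId());
        }
        if (ext.isCritical()) {
            // nothing here knows how to process any extension, so any
            // critical one is by definition an unknown critical extension
            throw new Asn1FormatException("unknown critical extension " + oid.getId());
        }
    }
}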
From source file:org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean.java
License:Open Source License
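/**
 * Builds and signs a basic OCSP response for the given single responses.
 * <p>
 * Signing is handed to a dedicated {@code HsmResponseThread} so that a
 * deadlocking HSM cannot hang the EJB; this method waits at most
 * {@code HsmResponseThread.HSM_TIMEOUT_SECONDS} for it. The returned
 * response's responder id is compared with the cache entry's, and the
 * signature is verified once per cache entry to detect a misbehaving HSM.
 *
 * @param exts response extensions, or {@code null}; attached to the response
 *            only when the set is non-empty.
 * @param responses single responses to include; may be {@code null}.
 * @param sigAlg signature algorithm name passed to the signing thread.
 * @param signerCert the OCSP signer certificate, used for logging and for the
 *            one-time signature verification.
 * @param ocspSigningCacheEntry supplies the private key, provider name,
 *            responder id and response certificate chain.
 * @param producedAt the producedAt time of the response.
 * @return the signed basic response.
 * @throws OCSPException declared on the signature (not thrown directly here).
 * @throws NoSuchProviderException declared on the signature (not thrown
 *             directly here).
 * @throws CryptoTokenOfflineException if the HSM times out.
 * @throws OcspFailureException if signing fails, the responder id does not
 *             match the cache entry, or the signature does not verify.
 * @throws Error if the wait for the HSM is interrupted; the interrupt status
 *             is restored before throwing.
 */
private BasicOCSPResp generateBasicOcspResp(Extensions exts, List<OCSPResponseItem> responses, String sigAlg,
        X509Certificate signerCert, OcspSigningCacheEntry ocspSigningCacheEntry, Date producedAt)
        throws OCSPException, NoSuchProviderException, CryptoTokenOfflineException {
    final PrivateKey signerKey = ocspSigningCacheEntry.getPrivateKey();
    final String provider = ocspSigningCacheEntry.getSignatureProviderName();
    BasicOCSPResp returnval = null;
    BasicOCSPRespBuilder basicRes = new BasicOCSPRespBuilder(ocspSigningCacheEntry.getRespId());
    if (responses != null) {
        for (OCSPResponseItem item : responses) {
            basicRes.addResponse(item.getCertID(), item.getCertStatus(), item.getThisUpdate(),
                    item.getNextUpdate(), item.getExtensions());
        }
    }
    if (exts != null) {
        @SuppressWarnings("rawtypes")
        Enumeration oids = exts.oids();
        if (oids.hasMoreElements()) {
            // only attach an extension block when there is something in it
            basicRes.setResponseExtensions(exts);
        }
    }
    final X509Certificate[] chain = ocspSigningCacheEntry.getResponseCertChain();
    if (log.isDebugEnabled()) {
        log.debug("The response certificate chain contains " + chain.length + " certificates");
    }
    /*
     * The below code breaks the EJB standard by creating its own thread pool and creating a single thread (of the HsmResponseThread
     * type). The reason for this is that the HSM may deadlock when requesting an OCSP response, which we need to guard against. Since
     * there is no way of performing this action within the EJB3.0 standard, we are consciously creating threads here.
     *
     * Note that this does in no way break the spirit of the EJB standard, which is to not interrupt EJB's transaction handling by
     * competing with its own thread pool, since these operations have no database impact.
     */
    final Future<BasicOCSPResp> task = service
            .submit(new HsmResponseThread(basicRes, sigAlg, signerKey, chain, provider, producedAt));
    try {
        returnval = task.get(HsmResponseThread.HSM_TIMEOUT_SECONDS, TimeUnit.SECONDS);
    } catch (InterruptedException e) {
        task.cancel(true);
        // restore the interrupt status so the caller / container still observes it
        Thread.currentThread().interrupt();
        throw new Error("OCSP response retrieval was interrupted while running. This should not happen", e);
    } catch (ExecutionException e) {
        task.cancel(true);
        throw new OcspFailureException("Failure encountered while retrieving OCSP response.", e);
    } catch (TimeoutException e) {
        task.cancel(true);
        // a timeout is treated as the token being unavailable, not as a response failure
        throw new CryptoTokenOfflineException("HSM timed out while trying to get OCSP response", e);
    }
    if (log.isDebugEnabled()) {
        log.debug("Signing OCSP response with OCSP signer cert: " + signerCert.getSubjectDN().getName());
    }
    if (!returnval.getResponderId().equals(ocspSigningCacheEntry.getRespId())) {
        // the HSM must have signed for the responder we asked it to
        log.error("Response responderId does not match signer certificate responderId!");
        throw new OcspFailureException("Response responderId does not match signer certificate responderId!");
    }
    if (!ocspSigningCacheEntry.checkResponseSignatureVerified()) {
        // We only check the response signature the first time for each OcspSigningCacheEntry to detect a misbehaving HSM.
        // The client is still responsible for validating the signature, see RFC 6960 Section 3.2.2
        boolean verify;
        try {
            verify = returnval
                    .isSignatureValid(new JcaContentVerifierProviderBuilder().build(signerCert.getPublicKey()));
        } catch (OperatorCreationException e) {
            // Very fatal error
            throw new EJBException("Can not create Jca content signer: ", e);
        }
        if (verify) {
            if (log.isDebugEnabled()) {
                log.debug("The OCSP response is verifying.");
            }
        } else {
            log.error("The response is NOT verifying! Attempted to sign using " + CertTools.getSubjectDN(signerCert)
                    + " but signature was not valid.");
            throw new OcspFailureException("Attempted to sign using " + CertTools.getSubjectDN(signerCert)
                    + " but signature was not valid.");
        }
    }
    return returnval;
}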
From source file:org.jruby.ext.openssl.OCSPRequest.java
License:Common Public License
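/**
 * Rebuilds the wrapped OCSP request with the nonce extension appended.
 * <p>
 * Existing request extensions are copied across, a non-critical
 * {@code id-pkix-ocsp-nonce} extension carrying {@code nonce} is added, and
 * {@code asn1bcReq} is replaced by a new request that keeps the optional
 * signature. The requestor name is left unset and the request list is
 * written as an empty sequence, as before.
 */
private void addNonceImpl() {
    GeneralName requestorName = null;
    // NOTE(review): the request list of the existing request is not carried
    // over, only its extensions and signature are; confirm callers add their
    // single requests after the nonce
    ASN1Sequence requestList = new DERSequence();
    Signature sig = null;
    List<Extension> tmpExtensions = new ArrayList<Extension>();
    if (asn1bcReq != null) {
        TBSRequest currentTbsReq = asn1bcReq.getTbsRequest();
        Extensions extensions = currentTbsReq.getRequestExtensions();
        sig = asn1bcReq.getOptionalSignature();
        // requestExtensions is OPTIONAL in TBSRequest, so the accessor returns
        // null when the existing request carries no extensions; do not
        // dereference it in that case
        if (extensions != null) {
            Enumeration<ASN1ObjectIdentifier> oids = extensions.oids();
            while (oids.hasMoreElements()) {
                tmpExtensions.add(extensions.getExtension(oids.nextElement()));
            }
        }
    }
    // the nonce is never critical: a responder that does not support it must still answer
    tmpExtensions.add(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, nonce));
    Extension[] exts = new Extension[tmpExtensions.size()];
    Extensions newExtensions = new Extensions(tmpExtensions.toArray(exts));
    TBSRequest newTbsReq = new TBSRequest(requestorName, requestList, newExtensions);
    asn1bcReq = new org.bouncycastle.asn1.ocsp.OCSPRequest(newTbsReq, sig);
}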
From source file:org.xwiki.crypto.pkix.internal.extension.AbstractBcX509ExtensionBuilder.java
License:Open Source License
/**
 * Copies every extension of {@code extensionSet} into this builder.
 * <p>
 * A {@code BcX509Extensions} instance is unwrapped and its Bouncy Castle
 * {@code Extensions} walked directly, preserving each extension's
 * criticality flag and parsed value; any other implementation is read
 * through the generic {@code X509Extensions} accessors.
 *
 * @param extensionSet the extensions to add; {@code null} is a no-op.
 * @return this builder, for chaining.
 * @throws IOException if an extension value cannot be encoded.
 */
@Override
public X509ExtensionBuilder addExtensions(X509Extensions extensionSet) throws IOException {
    if (extensionSet == null) {
        return this;
    }
    if (!(extensionSet instanceof BcX509Extensions)) {
        // Fallback: go through the generic accessors
        for (String oid : extensionSet.getExtensionOID()) {
            this.extensions.addExtension(new ASN1ObjectIdentifier(oid), extensionSet.isCritical(oid),
                    extensionSet.getExtensionValue(oid));
        }
        return this;
    }
    // Optimisation: walk the underlying Bouncy Castle structure directly
    Extensions bcExts = ((BcX509Extensions) extensionSet).getExtensions();
    @SuppressWarnings("unchecked")
    Enumeration<ASN1ObjectIdentifier> oidEnum = bcExts.oids();
    while (oidEnum.hasMoreElements()) {
        Extension ext = bcExts.getExtension(oidEnum.nextElement());
        this.extensions.addExtension(ext.getExtnId(), ext.isCritical(), ext.getParsedValue());
    }
    return this;
}