List of usage examples for org.bouncycastle.asn1.x509 KeyPurposeId id_kp_smartcardlogon
KeyPurposeId id_kp_smartcardlogon
From source file:mitm.common.security.certificate.ExtendedKeyUsageTypeTest.java
License:Open Source License
/** Checks the symbolic name, the OID lookup and the BouncyCastle mapping of ExtendedKeyUsageType. */
@Test
public void testExtendedKeyUsageType() {
    // The enum's string form is the RFC 5280 key-purpose short name.
    String clientAuthName = ExtendedKeyUsageType.CLIENTAUTH.toString();
    assertEquals("clientAuth", clientAuthName);

    // OID lookup: a known id-kp OID resolves to its constant, an unknown string yields null.
    ExtendedKeyUsageType ipsecTunnel = ExtendedKeyUsageType.fromOID("1.3.6.1.5.5.7.3.6");
    assertEquals(ExtendedKeyUsageType.IPSECTUNNEL, ipsecTunnel);
    ExtendedKeyUsageType unknown = ExtendedKeyUsageType.fromOID("xxx");
    assertEquals(null, unknown);

    // Mapping to the BouncyCastle KeyPurposeId constant used when building the extension.
    KeyPurposeId smartcardLogon = ExtendedKeyUsageType.SMARTCARDLOGIN.getKeyPurposeId();
    assertEquals(KeyPurposeId.id_kp_smartcardlogon, smartcardLogon);
}
From source file:org.apache.kerby.pkix.EndEntityGenerator.java
License:Apache License
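/**
 * Generates an end-entity certificate for {@code publicKey}, signed with {@code issuerPrivateKey}.
 * <p>
 * The certificate carries: a subject key identifier (non-critical); {@code BasicConstraints(false)}
 * (critical); an authority key identifier taken from {@code issuerCert} (non-critical); key usage
 * digitalSignature | keyEncipherment | dataEncipherment (critical); the extended key usage
 * id-ms-kp-sc-logon (non-critical); and a critical subject alternative name holding an
 * id-pkinit-san otherName (with an empty SEQUENCE as value) plus the dNSName {@code localhost}.
 * The returned object also has PKCS#12 friendlyName and localKeyId bag attributes set.
 *
 * @param issuerCert       certificate of the issuing CA; its subject becomes the issuer DN and
 *                         feeds the authority key identifier
 * @param issuerPrivateKey key used to sign the certificate
 * @param publicKey        subject public key to certify
 * @param dn               subject distinguished name, parsed as an X.509 principal string
 * @param validityDays     lifetime in days counted from now
 * @param friendlyName     PKCS#12 friendly name stored as a bag attribute
 * @return the signed certificate
 * @throws InvalidKeyException      if the signing key is unusable
 * @throws SecurityException        as propagated by the certificate generator
 * @throws SignatureException       if signing fails
 * @throws NoSuchAlgorithmException if the signature algorithm is unavailable
 * @throws DataLengthException      as propagated by the BouncyCastle encoders
 * @throws CertificateException     if the generated certificate cannot be built
 */
public static X509Certificate generate(X509Certificate issuerCert, PrivateKey issuerPrivateKey, PublicKey publicKey,
        String dn, int validityDays, String friendlyName) throws InvalidKeyException, SecurityException,
        SignatureException, NoSuchAlgorithmException, DataLengthException, CertificateException {
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();

    // Serial numbers must be unique per issuer (RFC 5280 4.1.2.2). The previous millisecond
    // timestamp collided for two certificates issued in the same tick and was predictable;
    // use 64 random bits instead, +1 so the INTEGER is always positive.
    BigInteger serial = new BigInteger(64, new java.security.SecureRandom()).add(BigInteger.ONE);
    certGen.setSerialNumber(serial);
    certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(issuerCert));
    certGen.setSubjectDN(new X509Principal(dn));
    certGen.setNotBefore(new Date());
    Calendar expiry = Calendar.getInstance();
    expiry.add(Calendar.DAY_OF_YEAR, validityDays);
    certGen.setNotAfter(expiry.getTime());
    certGen.setPublicKey(publicKey);
    // NOTE(review): SHA-1 signatures are rejected by current validators; "SHA256WithRSAEncryption"
    // is the usual replacement. Kept as-is here to avoid changing what callers verify against.
    certGen.setSignatureAlgorithm("SHA1WithRSAEncryption");

    // Digest of the subject public key; used both as the SKI extension and as the PKCS#12 local key id.
    SubjectKeyIdentifier subjectKeyId = new SubjectKeyIdentifier(
            getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded())));
    certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, subjectKeyId);

    // MAY set BasicConstraints=false or not at all.
    certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerCert));
    certGen.addExtension(X509Extensions.KeyUsage, true,
            new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment));

    // Extended key usage: Microsoft smart-card logon only.
    ASN1EncodableVector keyPurposeVector = new ASN1EncodableVector();
    keyPurposeVector.add(KeyPurposeId.id_kp_smartcardlogon);
    //keyPurposeVector.add( KeyPurposeId.id_kp_serverAuth );
    DERSequence keyPurposeOids = new DERSequence(keyPurposeVector);
    // If critical, will throw unsupported EKU.
    certGen.addExtension(X509Extensions.ExtendedKeyUsage, false, keyPurposeOids);

    // Subject alternative name: an id-pkinit-san otherName whose value is left as an empty
    // SEQUENCE (no KRB5PrincipalName is filled in here), plus the host name "localhost".
    ASN1EncodableVector pkinitSanVector = new ASN1EncodableVector();
    pkinitSanVector.add(ID_PKINIT_SAN);
    pkinitSanVector.add(new DERTaggedObject(0, new DERSequence()));
    DERSequence pkinitSan = new DERSequence(pkinitSanVector);
    String dnsName = "localhost";
    GeneralName name1 = new GeneralName(GeneralName.otherName, pkinitSan);
    GeneralName name2 = new GeneralName(GeneralName.dNSName, dnsName);
    GeneralNamesBuilder genNamesBuilder = new GeneralNamesBuilder();
    genNamesBuilder.addName(name1);
    genNamesBuilder.addName(name2);
    GeneralNames sanGeneralNames = genNamesBuilder.build();
    certGen.addExtension(X509Extensions.SubjectAlternativeName, true, sanGeneralNames);

    /*
     * RFC 4556 notes on which EKUs and SANs PKINIT peers look for:
     *  - A KDC MAY require the client certificate to carry the id-pkinit-KPClientAuth EKU and
     *    SHOULD also accept id-ms-kp-sc-logon (1.3.6.1.4.1.311.20.2.2), which a large number of
     *    deployed PKINIT client certificates use. The digitalSignature key usage bit MUST be
     *    asserted when the certificate's purpose is restricted with such an EKU.
     *  - Unless the client can otherwise bind the KDC's public key to the target realm, the KDC
     *    certificate MUST carry an id-pkinit-san SAN naming the realm's TGS; failing that, the
     *    client MUST require the id-pkinit-KPKdc EKU. Windows 2000 enterprise CAs issue KDC
     *    certificates with a dNSName SAN plus id-kp-serverAuth; Windows 2003 adds id-ms-kp-sc-logon.
     *  - Windows 2000/2003 KDCs accept client certificates that carry an id-ms-san-sc-logon-upn
     *    (1.3.6.1.4.1.311.20.2.3) SAN holding the account's UserPrincipalName (UTF-8) together
     *    with the id-ms-kp-sc-logon EKU; the UPN SAN binds the public key to that account.
     */

    X509Certificate cert = certGen.generate(issuerPrivateKey);

    // BouncyCastle certificates implement PKCS12BagAttributeCarrier, so the friendly name and
    // local key id travel with the certificate when it is stored into a PKCS#12 key store.
    PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
    bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
    bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, subjectKeyId);

    return cert;
}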
From source file:org.cesecore.certificates.certificateprofile.CertificateProfile.java
License:Open Source License
/**
 * Applies the built-in defaults of one of the fixed certificate profiles to this profile.
 *
 * @param type one of CertificateProfileConstants.CERTPROFILE_FIXED_XX, for example
 *             CertificateProfileConstants.CERTPROFILE_FIXED_ROOTCA; any other value leaves the
 *             profile untouched
 */
private void setDefaultValues(int type) {
    switch (type) {
    case CertificateProfileConstants.CERTPROFILE_FIXED_ROOTCA:
        setCaProfileDefaults(CertificateConstants.CERTTYPE_ROOTCA);
        break;
    case CertificateProfileConstants.CERTPROFILE_FIXED_SUBCA:
        setCaProfileDefaults(CertificateConstants.CERTTYPE_SUBCA);
        break;
    case CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER:
        setType(CertificateConstants.CERTTYPE_ENDENTITY);
        // Standard key usages for end users are digitalSignature | nonRepudiation and/or
        // (keyEncipherment or keyAgreement); the default here is
        // digitalSignature | nonRepudiation | keyEncipherment.
        setUseKeyUsage(true);
        setKeyUsage(new boolean[9]); // array laid out like X509Certificate.getKeyUsage()
        setKeyUsage(CertificateConstants.DIGITALSIGNATURE, true);
        setKeyUsage(CertificateConstants.NONREPUDIATION, true);
        setKeyUsage(CertificateConstants.KEYENCIPHERMENT, true);
        setKeyUsageCritical(true);
        setNonCriticalExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth.getId(),
                KeyPurposeId.id_kp_emailProtection.getId());
        break;
    case CertificateProfileConstants.CERTPROFILE_FIXED_OCSPSIGNER:
        setType(CertificateConstants.CERTTYPE_ENDENTITY);
        // An OCSP signer only signs responses: digitalSignature plus the OCSPSigning EKU.
        setUseKeyUsage(true);
        setKeyUsage(new boolean[9]);
        setKeyUsage(CertificateConstants.DIGITALSIGNATURE, true);
        setKeyUsageCritical(true);
        setNonCriticalExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning.getId());
        setUseOcspNoCheck(true);
        break;
    case CertificateProfileConstants.CERTPROFILE_FIXED_SERVER:
        setType(CertificateConstants.CERTTYPE_ENDENTITY);
        // Standard key usages for servers are digitalSignature | (keyEncipherment or keyAgreement);
        // the default here is digitalSignature | keyEncipherment.
        setUseKeyUsage(true);
        setKeyUsage(new boolean[9]);
        setKeyUsage(CertificateConstants.DIGITALSIGNATURE, true);
        setKeyUsage(CertificateConstants.KEYENCIPHERMENT, true);
        setKeyUsageCritical(true);
        setNonCriticalExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth.getId());
        break;
    case CertificateProfileConstants.CERTPROFILE_FIXED_HARDTOKENAUTH:
        setType(CertificateConstants.CERTTYPE_ENDENTITY);
        setUseKeyUsage(true);
        setKeyUsage(new boolean[9]);
        setKeyUsage(CertificateConstants.DIGITALSIGNATURE, true);
        setKeyUsageCritical(true);
        // Client authentication plus Microsoft smart-card logon.
        setNonCriticalExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth.getId(),
                KeyPurposeId.id_kp_smartcardlogon.getId());
        break;
    case CertificateProfileConstants.CERTPROFILE_FIXED_HARDTOKENAUTHENC:
        setType(CertificateConstants.CERTTYPE_ENDENTITY);
        setUseKeyUsage(true);
        setKeyUsage(new boolean[9]);
        setKeyUsage(CertificateConstants.KEYENCIPHERMENT, true);
        setKeyUsage(CertificateConstants.DIGITALSIGNATURE, true);
        setKeyUsageCritical(true);
        // Combined authentication/encryption card: client auth, e-mail protection and smart-card logon.
        setNonCriticalExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth.getId(),
                KeyPurposeId.id_kp_emailProtection.getId(),
                KeyPurposeId.id_kp_smartcardlogon.getId());
        break;
    case CertificateProfileConstants.CERTPROFILE_FIXED_HARDTOKENENC:
        setType(CertificateConstants.CERTTYPE_ENDENTITY);
        setUseKeyUsage(true);
        setKeyUsage(new boolean[9]);
        setKeyUsage(CertificateConstants.KEYENCIPHERMENT, true);
        setKeyUsageCritical(true);
        setNonCriticalExtendedKeyUsage(KeyPurposeId.id_kp_emailProtection.getId());
        break;
    case CertificateProfileConstants.CERTPROFILE_FIXED_HARDTOKENSIGN:
        setType(CertificateConstants.CERTTYPE_ENDENTITY);
        setUseKeyUsage(true);
        setKeyUsage(new boolean[9]);
        setKeyUsage(CertificateConstants.NONREPUDIATION, true);
        setKeyUsageCritical(true);
        setNonCriticalExtendedKeyUsage(KeyPurposeId.id_kp_emailProtection.getId());
        break;
    default:
        // Not a fixed profile: nothing to apply.
        break;
    }
}

/**
 * Defaults shared by the root-CA and sub-CA fixed profiles: validity override allowed, the CA
 * key usage bits (digitalSignature, keyCertSign, cRLSign) marked critical, 25-year validity.
 *
 * @param certType CertificateConstants.CERTTYPE_ROOTCA or CertificateConstants.CERTTYPE_SUBCA
 */
private void setCaProfileDefaults(int certType) {
    setType(certType);
    setAllowValidityOverride(true);
    setUseKeyUsage(true);
    setKeyUsage(new boolean[9]);
    setKeyUsage(CertificateConstants.DIGITALSIGNATURE, true);
    setKeyUsage(CertificateConstants.KEYCERTSIGN, true);
    setKeyUsage(CertificateConstants.CRLSIGN, true);
    setKeyUsageCritical(true);
    setValidity(25 * 365 + 7); // 25 years including 6 or 7 leap days
}

/**
 * Enables the extended key usage extension with exactly the given key-purpose OIDs, non-critical.
 *
 * @param oids key-purpose OIDs in the order they should appear in the extension
 */
private void setNonCriticalExtendedKeyUsage(String... oids) {
    setUseExtendedKeyUsage(true);
    ArrayList<String> eku = new ArrayList<String>();
    for (String oid : oids) {
        eku.add(oid);
    }
    setExtendedKeyUsage(eku);
    setExtendedKeyUsageCritical(false);
}
From source file:org.cryptacular.util.CertUtilTest.java
License:Open Source License
/**
 * Test rows for the extended-key-usage check: each row pairs a certificate read from
 * {@code CRT_PATH} with the array of KeyPurposeIds associated with it.
 *
 * @return rows of {certificate, KeyPurposeId[]}
 * @throws Exception if a certificate file cannot be read
 */
@DataProvider(name = "extended-usage")
public Object[][] getExtendedUsage() throws Exception {
    final KeyPurposeId[] seracPurposes = {
        KeyPurposeId.id_kp_clientAuth,
        KeyPurposeId.id_kp_emailProtection,
        KeyPurposeId.id_kp_smartcardlogon,
    };
    final KeyPurposeId[] livePurposes = {
        KeyPurposeId.id_kp_clientAuth,
        KeyPurposeId.id_kp_serverAuth,
    };
    final Object[] seracRow = { CertUtil.readCertificate(CRT_PATH + "serac-dev-test.crt"), seracPurposes };
    final Object[] liveRow = { CertUtil.readCertificate(CRT_PATH + "login.live.com.crt"), livePurposes };
    return new Object[][] { seracRow, liveRow };
}
From source file:org.cryptacular.x509.ExtensionReaderTest.java
License:Open Source License
/**
 * Test rows for the extension reader's extended-key-usage check: each row pairs a certificate
 * read from {@code CRT_PATH} with the array of KeyPurposeIds associated with it.
 *
 * @return rows of {certificate, KeyPurposeId[]}
 */
@DataProvider(name = "extended-key-usage")
public Object[][] getExtendedKeyUsage() {
    final KeyPurposeId[] seracPurposes = {
        KeyPurposeId.id_kp_clientAuth,
        KeyPurposeId.id_kp_emailProtection,
        KeyPurposeId.id_kp_smartcardlogon,
    };
    // Note the order differs from the other provider: serverAuth before clientAuth.
    final KeyPurposeId[] livePurposes = {
        KeyPurposeId.id_kp_serverAuth,
        KeyPurposeId.id_kp_clientAuth,
    };
    final Object[] seracRow = { CertUtil.readCertificate(CRT_PATH + "serac-dev-test.crt"), seracPurposes };
    final Object[] liveRow = { CertUtil.readCertificate(CRT_PATH + "login.live.com.crt"), livePurposes };
    return new Object[][] { seracRow, liveRow };
}
From source file:org.ejbca.core.model.ca.certificateprofiles.HardTokenAuthCertificateProfile.java
License:Open Source License
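/**
 * Creates a certificate profile with the characteristics of a hard-token authentication end user.
 * General options are set in the superclass's default constructor, which is called automatically;
 * the values set here override them.
 */
public HardTokenAuthCertificateProfile() {
    setType(TYPE_ENDENTITY);
    // Key usage: digitalSignature only, marked critical.
    setUseKeyUsage(true);
    setKeyUsage(new boolean[9]); // all nine bits cleared before setting the ones we want
    setKeyUsage(DIGITALSIGNATURE, true);
    setKeyUsageCritical(true);
    // Extended key usage: TLS client authentication plus Microsoft smart-card logon, non-critical.
    setUseExtendedKeyUsage(true);
    ArrayList<String> eku = new ArrayList<String>(); // typed list instead of the raw ArrayList
    eku.add(KeyPurposeId.id_kp_clientAuth.getId());
    eku.add(KeyPurposeId.id_kp_smartcardlogon.getId());
    setExtendedKeyUsage(eku);
    setExtendedKeyUsageCritical(false);
}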
From source file:org.ejbca.core.model.ca.certificateprofiles.HardTokenAuthEncCertificateProfile.java
License:Open Source License
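/**
 * Creates a certificate profile with the characteristics of a hard-token authentication and
 * encryption end user. General options are set in the superclass's default constructor, which is
 * called automatically; the values set here override them.
 */
public HardTokenAuthEncCertificateProfile() {
    setType(TYPE_ENDENTITY);
    // Key usage: keyEncipherment and digitalSignature, marked critical.
    setUseKeyUsage(true);
    setKeyUsage(new boolean[9]); // all nine bits cleared before setting the ones we want
    setKeyUsage(KEYENCIPHERMENT, true);
    setKeyUsage(DIGITALSIGNATURE, true);
    setKeyUsageCritical(true);
    // Extended key usage: client authentication, e-mail protection and Microsoft smart-card logon, non-critical.
    setUseExtendedKeyUsage(true);
    ArrayList<String> eku = new ArrayList<String>(); // typed list instead of the raw ArrayList
    eku.add(KeyPurposeId.id_kp_clientAuth.getId());
    eku.add(KeyPurposeId.id_kp_emailProtection.getId());
    eku.add(KeyPurposeId.id_kp_smartcardlogon.getId());
    setExtendedKeyUsage(eku);
    setExtendedKeyUsageCritical(false);
}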
From source file:org.ejbca.core.protocol.ws.EjbcaWS.java
License:Open Source License
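/**
 * Issues the certificates for a hard token and registers the token in EJBCA.
 * <p>
 * Flow as implemented below: resolve the CA and the end-entity profile; either check the caller's
 * access rules (when the caller is an administrator) or run the request through the approval
 * mechanism; optionally revoke the certificates of an existing token with the same serial number
 * ({@code overwriteExistingSN}) and put the user's previous cards on hold
 * ({@code revokePreviousCards}); add or edit the end entity; issue one certificate per request
 * (PKCS#10, or a server-generated key pair returned as a PKCS#12 key store); finally store the
 * hard token with its PIN/PUK data and mark the approval step as done.
 * <p>
 * Fix relative to the previous version: a missing certificate profile and a non-numeric validity
 * were built into an exception that was never thrown, so issuance silently continued with profile
 * id 0 / no end date. Both now throw.
 *
 * @param userDataWS          end-entity data for the token holder
 * @param tokenRequests       one certificate request per certificate to issue
 * @param hardTokenDataWS     serial number, label, token type and PIN data of the card
 * @param overwriteExistingSN revoke and replace a token that already has this serial number
 * @param revokePreviousCards put the user's other cards on hold or revoke them
 * @return one response per request, holding either the certificate or the PKCS#12 key store
 * @throws CADoesntExistsException          if a referenced CA does not exist
 * @throws AuthorizationDeniedException     if the caller lacks the required access rules
 * @throws WaitingForApprovalException      if the request was queued for approval
 * @throws HardTokenExistsException         if the serial number is taken and overwrite is not requested
 * @throws UserDoesntFullfillEndEntityProfile if the end-entity data violates its profile
 * @throws ApprovalException                if the approval request is invalid
 * @throws EjbcaException                   for lookup, request-format and internal failures
 * @throws ApprovalRequestExpiredException  if the approval request expired
 * @throws ApprovalRequestExecutionException if the approval was rejected
 */
@Override
public List<TokenCertificateResponseWS> genTokenCertificates(UserDataVOWS userDataWS,
        List<TokenCertificateRequestWS> tokenRequests, HardTokenDataWS hardTokenDataWS, boolean overwriteExistingSN,
        boolean revokePreviousCards) throws CADoesntExistsException, AuthorizationDeniedException,
        WaitingForApprovalException, HardTokenExistsException, UserDoesntFullfillEndEntityProfile, ApprovalException,
        EjbcaException, ApprovalRequestExpiredException, ApprovalRequestExecutionException {
    final ArrayList<TokenCertificateResponseWS> retval = new ArrayList<TokenCertificateResponseWS>();
    final EjbcaWSHelper ejbhelper = new EjbcaWSHelper(wsContext, authorizationSession, caAdminSession, caSession,
            certificateProfileSession, certificateStoreSession, endEntityAccessSession, endEntityProfileSession,
            hardTokenSession, endEntityManagementSession, webAuthenticationSession, cryptoTokenManagementSession);
    AuthenticationToken admin = ejbhelper.getAdmin(true);
    int endEntityProfileId = 0;
    boolean hardTokenExists = false;
    boolean userExists = false;
    boolean approvalSuccessfullStep1 = false;
    boolean isRejectedStep1 = false;
    // Get Significant user Id
    final CAInfo significantcAInfo;
    final ArrayList<java.security.cert.Certificate> genCertificates = new ArrayList<java.security.cert.Certificate>();
    final IPatternLogger logger = TransactionLogger.getPatternLogger();
    logAdminName(admin, logger);
    // Internal always-allowed token used only for the read-only lookups below (CA, existing user,
    // approval record); everything that issues or revokes runs under the caller's token.
    final AuthenticationToken intAdmin = new AlwaysAllowLocalAuthenticationToken(
            new UsernamePrincipal("EJBCAWS.genTokenCertificates"));
    try {
        significantcAInfo = caSession.getCAInfo(intAdmin, userDataWS.getCaName());
        if (significantcAInfo == null) {
            throw EjbcaWSHelper.getEjbcaException(
                    "Error the given CA : " + userDataWS.getCaName() + " could not be found.", logger,
                    ErrorCode.CA_NOT_EXISTS, null);
        }
        EndEntityInformation endEntityInformation = endEntityAccessSession.findUser(intAdmin,
                userDataWS.getUsername());
        if (endEntityInformation != null) {
            // Existing user: the profile id comes from the stored entity, not from the request.
            endEntityProfileId = endEntityInformation.getEndEntityProfileId();
            userExists = true;
        } else {
            try {
                endEntityProfileId = endEntityProfileSession
                        .getEndEntityProfileId(userDataWS.getEndEntityProfileName());
            } catch (EndEntityProfileNotFoundException e) {
                throw EjbcaWSHelper.getEjbcaException("Error given end entity profile : "
                        + userDataWS.getEndEntityProfileName() + " could not be found", logger,
                        ErrorCode.EE_PROFILE_NOT_EXISTS, null);
            }
        }
        // Approval request if we require approvals to generate token certificates
        ApprovalRequest ar = null;
        if (ejbhelper.isAdmin()) {
            // Administrator path: the caller must hold every rule the operation touches
            // (create certificate, issue hard tokens, CA access, and revoke/edit/create on the
            // end-entity profile depending on overwrite and whether the user exists).
            final List<String> rules = new ArrayList<String>();
            rules.add(StandardRules.CREATECERT.resource());
            rules.add(AccessRulesConstants.HARDTOKEN_ISSUEHARDTOKENS);
            rules.add(StandardRules.CAACCESS.resource() + significantcAInfo.getCAId());
            if (overwriteExistingSN) {
                rules.add(AccessRulesConstants.REGULAR_REVOKEENDENTITY);
                rules.add(AccessRulesConstants.ENDENTITYPROFILEPREFIX + endEntityProfileId
                        + AccessRulesConstants.REVOKE_END_ENTITY);
            }
            if (userExists) {
                rules.add(AccessRulesConstants.REGULAR_EDITENDENTITY);
                rules.add(AccessRulesConstants.ENDENTITYPROFILEPREFIX + endEntityProfileId
                        + AccessRulesConstants.EDIT_END_ENTITY);
            } else {
                rules.add(AccessRulesConstants.REGULAR_CREATEENDENTITY);
                rules.add(AccessRulesConstants.ENDENTITYPROFILEPREFIX + endEntityProfileId
                        + AccessRulesConstants.CREATE_END_ENTITY);
            }
            String[] rulesArray = rules.toArray(new String[rules.size()]);
            if (!authorizationSession.isAuthorizedNoLogging(admin, rulesArray)) {
                final String msg = intres.getLocalizedMessage("authorization.notuathorizedtoresource",
                        Arrays.toString(rulesArray), null);
                throw new AuthorizationDeniedException(msg);
            }
        } else {
            // Non-administrator path: only allowed when configured to go through approvals.
            if (WebServiceConfiguration.getApprovalForGenTokenCertificates()) {
                ar = new GenerateTokenApprovalRequest(userDataWS.getUsername(), userDataWS.getSubjectDN(),
                        hardTokenDataWS.getLabel(), admin, null,
                        WebServiceConfiguration.getNumberOfRequiredApprovals(), significantcAInfo.getCAId(),
                        endEntityProfileId);
                int status = ApprovalDataVO.STATUS_REJECTED;
                try {
                    status = approvalSession.isApproved(admin, ar.generateApprovalId(), 1);
                    approvalSuccessfullStep1 = (status == ApprovalDataVO.STATUS_APPROVED);
                    isRejectedStep1 = (status == ApprovalDataVO.STATUS_REJECTED);
                    if (status == ApprovalDataVO.STATUS_APPROVED) {
                        ApprovalDataVO approvalDataVO = approvalSession.findNonExpiredApprovalRequest(intAdmin,
                                ar.generateApprovalId());
                        String originalDN = ((GenerateTokenApprovalRequest) approvalDataVO.getApprovalRequest())
                                .getDN();
                        userDataWS.setSubjectDN(originalDN); // replace requested DN with original DN to make sure nothing have changed.
                    } else if (status == ApprovalDataVO.STATUS_REJECTED) {
                        throw new ApprovalRequestExecutionException(
                                "The approval for id " + ar.generateApprovalId() + " has been rejected.");
                    } else if (status == ApprovalDataVO.STATUS_EXPIREDANDNOTIFIED
                            || status == ApprovalDataVO.STATUS_EXPIRED) {
                        throw new ApprovalException(
                                "The approval for id " + ar.generateApprovalId() + " has expired.");
                    } else {
                        throw new WaitingForApprovalException("The approval for id " + ar.generateApprovalId()
                                + " have not yet been approved", ar.generateApprovalId());
                    }
                } catch (ApprovalException e) {
                    // No (live) approval record yet: file one and tell the caller to come back later.
                    approvalSession.addApprovalRequest(admin, ar);
                    throw new WaitingForApprovalException("Approval request with id " + ar.generateApprovalId()
                            + " have been added for approval.", ar.generateApprovalId());
                }
            } else {
                throw new AuthorizationDeniedException();
            }
        }
        if (ar != null && isRejectedStep1) {
            throw new ApprovalRequestExecutionException(
                    "The approval for id " + ar.generateApprovalId() + " has been rejected.");
        }
        if (ar != null && !approvalSuccessfullStep1) {
            throw new WaitingForApprovalException(
                    "The approval for id " + ar.generateApprovalId() + " has not yet been approved",
                    ar.generateApprovalId());
        }
        if (ar != null) {
            // We need to create a new AuthenticationToken here that has the "name" of the admin making the request, but that
            // behaves like an "AlwaysAllowedAuthenticationToken". This is because the request admin does not have privileges,
            // but we want to log as if the requesting admin performed actions below.
            final Set<? extends Principal> principals = admin.getPrincipals();
            Principal p = null;
            if (!principals.isEmpty()) {
                p = principals.iterator().next();
            } else {
                final Set<?> credentials = admin.getCredentials();
                if (!credentials.isEmpty()) {
                    final Object o = credentials.iterator().next();
                    if (o instanceof X509Certificate) {
                        final X509Certificate cert = (X509Certificate) o;
                        p = new X500Principal(cert.getSubjectDN().getName());
                    }
                } else {
                    log.error("Admin does not have neither Principals nor Credentials");
                }
            }
            admin = new AlwaysAllowLocalAuthenticationToken(p);
        }
        hardTokenExists = hardTokenSession.existsHardToken(hardTokenDataWS.getHardTokenSN());
        if (hardTokenExists) {
            if (overwriteExistingSN) {
                // fetch all old certificates and revoke them.
                Collection<java.security.cert.Certificate> currentCertificates = hardTokenSession
                        .findCertificatesInHardToken(hardTokenDataWS.getHardTokenSN());
                HardTokenInformation currentHardToken = hardTokenSession.getHardToken(admin,
                        hardTokenDataWS.getHardTokenSN(), false);
                Iterator<java.security.cert.Certificate> iter = currentCertificates.iterator();
                while (iter.hasNext()) {
                    java.security.cert.X509Certificate nextCert = (java.security.cert.X509Certificate) iter
                            .next();
                    try {
                        endEntityManagementSession.revokeCert(admin, CertTools.getSerialNumber(nextCert),
                                CertTools.getIssuerDN(nextCert), RevokedCertInfo.REVOCATION_REASON_SUPERSEDED);
                    } catch (AlreadyRevokedException e) {
                        // Ignore previously revoked certificates
                    } catch (FinderException e) {
                        throw EjbcaWSHelper.getEjbcaException(
                                "Error revoking old certificate, the user : " + currentHardToken.getUsername()
                                        + " of the old certificate couldn't be found in database.",
                                logger, ErrorCode.USER_NOT_FOUND, null);
                    }
                }
            } else {
                throw new HardTokenExistsException(
                        "Error hard token with sn " + hardTokenDataWS.getHardTokenSN() + " already exists.");
            }
        }
        if (revokePreviousCards) {
            List<HardTokenDataWS> htd = getHardTokenDatas(admin, userDataWS.getUsername(), false, true, logger);
            Iterator<HardTokenDataWS> htdIter = htd.iterator();
            while (htdIter.hasNext()) {
                HardTokenDataWS toRevoke = htdIter.next();
                try {
                    if (hardTokenDataWS.getLabel().equals(HardTokenConstants.LABEL_TEMPORARYCARD)
                            && toRevoke.getLabel() != null
                            && !toRevoke.getLabel().equals(HardTokenConstants.LABEL_TEMPORARYCARD)) {
                        // Issuing a temporary card for a user who has a permanent one: put the
                        // permanent card's certificates on hold, except the one carrying the
                        // MS smart-card-logon EKU (unless configured to suspend everything).
                        Iterator<java.security.cert.Certificate> revokeCerts = hardTokenSession
                                .findCertificatesInHardToken(toRevoke.getHardTokenSN()).iterator();
                        while (revokeCerts.hasNext()) {
                            X509Certificate next = (X509Certificate) revokeCerts.next();
                            try {
                                if (WebServiceConfiguration.getSuspendAllCertificates()
                                        || next.getExtendedKeyUsage() == null
                                        || !next.getExtendedKeyUsage()
                                                .contains(KeyPurposeId.id_kp_smartcardlogon.getId())) {
                                    endEntityManagementSession.revokeCert(admin, next.getSerialNumber(),
                                            CertTools.getIssuerDN(next),
                                            RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD);
                                }
                            } catch (CertificateParsingException e) {
                                log.error(e);
                            } catch (FinderException e) {
                                log.error(e);
                            }
                        }
                    } else {
                        revokeToken(admin, toRevoke.getHardTokenSN(),
                                RevokedCertInfo.REVOCATION_REASON_UNSPECIFIED, logger);
                    }
                } catch (AlreadyRevokedException e) {
                    // Do nothing
                }
            }
        }
        try {
            // Check if the userdata exist and edit/add it depending on which
            String password = PasswordGeneratorFactory
                    .getInstance(PasswordGeneratorFactory.PASSWORDTYPE_ALLPRINTABLE).getNewPassword(8, 8);
            EndEntityInformation userData = ejbhelper.convertUserDataVOWS(admin, userDataWS);
            userData.setPassword(password);
            if (userExists) {
                endEntityManagementSession.changeUser(admin, userData, true);
            } else {
                endEntityManagementSession.addUser(admin, userData, true);
            }
            // notBefore is backdated ten minutes to tolerate clock skew on the card / client.
            Date bDate = new Date(System.currentTimeMillis() - (10 * 60 * 1000));
            Iterator<TokenCertificateRequestWS> iter = tokenRequests.iterator();
            while (iter.hasNext()) {
                TokenCertificateRequestWS next = iter.next();
                int certificateProfileId = certificateProfileSession
                        .getCertificateProfileId(next.getCertificateProfileName());
                if (certificateProfileId == 0) {
                    // Previously the exception was built but not thrown, so issuance went on
                    // with profile id 0. It now propagates (through the catch (Exception) below).
                    throw EjbcaWSHelper.getEjbcaException(
                            "Error the given Certificate Profile : " + next.getCertificateProfileName()
                                    + " couldn't be found.",
                            logger, ErrorCode.CERT_PROFILE_NOT_EXISTS, null);
                }
                Date eDate = null;
                if (next.getValidityIdDays() != null) {
                    try {
                        long validity = Long.parseLong(next.getValidityIdDays());
                        eDate = new Date(System.currentTimeMillis() + (validity * 3600 * 24 * 1000));
                    } catch (NumberFormatException e) {
                        // Previously swallowed, leaving eDate null (profile default validity).
                        throw EjbcaWSHelper.getEjbcaException("Error : Validity in Days must be a number", logger,
                                ErrorCode.BAD_VALIDITY_FORMAT, null);
                    }
                }
                CAInfo cAInfo = caSession.getCAInfo(admin, next.getCAName());
                if (cAInfo == null) {
                    throw EjbcaWSHelper.getEjbcaException(
                            "Error the given CA : " + next.getCAName() + " couldn't be found.", logger,
                            ErrorCode.CA_NOT_EXISTS, null);
                }
                // Per-request CA access check: the request's CA may differ from the token's CA.
                if (!authorizationSession.isAuthorizedNoLogging(admin,
                        StandardRules.CAACCESS.resource() + cAInfo.getCAId())) {
                    final String msg = intres.getLocalizedMessage("authorization.notuathorizedtoresource",
                            StandardRules.CAACCESS.resource() + cAInfo.getCAId(), null);
                    throw new AuthorizationDeniedException(msg);
                }
                if (next.getType() == HardTokenConstants.REQUESTTYPE_PKCS10_REQUEST) {
                    // Key pair lives on the card; only the public key from the PKCS#10 is certified.
                    userData.setCertificateProfileId(certificateProfileId);
                    userData.setCAId(cAInfo.getCAId());
                    userData.setPassword(password);
                    userData.setStatus(EndEntityConstants.STATUS_NEW);
                    endEntityManagementSession.changeUser(admin, userData, false);
                    PKCS10RequestMessage pkcs10req = new PKCS10RequestMessage(next.getPkcs10Data());
                    java.security.cert.Certificate cert;
                    if (eDate == null) {
                        cert = signSession.createCertificate(admin, userData.getUsername(), password,
                                pkcs10req.getRequestPublicKey());
                    } else {
                        cert = signSession.createCertificate(admin, userData.getUsername(), password,
                                pkcs10req.getRequestPublicKey(), -1, bDate, eDate);
                    }
                    genCertificates.add(cert);
                    retval.add(new TokenCertificateResponseWS(new Certificate(cert)));
                } else if (next.getType() == HardTokenConstants.REQUESTTYPE_KEYSTORE_REQUEST) {
                    if (!next.getTokenType().equals(HardTokenConstants.TOKENTYPE_PKCS12)) {
                        throw EjbcaWSHelper.getEjbcaException(
                                "Unsupported Key Store Type : " + next.getTokenType() + " only "
                                        + HardTokenConstants.TOKENTYPE_PKCS12 + " is supported",
                                logger, ErrorCode.NOT_SUPPORTED_KEY_STORE, null);
                    }
                    // Server-generated key pair, returned to the caller inside a PKCS#12 protected
                    // with the password supplied in userDataWS.
                    KeyPair keys = KeyTools.genKeys(next.getKeyspec(), next.getKeyalg());
                    userData.setCertificateProfileId(certificateProfileId);
                    userData.setCAId(cAInfo.getCAId());
                    userData.setPassword(password);
                    userData.setStatus(EndEntityConstants.STATUS_NEW);
                    endEntityManagementSession.changeUser(admin, userData, true);
                    X509Certificate cert;
                    if (eDate == null) {
                        cert = (X509Certificate) signSession.createCertificate(admin, userData.getUsername(),
                                password, keys.getPublic());
                    } else {
                        cert = (X509Certificate) signSession.createCertificate(admin, userData.getUsername(),
                                password, keys.getPublic(), -1, bDate, eDate);
                    }
                    genCertificates.add(cert);
                    // Generate Keystore
                    // Fetch CA Cert Chain.
                    Collection<java.security.cert.Certificate> chain = caSession
                            .getCAInfo(admin, cAInfo.getCAId()).getCertificateChain();
                    String alias = CertTools.getPartFromDN(CertTools.getSubjectDN(cert), "CN");
                    if (alias == null) {
                        alias = userData.getUsername();
                    }
                    java.security.KeyStore pkcs12 = KeyTools.createP12(alias, keys.getPrivate(), cert, chain);
                    retval.add(new TokenCertificateResponseWS(new KeyStore(pkcs12, userDataWS.getPassword())));
                } else {
                    throw EjbcaWSHelper.getEjbcaException(
                            "Error in request, only REQUESTTYPE_PKCS10_REQUEST and REQUESTTYPE_KEYSTORE_REQUEST are supported token requests.",
                            logger, ErrorCode.NOT_SUPPORTED_REQUEST_TYPE, null);
                }
            }
        } catch (Exception e) {
            throw EjbcaWSHelper.getInternalException(e, logger);
        } finally {
            // The end entity must not stay in NEW status with the generated password usable.
            endEntityManagementSession.setUserStatus(admin, userDataWS.getUsername(),
                    EndEntityConstants.STATUS_GENERATED);
        }
        // Add hard token data
        HardToken hardToken;
        String signatureInitialPIN = "";
        String signaturePUK = "";
        String basicInitialPIN = "";
        String basicPUK = "";
        Iterator<PinDataWS> iter = hardTokenDataWS.getPinDatas().iterator();
        while (iter.hasNext()) {
            PinDataWS pinData = iter.next();
            switch (pinData.getType()) {
            case HardTokenConstants.PINTYPE_BASIC:
                basicInitialPIN = pinData.getInitialPIN();
                basicPUK = pinData.getPUK();
                break;
            case HardTokenConstants.PINTYPE_SIGNATURE:
                signatureInitialPIN = pinData.getInitialPIN();
                signaturePUK = pinData.getPUK();
                break;
            default:
                throw EjbcaWSHelper.getEjbcaException("Unsupported PIN Type " + pinData.getType(), logger,
                        ErrorCode.NOT_SUPPORTED_PIN_TYPE, null);
            }
        }
        int tokenType = SwedishEIDHardToken.THIS_TOKENTYPE;
        switch (hardTokenDataWS.getTokenType()) {
        case HardTokenConstants.TOKENTYPE_SWEDISHEID:
            hardToken = new SwedishEIDHardToken(basicInitialPIN, basicPUK, signatureInitialPIN, signaturePUK, 0);
            break;
        case HardTokenConstants.TOKENTYPE_ENHANCEDEID:
            hardToken = new EnhancedEIDHardToken(signatureInitialPIN, signaturePUK, basicInitialPIN, basicPUK,
                    false, 0);
            tokenType = EnhancedEIDHardToken.THIS_TOKENTYPE;
            break;
        default:
            throw EjbcaWSHelper.getEjbcaException("Unsupported Token Type : " + hardTokenDataWS.getTokenType(),
                    logger, ErrorCode.NOT_SUPPORTED_TOKEN_TYPE, null);
        }
        hardToken.setLabel(hardTokenDataWS.getLabel());
        if (overwriteExistingSN) {
            if (hardTokenExists) {
                try {
                    hardTokenSession.removeHardToken(admin, hardTokenDataWS.getHardTokenSN());
                } catch (HardTokenDoesntExistsException e) {
                    throw EjbcaWSHelper.getEjbcaException(e, logger, ErrorCode.HARD_TOKEN_NOT_EXISTS, Level.ERROR);
                }
            }
        }
        hardTokenSession.addHardToken(admin, hardTokenDataWS.getHardTokenSN(), userDataWS.getUsername(),
                significantcAInfo.getSubjectDN(), tokenType, hardToken, genCertificates,
                hardTokenDataWS.getCopyOfSN());
        if (ar != null) {
            approvalSession.markAsStepDone(admin, ar.generateApprovalId(),
                    GenerateTokenApprovalRequest.STEP_1_GENERATETOKEN);
        }
    } catch (FinderException e) {
        throw EjbcaWSHelper.getInternalException(e, logger);
    } catch (RuntimeException e) { // EJBException, ClassCastException, ...
        throw EjbcaWSHelper.getInternalException(e, logger);
    } finally {
        logger.writeln();
        logger.flush();
    }
    return retval;
}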
From source file:org.glite.slcs.pki.CertificateExtensionFactory.java
License:eu-egee.org license
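/**
 * Creates a CertificateExtension. The id can be the OID or the name as
 * defined below. The values are a comma separated list of value(s).
 * <p>
 * Valid names and values:
 * <ul>
 * <li>KeyUsage
 * <ul>
 * <li>DigitalSignature
 * <li>NonRepudiation
 * <li>KeyEncipherment
 * <li>DataEncipherment
 * <li>KeyAgreement
 * <li>KeyCertSign
 * <li>CRLSign
 * <li>EncipherOnly
 * <li>DecipherOnly
 * </ul>
 * <li>ExtendedKeyUsage
 * <ul>
 * <li>AnyExtendedKeyUsage
 * <li>ServerAuth
 * <li>ClientAuth
 * <li>CodeSigning
 * <li>EmailProtection
 * <li>IPSecEndSystem
 * <li>IPSecTunnel
 * <li>IPSecUser
 * <li>TimeStamping
 * <li>OCSPSigning
 * <li>Smartcardlogon
 * </ul>
 * <li>CertificatePolicies
 * <ul>
 * <li>The policy OID(s)
 * </ul>
 * <li>SubjectAltName
 * <ul>
 * <li>email:EMAIL_ADDRESS
 * <li>dns:HOSTNAME
 * </ul>
 * </ul>
 * <p>
 * Names are matched case-insensitively and whitespace around each value is
 * ignored; empty tokens (e.g. a trailing comma) are skipped. A KeyUsage or
 * ExtendedKeyUsage value that is not in the list above is logged as an error
 * and dropped, so a misspelled value yields an extension that lacks that
 * usage rather than a failure; callers that need strict validation must
 * inspect the returned extension. CertificatePolicies and SubjectAltName
 * values are passed through to the respective factory methods without
 * validation.
 * <p>
 * Example:
 * <pre>
 * CertificateExtension keyUsageExtension =
 *     CertificateExtensionFactory.createCertificateExtension("KeyUsage", "DigitalSignature,KeyEncipherment");
 * CertificateExtension subjectAltNameExtension =
 *     CertificateExtensionFactory.createCertificateExtension("SubjectAltName", "email:john.doe@example.com,dns:www.example.com");
 * </pre>
 *
 * @param id
 *            The name or the OID of the extension.
 * @param values
 *            A comma separated list of extension value(s).
 * @return The corresponding CertificateExtension or <code>null</code> if
 *         the id (name or oid) is not supported.
 * @throws NullPointerException
 *             if <code>id</code> is <code>null</code>, or if
 *             <code>values</code> is <code>null</code> for a supported id.
 */
static public CertificateExtension createCertificateExtension(String id, String values) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("id:" + id + " value(s):" + values);
    }
    if (isExtension(id, X509Extensions.KeyUsage.getId(), "KeyUsage")) {
        return createKeyUsageExtension(parseKeyUsageBits(values), values);
    } else if (isExtension(id, X509Extensions.ExtendedKeyUsage.getId(), "ExtendedKeyUsage")) {
        return createExtendedKeyUsageExtension(parseKeyPurposeIds(values), values);
    } else if (isExtension(id, X509Extensions.CertificatePolicies.getId(), "CertificatePolicies")) {
        // values is a comma separated list of policy OIDs, forwarded as-is
        Vector policyOIDs = new Vector();
        String[] oids = splitValues(values);
        for (int i = 0; i < oids.length; i++) {
            policyOIDs.add(oids[i]);
        }
        return createCertificatePoliciesExtension(policyOIDs, values);
    } else if (isExtension(id, X509Extensions.SubjectAlternativeName.getId(), "SubjectAltName")) {
        // values is a comma separated list of alternative names, each prefixed
        // with its type (email: or dns:); the prefix is interpreted downstream
        Vector typedSubjectAltNames = new Vector();
        String[] names = splitValues(values);
        for (int i = 0; i < names.length; i++) {
            typedSubjectAltNames.add(names[i]);
        }
        return createSubjectAltNameExtension(typedSubjectAltNames, values);
    }
    LOG.error("Unsupported CertificateExtension: " + id);
    return null;
}

/**
 * Tells whether <code>id</code> denotes the extension with dotted OID
 * <code>oid</code>: either the OID itself (exact match) or the symbolic
 * <code>name</code> (case-insensitive).
 */
private static boolean isExtension(String id, String oid, String name) {
    return id.equals(oid) || id.equalsIgnoreCase(name);
}

/**
 * Splits a comma separated list into its trimmed tokens. Uses StringTokenizer
 * so that empty tokens are dropped rather than returned as "".
 *
 * @param values the comma separated list (must not be <code>null</code>)
 * @return the trimmed tokens, possibly empty
 */
private static String[] splitValues(String values) {
    StringTokenizer st = new StringTokenizer(values, ",");
    String[] tokens = new String[st.countTokens()];
    for (int i = 0; i < tokens.length; i++) {
        tokens[i] = st.nextToken().trim();
    }
    return tokens;
}

/**
 * Parses a comma separated list of KeyUsage names into the KeyUsage bit mask.
 * Unknown names are logged and ignored.
 *
 * @param values the comma separated list of KeyUsage names
 * @return the OR of the recognised KeyUsage bits (0 if none)
 */
private static int parseKeyUsageBits(String values) {
    int usage = 0;
    String[] names = splitValues(values);
    for (int i = 0; i < names.length; i++) {
        int bit = keyUsageBit(names[i]);
        if (bit == 0) {
            LOG.error("Unknown KeyUsage: " + names[i]);
        } else {
            // OR rather than +=: a name listed twice must set the same bit,
            // not carry into a neighbouring (different) usage bit.
            usage |= bit;
        }
    }
    return usage;
}

/**
 * Maps a KeyUsage name (case-insensitive) to its bit value.
 *
 * @return the KeyUsage bit, or 0 if the name is not recognised (no defined
 *         KeyUsage bit is 0, so 0 is a safe sentinel)
 */
private static int keyUsageBit(String keyUsage) {
    if (keyUsage.equalsIgnoreCase("DigitalSignature")) {
        return KeyUsage.digitalSignature;
    } else if (keyUsage.equalsIgnoreCase("NonRepudiation")) {
        return KeyUsage.nonRepudiation;
    } else if (keyUsage.equalsIgnoreCase("KeyEncipherment")) {
        return KeyUsage.keyEncipherment;
    } else if (keyUsage.equalsIgnoreCase("DataEncipherment")) {
        return KeyUsage.dataEncipherment;
    } else if (keyUsage.equalsIgnoreCase("KeyAgreement")) {
        return KeyUsage.keyAgreement;
    } else if (keyUsage.equalsIgnoreCase("KeyCertSign")) {
        return KeyUsage.keyCertSign;
    } else if (keyUsage.equalsIgnoreCase("CRLSign")) {
        return KeyUsage.cRLSign;
    } else if (keyUsage.equalsIgnoreCase("EncipherOnly")) {
        return KeyUsage.encipherOnly;
    } else if (keyUsage.equalsIgnoreCase("DecipherOnly")) {
        return KeyUsage.decipherOnly;
    }
    return 0;
}

/**
 * Parses a comma separated list of ExtendedKeyUsage names into KeyPurposeIds,
 * in list order. Unknown names are logged and ignored.
 *
 * @param values the comma separated list of ExtendedKeyUsage names
 * @return a Vector of KeyPurposeId (raw type, as expected by
 *         createExtendedKeyUsageExtension)
 */
private static Vector parseKeyPurposeIds(String values) {
    Vector keyPurposeIds = new Vector();
    String[] names = splitValues(values);
    for (int i = 0; i < names.length; i++) {
        KeyPurposeId purpose = keyPurposeId(names[i]);
        if (purpose == null) {
            LOG.error("Unknown ExtendedKeyUsage: " + names[i]);
        } else {
            keyPurposeIds.add(purpose);
        }
    }
    return keyPurposeIds;
}

/**
 * Maps an ExtendedKeyUsage name (case-insensitive) to its KeyPurposeId.
 *
 * @return the KeyPurposeId, or <code>null</code> if the name is not recognised
 */
private static KeyPurposeId keyPurposeId(String keyPurpose) {
    if (keyPurpose.equalsIgnoreCase("AnyExtendedKeyUsage")) {
        return KeyPurposeId.anyExtendedKeyUsage;
    } else if (keyPurpose.equalsIgnoreCase("ServerAuth")) {
        return KeyPurposeId.id_kp_serverAuth;
    } else if (keyPurpose.equalsIgnoreCase("ClientAuth")) {
        return KeyPurposeId.id_kp_clientAuth;
    } else if (keyPurpose.equalsIgnoreCase("CodeSigning")) {
        return KeyPurposeId.id_kp_codeSigning;
    } else if (keyPurpose.equalsIgnoreCase("EmailProtection")) {
        return KeyPurposeId.id_kp_emailProtection;
    } else if (keyPurpose.equalsIgnoreCase("IPSecEndSystem")) {
        return KeyPurposeId.id_kp_ipsecEndSystem;
    } else if (keyPurpose.equalsIgnoreCase("IPSecTunnel")) {
        return KeyPurposeId.id_kp_ipsecTunnel;
    } else if (keyPurpose.equalsIgnoreCase("IPSecUser")) {
        return KeyPurposeId.id_kp_ipsecUser;
    } else if (keyPurpose.equalsIgnoreCase("TimeStamping")) {
        return KeyPurposeId.id_kp_timeStamping;
    } else if (keyPurpose.equalsIgnoreCase("OCSPSigning")) {
        return KeyPurposeId.id_kp_OCSPSigning;
    } else if (keyPurpose.equalsIgnoreCase("Smartcardlogon")) {
        return KeyPurposeId.id_kp_smartcardlogon;
    }
    return null;
}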
From source file:org.mailster.gui.dialogs.CertificateDialog.java
License:Open Source License
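/**
 * Adds a tree node under <code>parent</code> describing the extension
 * <code>oid</code> of <code>cert</code>. Extensions this dialog knows
 * (BasicConstraints, KeyUsage, SubjectKeyIdentifier, AuthorityKeyIdentifier,
 * Netscape revocation URL / cert type, Verisign CZAG, CRLNumber, ReasonCode,
 * ExtendedKeyUsage) are rendered as localized text prefixed with their
 * criticality; any other extension is shown under its OID with the raw
 * encoded value in hex. Nothing is added when the certificate does not carry
 * the extension or its value is empty.
 *
 * @param parent     the tree item the new node is attached to
 * @param cert       the certificate the extension belongs to (used only for
 *                   the raw value of unknown extensions)
 * @param extensions the parsed extensions of <code>cert</code>
 * @param oid        the dotted OID of the extension to render
 */
private void generateExtensionNode(TreeItem parent, X509Certificate cert, X509Extensions extensions, String oid) {
    DERObjectIdentifier derOID = new DERObjectIdentifier(oid);
    X509Extension ext = extensions.getExtension(derOID);
    // getExtension() yields null for an OID the certificate does not carry;
    // in that case, as for an empty value, there is nothing to display.
    if (ext == null || ext.getValue() == null)
        return;

    // The extension value is the DER content of the extnValue OCTET STRING.
    // The stream is backed by that byte array, so no OS resource stays open.
    ASN1InputStream dIn = new ASN1InputStream(ext.getValue().getOctets());
    StringBuilder buf = new StringBuilder();
    try {
        buf.append(Messages.getString(ext.isCritical()
                ? "MailsterSWT.dialog.certificate.criticalExt" //$NON-NLS-1$
                : "MailsterSWT.dialog.certificate.nonCriticalExt")); //$NON-NLS-1$

        if (derOID.equals(X509Extensions.BasicConstraints)) {
            appendBasicConstraints(buf, new BasicConstraints((ASN1Sequence) dIn.readObject()));
            generateNode(parent, Messages.getString(oid), buf);
        } else if (derOID.equals(X509Extensions.KeyUsage)) {
            appendKeyUsage(buf, new KeyUsage((DERBitString) dIn.readObject()));
            generateNode(parent, Messages.getString(oid), buf);
        } else if (derOID.equals(X509Extensions.SubjectKeyIdentifier)) {
            SubjectKeyIdentifier id = new SubjectKeyIdentifier((DEROctetString) dIn.readObject());
            generateNode(parent, Messages.getString(oid),
                    buf.toString() + CertificateUtilities.byteArrayToString(id.getKeyIdentifier()));
        } else if (derOID.equals(X509Extensions.AuthorityKeyIdentifier)) {
            // Only the authorityCertSerialNumber field is shown; the keyIdentifier
            // and authorityCertIssuer fields of the AKI are not rendered.
            AuthorityKeyIdentifier id = new AuthorityKeyIdentifier((ASN1Sequence) dIn.readObject());
            generateNode(parent, Messages.getString(oid), buf.toString() + id.getAuthorityCertSerialNumber());
        } else if (derOID.equals(MiscObjectIdentifiers.netscapeRevocationURL)) {
            buf.append(new NetscapeRevocationURL((DERIA5String) dIn.readObject())).append("\n");
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else if (derOID.equals(MiscObjectIdentifiers.verisignCzagExtension)) {
            buf.append(new VerisignCzagExtension((DERIA5String) dIn.readObject())).append("\n");
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else if (derOID.equals(X509Extensions.CRLNumber)) {
            buf.append((DERInteger) dIn.readObject()).append("\n");
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else if (derOID.equals(X509Extensions.ReasonCode)) {
            appendReasonFlags(buf, new ReasonFlags((DERBitString) dIn.readObject()));
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else if (derOID.equals(MiscObjectIdentifiers.netscapeCertType)) {
            appendNetscapeCertType(buf, new NetscapeCertType((DERBitString) dIn.readObject()));
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else if (derOID.equals(X509Extensions.ExtendedKeyUsage)) {
            appendExtendedKeyUsage(buf, new ExtendedKeyUsage((ASN1Sequence) dIn.readObject()));
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else {
            // Unknown extension: label the node with the OID (dots replaced by
            // spaces for the message format) and dump the raw encoded value;
            // the criticality prefix collected in buf is intentionally not shown.
            generateNode(parent,
                    MessageFormat.format(Messages.getString("MailsterSWT.dialog.certificate.objectIdentifier"), //$NON-NLS-1$
                            new Object[] { oid.replace('.', ' ') }),
                    CertificateUtilities.byteArrayToString(cert.getExtensionValue(oid)));
        }
    } catch (Exception ex) {
        // A malformed or unexpectedly typed extension value (ClassCastException
        // from the casts above, IOException from readObject) only costs this one
        // node; the rest of the certificate is still displayed.
        ex.printStackTrace();
    }
}

/**
 * Appends the CA flag and path length of a BasicConstraints extension. Both a
 * missing pathLenConstraint and Integer.MAX_VALUE are rendered as "unlimited".
 */
private static void appendBasicConstraints(StringBuilder buf, BasicConstraints bc) {
    buf.append(Messages.getString(bc.isCA()
            ? "MailsterSWT.dialog.certificate.BasicConstraints.isCA" //$NON-NLS-1$
            : "MailsterSWT.dialog.certificate.BasicConstraints.notCA")); //$NON-NLS-1$
    buf.append(Messages.getString("MailsterSWT.dialog.certificate.BasicConstraints.maxIntermediateCA")); //$NON-NLS-1$
    if (bc.getPathLenConstraint() == null || bc.getPathLenConstraint().intValue() == Integer.MAX_VALUE)
        buf.append(Messages.getString("MailsterSWT.dialog.certificate.BasicConstraints.unlimited")); //$NON-NLS-1$
    else
        buf.append(bc.getPathLenConstraint()).append('\n');
}

/**
 * Appends the localized message for <code>key</code> when <code>flag</code>
 * is set in <code>bits</code>; a shared helper for the bit-string extensions.
 */
private static void appendIfSet(StringBuilder buf, int bits, int flag, String key) {
    if ((bits & flag) != 0)
        buf.append(Messages.getString(key));
}

/** Appends one line per KeyUsage bit that is set. */
private static void appendKeyUsage(StringBuilder buf, KeyUsage us) {
    int bits = us.intValue();
    appendIfSet(buf, bits, KeyUsage.digitalSignature, "MailsterSWT.dialog.certificate.KeyUsage.digitalSignature"); //$NON-NLS-1$
    appendIfSet(buf, bits, KeyUsage.nonRepudiation, "MailsterSWT.dialog.certificate.KeyUsage.nonRepudiation"); //$NON-NLS-1$
    appendIfSet(buf, bits, KeyUsage.keyEncipherment, "MailsterSWT.dialog.certificate.KeyUsage.keyEncipherment"); //$NON-NLS-1$
    appendIfSet(buf, bits, KeyUsage.dataEncipherment, "MailsterSWT.dialog.certificate.KeyUsage.dataEncipherment"); //$NON-NLS-1$
    appendIfSet(buf, bits, KeyUsage.keyAgreement, "MailsterSWT.dialog.certificate.KeyUsage.keyAgreement"); //$NON-NLS-1$
    appendIfSet(buf, bits, KeyUsage.keyCertSign, "MailsterSWT.dialog.certificate.KeyUsage.keyCertSign"); //$NON-NLS-1$
    appendIfSet(buf, bits, KeyUsage.cRLSign, "MailsterSWT.dialog.certificate.KeyUsage.cRLSign"); //$NON-NLS-1$
    appendIfSet(buf, bits, KeyUsage.encipherOnly, "MailsterSWT.dialog.certificate.KeyUsage.encipherOnly"); //$NON-NLS-1$
    appendIfSet(buf, bits, KeyUsage.decipherOnly, "MailsterSWT.dialog.certificate.KeyUsage.decipherOnly"); //$NON-NLS-1$
}

/** Appends one line per CRL reason flag that is set. */
private static void appendReasonFlags(StringBuilder buf, ReasonFlags rf) {
    int bits = rf.intValue();
    appendIfSet(buf, bits, ReasonFlags.unused, "MailsterSWT.dialog.certificate.ReasonCode.unused"); //$NON-NLS-1$
    appendIfSet(buf, bits, ReasonFlags.keyCompromise, "MailsterSWT.dialog.certificate.ReasonCode.keyCompromise"); //$NON-NLS-1$
    appendIfSet(buf, bits, ReasonFlags.cACompromise, "MailsterSWT.dialog.certificate.ReasonCode.cACompromise"); //$NON-NLS-1$
    appendIfSet(buf, bits, ReasonFlags.affiliationChanged, "MailsterSWT.dialog.certificate.ReasonCode.affiliationChanged"); //$NON-NLS-1$
    appendIfSet(buf, bits, ReasonFlags.superseded, "MailsterSWT.dialog.certificate.ReasonCode.superseded"); //$NON-NLS-1$
    appendIfSet(buf, bits, ReasonFlags.cessationOfOperation, "MailsterSWT.dialog.certificate.ReasonCode.cessationOfOperation"); //$NON-NLS-1$
    appendIfSet(buf, bits, ReasonFlags.certificateHold, "MailsterSWT.dialog.certificate.ReasonCode.certificateHold"); //$NON-NLS-1$
    appendIfSet(buf, bits, ReasonFlags.privilegeWithdrawn, "MailsterSWT.dialog.certificate.ReasonCode.privilegeWithdrawn"); //$NON-NLS-1$
    appendIfSet(buf, bits, ReasonFlags.aACompromise, "MailsterSWT.dialog.certificate.ReasonCode.aACompromise"); //$NON-NLS-1$
}

/** Appends one line per Netscape certificate type bit that is set. */
private static void appendNetscapeCertType(StringBuilder buf, NetscapeCertType type) {
    int bits = type.intValue();
    appendIfSet(buf, bits, NetscapeCertType.sslClient, "MailsterSWT.dialog.certificate.NetscapeCertType.sslClient"); //$NON-NLS-1$
    appendIfSet(buf, bits, NetscapeCertType.sslServer, "MailsterSWT.dialog.certificate.NetscapeCertType.sslServer"); //$NON-NLS-1$
    appendIfSet(buf, bits, NetscapeCertType.smime, "MailsterSWT.dialog.certificate.NetscapeCertType.smime"); //$NON-NLS-1$
    appendIfSet(buf, bits, NetscapeCertType.objectSigning, "MailsterSWT.dialog.certificate.NetscapeCertType.objectSigning"); //$NON-NLS-1$
    appendIfSet(buf, bits, NetscapeCertType.reserved, "MailsterSWT.dialog.certificate.NetscapeCertType.reserved"); //$NON-NLS-1$
    appendIfSet(buf, bits, NetscapeCertType.sslCA, "MailsterSWT.dialog.certificate.NetscapeCertType.sslCA"); //$NON-NLS-1$
    appendIfSet(buf, bits, NetscapeCertType.smimeCA, "MailsterSWT.dialog.certificate.NetscapeCertType.smimeCA"); //$NON-NLS-1$
    appendIfSet(buf, bits, NetscapeCertType.objectSigningCA, "MailsterSWT.dialog.certificate.NetscapeCertType.objectSigningCA"); //$NON-NLS-1$
}

/** Appends the localized message for <code>key</code> when <code>eku</code> contains <code>purpose</code>. */
private static void appendIfPurpose(StringBuilder buf, ExtendedKeyUsage eku, KeyPurposeId purpose, String key) {
    if (eku.hasKeyPurposeId(purpose))
        buf.append(Messages.getString(key));
}

/**
 * Appends one line per recognised key purpose present in the extension.
 * Purposes outside this fixed list are not rendered at all.
 */
private static void appendExtendedKeyUsage(StringBuilder buf, ExtendedKeyUsage eku) {
    appendIfPurpose(buf, eku, KeyPurposeId.anyExtendedKeyUsage, "MailsterSWT.dialog.certificate.ExtendedKeyUsage.anyExtendedKeyUsage"); //$NON-NLS-1$
    appendIfPurpose(buf, eku, KeyPurposeId.id_kp_clientAuth, "MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_clientAuth"); //$NON-NLS-1$
    appendIfPurpose(buf, eku, KeyPurposeId.id_kp_codeSigning, "MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_codeSigning"); //$NON-NLS-1$
    appendIfPurpose(buf, eku, KeyPurposeId.id_kp_emailProtection, "MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_emailProtection"); //$NON-NLS-1$
    appendIfPurpose(buf, eku, KeyPurposeId.id_kp_ipsecEndSystem, "MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_ipsecEndSystem"); //$NON-NLS-1$
    appendIfPurpose(buf, eku, KeyPurposeId.id_kp_ipsecTunnel, "MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_ipsecTunnel"); //$NON-NLS-1$
    appendIfPurpose(buf, eku, KeyPurposeId.id_kp_ipsecUser, "MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_ipsecUser"); //$NON-NLS-1$
    appendIfPurpose(buf, eku, KeyPurposeId.id_kp_OCSPSigning, "MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_OCSPSigning"); //$NON-NLS-1$
    appendIfPurpose(buf, eku, KeyPurposeId.id_kp_serverAuth, "MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_serverAuth"); //$NON-NLS-1$
    appendIfPurpose(buf, eku, KeyPurposeId.id_kp_smartcardlogon, "MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_smartcardlogon"); //$NON-NLS-1$
    appendIfPurpose(buf, eku, KeyPurposeId.id_kp_timeStamping, "MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_timeStamping"); //$NON-NLS-1$
}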