List of usage examples for org.bouncycastle.asn1.x509 KeyPurposeId id_kp_timeStamping
KeyPurposeId id_kp_timeStamping
From source file:be.fedict.trust.test.PKITestUtils.java
License:Open Source License
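/**
 * Builds and signs an X.509 v3 certificate for use in PKI test fixtures.
 *
 * <p>The issuer name is taken from {@code issuerCertificate} when one is given, otherwise the
 * certificate is self-issued under {@code subjectDn}. The signature is always produced with an
 * RSA content signer ({@code BcRSAContentSignerBuilder}), so {@code issuerPrivateKey} must be
 * an RSA key whatever {@code signatureAlgorithm} names.
 *
 * @param subjectPublicKey   public key to certify
 * @param subjectDn          subject distinguished name in string form (parsed by {@code X500Name})
 * @param notBefore          start of the validity period
 * @param notAfter           end of the validity period
 * @param issuerCertificate  issuing CA certificate, or {@code null} for a self-signed certificate
 * @param issuerPrivateKey   RSA private key that signs the certificate
 * @param caFlag             add a critical basicConstraints extension with cA=TRUE
 * @param pathLength         pathLenConstraint for CA certificates; {@code -1} leaves it absent (unbounded)
 * @param crlUri             CRL distribution point URI, or {@code null} to omit the extension
 * @param ocspUri            OCSP responder URI for authorityInfoAccess, or {@code null} to omit it
 * @param keyUsage           keyUsage bits, or {@code null} to omit the (critical) extension
 * @param signatureAlgorithm JCA signature algorithm name, e.g. {@code "SHA256withRSA"}
 * @param tsa                add id-kp-timeStamping to the critical extendedKeyUsage extension
 * @param includeSKID        add a subjectKeyIdentifier derived from {@code subjectPublicKey}
 * @param includeAKID        add an authorityKeyIdentifier (see {@code akidPublicKey})
 * @param akidPublicKey      key the AKID is derived from; when {@code null} the issuer's key is
 *                           used, or the subject's own key for a self-signed certificate
 * @param certificatePolicy  policy OID for certificatePolicies, or {@code null} to omit it
 * @param qcCompliance       {@code null} omits qcStatements; {@code TRUE} adds QcCompliance,
 *                           {@code FALSE} adds RetentionPeriod
 * @param ocspResponder      add id-pkix-ocsp-nocheck and id-kp-OCSPSigning
 * @param qcSSCD             add the QcSSCD statement (only honoured when {@code qcCompliance} is non-null)
 * @return the signed certificate, re-parsed through the JCA {@code X.509} factory
 * @throws IOException if an extension or the certificate cannot be encoded
 * @throws NoSuchAlgorithmException if the digest used by {@code JcaX509ExtensionUtils} is unavailable
 * @throws CertificateException if the encoded certificate cannot be parsed back
 * @throws OperatorCreationException if the content signer cannot be built
 */
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn,
        DateTime notBefore, DateTime notAfter, X509Certificate issuerCertificate,
        PrivateKey issuerPrivateKey, boolean caFlag, int pathLength, String crlUri, String ocspUri,
        KeyUsage keyUsage, String signatureAlgorithm, boolean tsa, boolean includeSKID,
        boolean includeAKID, PublicKey akidPublicKey, String certificatePolicy,
        Boolean qcCompliance, boolean ocspResponder, boolean qcSSCD)
        throws IOException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException,
        SignatureException, CertificateException, OperatorCreationException {
    // Use the issuer's DER-encoded subject rather than re-parsing its string form: RFC 5280
    // chains names by comparing encodings, and a toString()/parse round trip can change
    // attribute string types or ordering and silently break path building.
    X500Name issuerName;
    if (null != issuerCertificate) {
        issuerName = X500Name.getInstance(issuerCertificate.getSubjectX500Principal().getEncoded());
    } else {
        issuerName = new X500Name(subjectDn);
    }
    X500Name subjectName = new X500Name(subjectDn);

    // 128 bits from a CSPRNG: serials must be positive, unique per issuer and unpredictable.
    BigInteger serial = new BigInteger(128, new SecureRandom());
    SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded());
    X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(issuerName, serial,
            notBefore.toDate(), notAfter.toDate(), subjectName, publicKeyInfo);

    JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
    if (includeSKID) {
        x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false,
                extensionUtils.createSubjectKeyIdentifier(subjectPublicKey));
    }
    if (includeAKID) {
        // Explicit AKID key first, then the issuer's key, then the subject's own key
        // (self-signed).
        PublicKey authorityPublicKey;
        if (null != akidPublicKey) {
            authorityPublicKey = akidPublicKey;
        } else if (null != issuerCertificate) {
            authorityPublicKey = issuerCertificate.getPublicKey();
        } else {
            authorityPublicKey = subjectPublicKey;
        }
        x509v3CertificateBuilder.addExtension(Extension.authorityKeyIdentifier, false,
                extensionUtils.createAuthorityKeyIdentifier(authorityPublicKey));
    }
    if (caFlag) {
        // RFC 5280 4.2.1.9: basicConstraints MUST be critical in CA certificates. An absent
        // pathLenConstraint already means "no limit", so -1 now omits it instead of encoding
        // Integer.MAX_VALUE.
        BasicConstraints basicConstraints = (-1 == pathLength)
                ? new BasicConstraints(true)
                : new BasicConstraints(pathLength);
        x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, basicConstraints);
    }
    if (null != crlUri) {
        GeneralName generalName = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(crlUri));
        GeneralNames generalNames = new GeneralNames(generalName);
        DistributionPointName distPointName = new DistributionPointName(generalNames);
        DistributionPoint distPoint = new DistributionPoint(distPointName, null, null);
        DistributionPoint[] crlDistPoints = new DistributionPoint[] { distPoint };
        CRLDistPoint crlDistPoint = new CRLDistPoint(crlDistPoints);
        x509v3CertificateBuilder.addExtension(Extension.cRLDistributionPoints, false, crlDistPoint);
    }
    if (null != ocspUri) {
        GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri);
        AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess(
                X509ObjectIdentifiers.ocspAccessMethod, ocspName);
        x509v3CertificateBuilder.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess);
    }
    if (null != keyUsage) {
        // Critical so that relying parties must honour the key usage restriction.
        x509v3CertificateBuilder.addExtension(Extension.keyUsage, true, keyUsage);
    }
    if (null != certificatePolicy) {
        ASN1ObjectIdentifier policyObjectIdentifier = new ASN1ObjectIdentifier(certificatePolicy);
        PolicyInformation policyInformation = new PolicyInformation(policyObjectIdentifier);
        x509v3CertificateBuilder.addExtension(Extension.certificatePolicies, false,
                new DERSequence(policyInformation));
    }
    if (null != qcCompliance) {
        ASN1EncodableVector vec = new ASN1EncodableVector();
        if (qcCompliance) {
            vec.add(new QCStatement(QCStatement.id_etsi_qcs_QcCompliance));
        } else {
            vec.add(new QCStatement(QCStatement.id_etsi_qcs_RetentionPeriod));
        }
        if (qcSSCD) {
            vec.add(new QCStatement(QCStatement.id_etsi_qcs_QcSSCD));
        }
        x509v3CertificateBuilder.addExtension(Extension.qCStatements, true, new DERSequence(vec));
    }
    if (ocspResponder) {
        // id-pkix-ocsp-nocheck: clients do not check this responder certificate for revocation.
        x509v3CertificateBuilder.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, DERNull.INSTANCE);
    }
    // All key purposes go into ONE critical extendedKeyUsage extension: the BC extensions
    // generator rejects a second extension with the same OID, so tsa and ocspResponder could
    // previously not be combined.
    KeyPurposeId[] purposes = null;
    if (tsa && ocspResponder) {
        purposes = new KeyPurposeId[] { KeyPurposeId.id_kp_timeStamping, KeyPurposeId.id_kp_OCSPSigning };
    } else if (tsa) {
        purposes = new KeyPurposeId[] { KeyPurposeId.id_kp_timeStamping };
    } else if (ocspResponder) {
        purposes = new KeyPurposeId[] { KeyPurposeId.id_kp_OCSPSigning };
    }
    if (null != purposes) {
        x509v3CertificateBuilder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(purposes));
    }

    // Signer: algorithm identifiers are derived from the JCA name; the signer itself is RSA-only.
    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithm);
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    AsymmetricKeyParameter asymmetricKeyParameter = PrivateKeyFactory.createKey(issuerPrivateKey.getEncoded());
    ContentSigner contentSigner = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(asymmetricKeyParameter);
    X509CertificateHolder x509CertificateHolder = x509v3CertificateBuilder.build(contentSigner);

    // Round-trip through the JCA factory so callers receive a standard X509Certificate.
    byte[] encodedCertificate = x509CertificateHolder.getEncoded();
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
    return (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(encodedCertificate));
}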
From source file:eu.europa.esig.dss.test.gen.CertificateService.java
License:Open Source License
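/**
 * Generate a CertificateToken suitable for a TSA: the certificate carries a single, critical
 * extendedKeyUsage extension holding id-kp-timeStamping, as RFC 3161 requires of a TSA
 * signing certificate.
 *
 * @param algorithm signature algorithm; its JCE id is handed to the BC content signer
 * @param keyPair   public key to certify and private key that signs the certificate
 * @param issuer    issuer distinguished name
 * @param subject   subject distinguished name
 * @param notBefore start of the validity period
 * @param notAfter  end of the validity period
 * @return a CertificateToken wrapping the signed certificate
 * @throws CertIOException if the extension cannot be encoded
 * @throws OperatorCreationException if the content signer cannot be created
 * @throws CertificateException if the DER bytes cannot be parsed back into an X509Certificate
 * @throws IOException if the certificate holder cannot be encoded
 */
public CertificateToken generateTspCertificate(final SignatureAlgorithm algorithm, KeyPair keyPair,
        X500Name issuer, X500Name subject, final Date notBefore, final Date notAfter)
        throws CertIOException, OperatorCreationException, CertificateException, IOException {
    final SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());

    // Serial number: RFC 5280 requires a positive, per-issuer unique integer, and CA/Browser
    // Forum practice is at least 64 bits of CSPRNG output so serials are unpredictable. The
    // previous "nextInt(10) + currentTimeMillis()" form was guessable and could collide for
    // certificates issued within the same millisecond.
    final java.security.SecureRandom secureRandom = new java.security.SecureRandom();
    BigInteger serial;
    do {
        serial = new BigInteger(64, secureRandom);
    } while (serial.signum() == 0);

    final X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(issuer, serial,
            notBefore, notAfter, subject, keyInfo);
    // Critical: relying parties must not accept this key for any other purpose.
    certBuilder.addExtension(Extension.extendedKeyUsage, true,
            new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping));

    final ContentSigner signer = new JcaContentSignerBuilder(algorithm.getJCEId())
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(keyPair.getPrivate());
    final X509CertificateHolder holder = certBuilder.build(signer);

    final X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X509")
            .generateCertificate(new ByteArrayInputStream(holder.getEncoded()));
    return new CertificateToken(cert);
}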
From source file:net.link.util.common.KeyUtils.java
License:Open Source License
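/**
 * Builds and signs an X.509 v3 certificate (self-signed when {@code issuerCert} is null).
 *
 * <p>Always adds subjectKeyIdentifier, authorityKeyIdentifier and a critical basicConstraints;
 * adds a critical extendedKeyUsage of id-kp-timeStamping when {@code timeStampingPurpose} is set
 * and an authorityInfoAccess OCSP pointer when {@code ocspUri} is given.
 *
 * @param subjectPublicKey     public key to certify
 * @param subjectDn            subject DN in string form
 * @param issuerPrivateKey     key that signs the certificate
 * @param issuerCert           issuing certificate, or {@code null} to self-sign under {@code subjectDn}
 * @param notBefore            start of validity
 * @param notAfter             end of validity
 * @param inSignatureAlgorithm JCA signature algorithm name; {@code null} selects
 *                             {@code "SHA256With" + issuerPrivateKey.getAlgorithm()}. Note that
 *                             for EC keys {@code getAlgorithm()} yields {@code "EC"}, which does
 *                             not form a valid JCA name, so pass the algorithm explicitly.
 * @param caCert               value of the basicConstraints cA flag
 * @param timeStampingPurpose  whether to add the timeStamping extended key usage
 * @param ocspUri              OCSP responder URI, or {@code null} to omit authorityInfoAccess
 * @return the signed certificate, converted through the BC provider
 * @throws InternalInconsistencyException if X.509 is unsupported, the signer cannot be built,
 *                                        or an extension cannot be encoded
 */
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn,
        PrivateKey issuerPrivateKey, @Nullable X509Certificate issuerCert, DateTime notBefore,
        DateTime notAfter, String inSignatureAlgorithm, boolean caCert, boolean timeStampingPurpose,
        @Nullable URI ocspUri) {
    try {
        // Default digest is SHA-256: SHA-1 signatures are rejected by current validators
        // (and SHA-1 collisions are practical), so a null algorithm must not fall back to it.
        String signatureAlgorithm = inSignatureAlgorithm;
        if (null == signatureAlgorithm)
            signatureAlgorithm = String.format("SHA256With%s", issuerPrivateKey.getAlgorithm());

        // Issuer name: reuse the issuer certificate's DER-encoded subject instead of parsing
        // its string form, so the issuer field matches byte-for-byte (RFC 5280 compares
        // encodings when chaining names). Self-signed certificates use the subject DN.
        X500Name issuerName;
        if (null != issuerCert)
            issuerName = X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded());
        else
            issuerName = X500Name.getInstance(new X509Principal(subjectDn).toASN1Primitive());

        X509Principal subject = new X509Principal(subjectDn);
        SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded());
        BigInteger serialNumber = new BigInteger(SERIALNUMBER_NUM_BITS, new SecureRandom());

        X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(issuerName, serialNumber,
                notBefore.toDate(), notAfter.toDate(), X500Name.getInstance(subject.toASN1Primitive()),
                publicKeyInfo);

        // prepare signer
        ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(issuerPrivateKey);

        certificateBuilder.addExtension(X509Extension.subjectKeyIdentifier, false,
                createSubjectKeyId(subjectPublicKey));

        // AKID: issuer's key, or the subject's own key for a self-signed certificate.
        PublicKey issuerPublicKey;
        if (null != issuerCert)
            issuerPublicKey = issuerCert.getPublicKey();
        else
            issuerPublicKey = subjectPublicKey;
        certificateBuilder.addExtension(X509Extension.authorityKeyIdentifier, false,
                createAuthorityKeyId(issuerPublicKey));

        // RFC 5280 4.2.1.9: basicConstraints MUST be critical in CA certificates (it was
        // previously added non-critical, which lets a lax validator ignore the cA flag).
        certificateBuilder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(caCert));

        if (timeStampingPurpose)
            certificateBuilder.addExtension(X509Extension.extendedKeyUsage, true,
                    new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping));

        if (null != ocspUri) {
            GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri.toString());
            AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess(
                    X509ObjectIdentifiers.ocspAccessMethod, ocspName);
            certificateBuilder.addExtension(X509Extension.authorityInfoAccess, false, authorityInformationAccess);
        }

        // build
        return new JcaX509CertificateConverter().setProvider("BC")
                .getCertificate(certificateBuilder.build(signer));
    } catch (CertificateException e) {
        throw new InternalInconsistencyException("X.509 is not supported.", e);
    } catch (OperatorCreationException e) {
        throw new InternalInconsistencyException(e);
    } catch (CertIOException e) {
        throw new InternalInconsistencyException(e);
    }
}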
From source file:net.link.util.test.pkix.PkiTestUtils.java
License:Open Source License
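/**
 * Builds and signs an X.509 v3 certificate for PKI tests (self-signed when {@code issuerCert}
 * is null).
 *
 * <p>Always adds subjectKeyIdentifier and basicConstraints; adds authorityKeyIdentifier when
 * {@code includeAuthorityKeyIdentifier} is set, a critical extendedKeyUsage of
 * id-kp-timeStamping when {@code timeStampingPurpose} is set, and an authorityInfoAccess OCSP
 * pointer when {@code ocspUri} is given.
 *
 * @param subjectPublicKey              public key to certify
 * @param subjectDn                     subject DN in string form
 * @param issuerPrivateKey              key that signs the certificate
 * @param issuerCert                    issuing certificate, or {@code null} to self-sign
 * @param notBefore                     start of validity
 * @param notAfter                      end of validity
 * @param signatureAlgorithm            JCA signature algorithm name; {@code null} selects
 *                                      {@code SHA512WithRSAEncryption}
 * @param includeAuthorityKeyIdentifier whether to add an AKID (from the issuer's key, or the
 *                                      subject's own key when self-signed)
 * @param caCert                        value of the basicConstraints cA flag; also makes the
 *                                      extension critical, as RFC 5280 requires for CA certificates
 * @param timeStampingPurpose           whether to add the timeStamping extended key usage
 * @param ocspUri                       OCSP responder URI, or {@code null} to omit authorityInfoAccess
 * @return the signed certificate, converted through the BC provider
 * @throws IOException if an extension cannot be encoded
 * @throws CertificateException if the certificate cannot be converted
 * @throws OperatorCreationException if the content signer cannot be built
 */
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn,
        PrivateKey issuerPrivateKey, @Nullable X509Certificate issuerCert, DateTime notBefore,
        DateTime notAfter, @Nullable String signatureAlgorithm, boolean includeAuthorityKeyIdentifier,
        boolean caCert, boolean timeStampingPurpose, @Nullable URI ocspUri)
        throws IOException, CertificateException, OperatorCreationException {
    String finalSignatureAlgorithm = signatureAlgorithm;
    if (null == signatureAlgorithm)
        finalSignatureAlgorithm = "SHA512WithRSAEncryption";

    // Issuer name: reuse the issuer certificate's DER-encoded subject instead of parsing its
    // string form, so the issuer field matches byte-for-byte (RFC 5280 compares encodings when
    // chaining names). Self-signed certificates use the subject DN for both fields.
    X500Name issuerName;
    if (null != issuerCert)
        issuerName = X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded());
    else
        issuerName = X500Name.getInstance(new X509Principal(subjectDn).toASN1Primitive());

    X509Principal subject = new X509Principal(subjectDn);
    SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded());
    BigInteger serialNumber = new BigInteger(SERIALNUMBER_NUM_BITS, new SecureRandom());

    X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(issuerName, serialNumber,
            notBefore.toDate(), notAfter.toDate(), X500Name.getInstance(subject.toASN1Primitive()),
            publicKeyInfo);

    // prepare signer
    ContentSigner signer = new JcaContentSignerBuilder(finalSignatureAlgorithm).build(issuerPrivateKey);

    // add extensions
    certificateBuilder.addExtension(X509Extension.subjectKeyIdentifier, false,
            createSubjectKeyId(subjectPublicKey));

    PublicKey issuerPublicKey;
    if (null != issuerCert)
        issuerPublicKey = issuerCert.getPublicKey();
    else
        issuerPublicKey = subjectPublicKey;
    if (includeAuthorityKeyIdentifier)
        certificateBuilder.addExtension(X509Extension.authorityKeyIdentifier, false,
                createAuthorityKeyId(issuerPublicKey));

    // RFC 5280 4.2.1.9: basicConstraints MUST be critical in CA certificates and MAY be in
    // end-entity certificates, so the criticality follows the cA flag. It used to be
    // non-critical even for CA certificates.
    certificateBuilder.addExtension(X509Extension.basicConstraints, caCert, new BasicConstraints(caCert));

    if (timeStampingPurpose)
        certificateBuilder.addExtension(X509Extension.extendedKeyUsage, true,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping));

    if (null != ocspUri) {
        GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier,
                new DERIA5String(ocspUri.toString()));
        AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess(
                X509ObjectIdentifiers.ocspAccessMethod, ocspName);
        certificateBuilder.addExtension(X509Extension.authorityInfoAccess, false, authorityInformationAccess);
    }

    // build
    return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateBuilder.build(signer));
}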
From source file:org.glite.slcs.pki.CertificateExtensionFactory.java
License:eu-egee.org license
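/**
 * Creates a CertificateExtension. The id can be the OID or the name as
 * defined below. The values is a comma separated list of value(s)
 * <p>
 * Valid names and values:
 * <ul>
 * <li>KeyUsage
 * <ul>
 * <li>DigitalSignature
 * <li>NonRepudiation
 * <li>KeyEncipherment
 * <li>DataEncipherment
 * <li>KeyAgreement
 * <li>KeyCertSign
 * <li>CRLSign
 * <li>EncipherOnly
 * <li>DecipherOnly
 * </ul>
 * <li>ExtendedKeyUsage
 * <ul>
 * <li>AnyExtendedKeyUsage
 * <li>ServerAuth
 * <li>ClientAuth
 * <li>CodeSigning
 * <li>EmailProtection
 * <li>IPSecEndSystem
 * <li>IPSecTunnel
 * <li>IPSecUser
 * <li>TimeStamping
 * <li>OCSPSigning
 * <li>Smartcardlogon
 * </ul>
 * <li>CertificatePolicies
 * <ul>
 * <li>The policy OID(s)
 * </ul>
 * <li>SubjectAltName
 * <ul>
 * <li>email:EMAIL_ADDRESS
 * <li>dns:HOSTNAME
 * </ul>
 * </ul>
 * <p>
 * Unknown KeyUsage / ExtendedKeyUsage entries are logged and skipped; the remaining
 * entries are still used.
 * <p>
 * Example:
 * <pre>
 * CertificateExtension keyUsageExtension =
 *     CertificateExtensionFactory.createCertificateExtension("KeyUsage", "DigitalSignature,KeyEncipherment");
 * CertificateExtension subjectAltNameExtension =
 *     CertificateExtensionFactory.createCertificateExtension("SubjectAltName", "email:john.doe@example.com,dns:www.example.com");
 * </pre>
 *
 * @param id
 *            The name or the OID of the extension.
 * @param values
 *            A comma separated list of extension value(s).
 * @return The corresponding CertificateExtension or <code>null</code> if
 *         the id (name or oid) is not supported.
 */
public static CertificateExtension createCertificateExtension(String id, String values) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("id:" + id + " value(s):" + values);
    }
    if (id.equals(X509Extensions.KeyUsage.getId()) || id.equalsIgnoreCase("KeyUsage")) {
        return createKeyUsageExtension(parseKeyUsageBits(values), values);
    } else if (id.equals(X509Extensions.ExtendedKeyUsage.getId()) || id.equalsIgnoreCase("ExtendedKeyUsage")) {
        return createExtendedKeyUsageExtension(parseKeyPurposeIds(values), values);
    } else if (id.equals(X509Extensions.CertificatePolicies.getId()) || id.equalsIgnoreCase("CertificatePolicies")) {
        // values is a comma separated list of policy OIDs
        return createCertificatePoliciesExtension(splitTrimmed(values), values);
    } else if (id.equals(X509Extensions.SubjectAlternativeName.getId()) || id.equalsIgnoreCase("SubjectAltName")) {
        // values is a comma separated list of alternative names prefixed with
        // the type (email: or dns:)
        return createSubjectAltNameExtension(splitTrimmed(values), values);
    }
    LOG.error("Unsupported CertificateExtension: " + id);
    return null;
}

/**
 * Splits a comma separated list into its trimmed entries, in order. Consecutive commas
 * produce no entry (StringTokenizer skips empty tokens).
 *
 * @param values comma separated list
 * @return the entries; a raw Vector because the create*Extension helpers take one
 */
private static Vector splitTrimmed(String values) {
    Vector entries = new Vector();
    StringTokenizer st = new StringTokenizer(values, ",");
    while (st.hasMoreTokens()) {
        entries.add(st.nextToken().trim());
    }
    return entries;
}

/**
 * Parses a comma separated list of KeyUsage names into the KeyUsage bit mask.
 *
 * @param values comma separated KeyUsage names (case-insensitive)
 * @return the OR of the recognised flags; unknown names are logged and ignored
 */
private static int parseKeyUsageBits(String values) {
    // Bitwise OR, not addition: each KeyUsage constant is a single bit, so "+=" of a
    // repeated name ("DigitalSignature,DigitalSignature") carried into an unrelated bit
    // and granted a usage the caller never asked for.
    int usage = 0;
    StringTokenizer st = new StringTokenizer(values, ",");
    while (st.hasMoreTokens()) {
        String keyUsage = st.nextToken().trim();
        if (keyUsage.equalsIgnoreCase("DigitalSignature")) {
            usage |= KeyUsage.digitalSignature;
        } else if (keyUsage.equalsIgnoreCase("NonRepudiation")) {
            usage |= KeyUsage.nonRepudiation;
        } else if (keyUsage.equalsIgnoreCase("KeyEncipherment")) {
            usage |= KeyUsage.keyEncipherment;
        } else if (keyUsage.equalsIgnoreCase("DataEncipherment")) {
            usage |= KeyUsage.dataEncipherment;
        } else if (keyUsage.equalsIgnoreCase("KeyAgreement")) {
            usage |= KeyUsage.keyAgreement;
        } else if (keyUsage.equalsIgnoreCase("KeyCertSign")) {
            usage |= KeyUsage.keyCertSign;
        } else if (keyUsage.equalsIgnoreCase("CRLSign")) {
            usage |= KeyUsage.cRLSign;
        } else if (keyUsage.equalsIgnoreCase("EncipherOnly")) {
            usage |= KeyUsage.encipherOnly;
        } else if (keyUsage.equalsIgnoreCase("DecipherOnly")) {
            usage |= KeyUsage.decipherOnly;
        } else {
            LOG.error("Unknown KeyUsage: " + keyUsage);
        }
    }
    return usage;
}

/**
 * Parses a comma separated list of ExtendedKeyUsage names into KeyPurposeId objects.
 *
 * @param values comma separated key purpose names (case-insensitive)
 * @return the recognised KeyPurposeIds in input order; unknown names are logged and ignored
 */
private static Vector parseKeyPurposeIds(String values) {
    Vector keyPurposeIds = new Vector();
    StringTokenizer st = new StringTokenizer(values, ",");
    while (st.hasMoreTokens()) {
        String keyPurpose = st.nextToken().trim();
        if (keyPurpose.equalsIgnoreCase("AnyExtendedKeyUsage")) {
            keyPurposeIds.add(KeyPurposeId.anyExtendedKeyUsage);
        } else if (keyPurpose.equalsIgnoreCase("ServerAuth")) {
            keyPurposeIds.add(KeyPurposeId.id_kp_serverAuth);
        } else if (keyPurpose.equalsIgnoreCase("ClientAuth")) {
            keyPurposeIds.add(KeyPurposeId.id_kp_clientAuth);
        } else if (keyPurpose.equalsIgnoreCase("CodeSigning")) {
            keyPurposeIds.add(KeyPurposeId.id_kp_codeSigning);
        } else if (keyPurpose.equalsIgnoreCase("EmailProtection")) {
            keyPurposeIds.add(KeyPurposeId.id_kp_emailProtection);
        } else if (keyPurpose.equalsIgnoreCase("IPSecEndSystem")) {
            keyPurposeIds.add(KeyPurposeId.id_kp_ipsecEndSystem);
        } else if (keyPurpose.equalsIgnoreCase("IPSecTunnel")) {
            keyPurposeIds.add(KeyPurposeId.id_kp_ipsecTunnel);
        } else if (keyPurpose.equalsIgnoreCase("IPSecUser")) {
            keyPurposeIds.add(KeyPurposeId.id_kp_ipsecUser);
        } else if (keyPurpose.equalsIgnoreCase("TimeStamping")) {
            keyPurposeIds.add(KeyPurposeId.id_kp_timeStamping);
        } else if (keyPurpose.equalsIgnoreCase("OCSPSigning")) {
            keyPurposeIds.add(KeyPurposeId.id_kp_OCSPSigning);
        } else if (keyPurpose.equalsIgnoreCase("Smartcardlogon")) {
            keyPurposeIds.add(KeyPurposeId.id_kp_smartcardlogon);
        } else {
            LOG.error("Unknown ExtendedKeyUsage: " + keyPurpose);
        }
    }
    return keyPurposeIds;
}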
From source file:org.mailster.gui.dialogs.CertificateDialog.java
License:Open Source License
/**
 * Appends one tree node under {@code parent} describing the extension {@code oid} of
 * {@code extensions}.
 *
 * <p>The node text starts with a critical / non-critical marker, followed by a decoded
 * summary for the extensions this dialog understands (basicConstraints, keyUsage, subject and
 * authority key identifiers, Netscape revocation URL, VeriSign CZAG, CRL number, reason code,
 * Netscape cert type, extended key usage). Any other extension is shown as its OID plus the
 * raw extension bytes taken from {@code cert}.
 *
 * @param parent     tree item the new node is attached to
 * @param cert       the certificate; only consulted for the raw bytes of unknown extensions
 * @param extensions decoded extension set the OID is looked up in
 * @param oid        dotted-decimal OID of the extension to render
 */
private void generateExtensionNode(TreeItem parent, X509Certificate cert, X509Extensions extensions, String oid) {
    DERObjectIdentifier derOID = new DERObjectIdentifier(oid);
    // NOTE(review): getExtension() presumably returns null for an OID that is not in the
    // set; that would NPE on the next line, outside the try/catch below. Confirm callers only
    // pass OIDs enumerated from this same extension set.
    X509Extension ext = extensions.getExtension(derOID);
    if (ext.getValue() == null)
        return;
    byte[] octs = ext.getValue().getOctets();
    // Parses the extension's inner DER value. The stream is never closed; it is backed by a
    // byte array, so no OS resource is held.
    ASN1InputStream dIn = new ASN1InputStream(octs);
    StringBuilder buf = new StringBuilder();
    try {
        // Criticality marker comes first in every node.
        if (ext.isCritical())
            buf.append(Messages.getString("MailsterSWT.dialog.certificate.criticalExt")); //$NON-NLS-1$
        else
            buf.append(Messages.getString("MailsterSWT.dialog.certificate.nonCriticalExt")); //$NON-NLS-1$
        if (derOID.equals(X509Extensions.BasicConstraints)) {
            BasicConstraints bc = new BasicConstraints((ASN1Sequence) dIn.readObject());
            if (bc.isCA())
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.BasicConstraints.isCA")); //$NON-NLS-1$
            else
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.BasicConstraints.notCA")); //$NON-NLS-1$
            buf.append(Messages.getString("MailsterSWT.dialog.certificate.BasicConstraints.maxIntermediateCA")); //$NON-NLS-1$
            // An absent pathLenConstraint means unbounded; some issuers encode Integer.MAX_VALUE
            // for the same purpose, so both are displayed as "unlimited".
            if (bc.getPathLenConstraint() == null || bc.getPathLenConstraint().intValue() == Integer.MAX_VALUE)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.BasicConstraints.unlimited")); //$NON-NLS-1$
            else
                buf.append(bc.getPathLenConstraint()).append('\n');
            generateNode(parent, Messages.getString(oid), buf);
        } else if (derOID.equals(X509Extensions.KeyUsage)) {
            // One label per set key usage bit.
            KeyUsage us = new KeyUsage((DERBitString) dIn.readObject());
            if ((us.intValue() & KeyUsage.digitalSignature) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.digitalSignature")); //$NON-NLS-1$
            if ((us.intValue() & KeyUsage.nonRepudiation) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.nonRepudiation")); //$NON-NLS-1$
            if ((us.intValue() & KeyUsage.keyEncipherment) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.keyEncipherment")); //$NON-NLS-1$
            if ((us.intValue() & KeyUsage.dataEncipherment) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.dataEncipherment")); //$NON-NLS-1$
            if ((us.intValue() & KeyUsage.keyAgreement) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.keyAgreement")); //$NON-NLS-1$
            if ((us.intValue() & KeyUsage.keyCertSign) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.keyCertSign")); //$NON-NLS-1$
            if ((us.intValue() & KeyUsage.cRLSign) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.cRLSign")); //$NON-NLS-1$
            if ((us.intValue() & KeyUsage.encipherOnly) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.encipherOnly")); //$NON-NLS-1$
            if ((us.intValue() & KeyUsage.decipherOnly) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.decipherOnly")); //$NON-NLS-1$
            generateNode(parent, Messages.getString(oid), buf);
        } else if (derOID.equals(X509Extensions.SubjectKeyIdentifier)) {
            SubjectKeyIdentifier id = new SubjectKeyIdentifier((DEROctetString) dIn.readObject());
            generateNode(parent, Messages.getString(oid),
                    buf.toString() + CertificateUtilities.byteArrayToString(id.getKeyIdentifier()));
        } else if (derOID.equals(X509Extensions.AuthorityKeyIdentifier)) {
            // Only the authorityCertSerialNumber is shown (null when the AKID carries just
            // the key identifier); the keyIdentifier field itself is not rendered.
            AuthorityKeyIdentifier id = new AuthorityKeyIdentifier((ASN1Sequence) dIn.readObject());
            generateNode(parent, Messages.getString(oid), buf.toString() + id.getAuthorityCertSerialNumber());
        } else if (derOID.equals(MiscObjectIdentifiers.netscapeRevocationURL)) {
            buf.append(new NetscapeRevocationURL((DERIA5String) dIn.readObject())).append("\n");
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else if (derOID.equals(MiscObjectIdentifiers.verisignCzagExtension)) {
            buf.append(new VerisignCzagExtension((DERIA5String) dIn.readObject())).append("\n");
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else if (derOID.equals(X509Extensions.CRLNumber)) {
            buf.append((DERInteger) dIn.readObject()).append("\n");
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else if (derOID.equals(X509Extensions.ReasonCode)) {
            // One label per set reason flag.
            ReasonFlags rf = new ReasonFlags((DERBitString) dIn.readObject());
            if ((rf.intValue() & ReasonFlags.unused) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.unused")); //$NON-NLS-1$
            if ((rf.intValue() & ReasonFlags.keyCompromise) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.keyCompromise")); //$NON-NLS-1$
            if ((rf.intValue() & ReasonFlags.cACompromise) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.cACompromise")); //$NON-NLS-1$
            if ((rf.intValue() & ReasonFlags.affiliationChanged) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.affiliationChanged")); //$NON-NLS-1$
            if ((rf.intValue() & ReasonFlags.superseded) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.superseded")); //$NON-NLS-1$
            if ((rf.intValue() & ReasonFlags.cessationOfOperation) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.cessationOfOperation")); //$NON-NLS-1$
            if ((rf.intValue() & ReasonFlags.certificateHold) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.certificateHold")); //$NON-NLS-1$
            if ((rf.intValue() & ReasonFlags.privilegeWithdrawn) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.privilegeWithdrawn")); //$NON-NLS-1$
            if ((rf.intValue() & ReasonFlags.aACompromise) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.aACompromise")); //$NON-NLS-1$
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else if (derOID.equals(MiscObjectIdentifiers.netscapeCertType)) {
            // One label per set Netscape cert-type bit.
            NetscapeCertType type = new NetscapeCertType((DERBitString) dIn.readObject());
            if ((type.intValue() & NetscapeCertType.sslClient) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.sslClient")); //$NON-NLS-1$
            if ((type.intValue() & NetscapeCertType.sslServer) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.sslServer")); //$NON-NLS-1$
            if ((type.intValue() & NetscapeCertType.smime) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.smime")); //$NON-NLS-1$
            if ((type.intValue() & NetscapeCertType.objectSigning) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.objectSigning")); //$NON-NLS-1$
            if ((type.intValue() & NetscapeCertType.reserved) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.reserved")); //$NON-NLS-1$
            if ((type.intValue() & NetscapeCertType.sslCA) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.sslCA")); //$NON-NLS-1$
            if ((type.intValue() & NetscapeCertType.smimeCA) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.smimeCA")); //$NON-NLS-1$
            if ((type.intValue() & NetscapeCertType.objectSigningCA) > 0)
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.objectSigningCA")); //$NON-NLS-1$
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else if (derOID.equals(X509Extensions.ExtendedKeyUsage)) {
            // One label per recognised key purpose; purposes outside this list are not shown.
            ExtendedKeyUsage eku = new ExtendedKeyUsage((ASN1Sequence) dIn.readObject());
            if (eku.hasKeyPurposeId(KeyPurposeId.anyExtendedKeyUsage))
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.anyExtendedKeyUsage")); //$NON-NLS-1$
            if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_clientAuth))
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_clientAuth")); //$NON-NLS-1$
            if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_codeSigning))
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_codeSigning")); //$NON-NLS-1$
            if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_emailProtection))
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_emailProtection")); //$NON-NLS-1$
            if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_ipsecEndSystem))
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_ipsecEndSystem")); //$NON-NLS-1$
            if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_ipsecTunnel))
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_ipsecTunnel")); //$NON-NLS-1$
            if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_ipsecUser))
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_ipsecUser")); //$NON-NLS-1$
            if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning))
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_OCSPSigning")); //$NON-NLS-1$
            if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_serverAuth))
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_serverAuth")); //$NON-NLS-1$
            if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_smartcardlogon))
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_smartcardlogon")); //$NON-NLS-1$
            if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_timeStamping))
                buf.append(Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_timeStamping")); //$NON-NLS-1$
            generateNode(parent, Messages.getString(oid), buf.toString());
        } else
            // Unknown extension: label it by OID (dots replaced by spaces) and dump the raw
            // extension value from the certificate.
            generateNode(parent, MessageFormat.format(Messages.getString("MailsterSWT.dialog.certificate.objectIdentifier"), //$NON-NLS-1$
                    new Object[] { oid.replace('.', ' ') }), CertificateUtilities.byteArrayToString((cert.getExtensionValue(oid))));
    } catch (Exception ex) {
        // Any decode failure (wrong ASN.1 type, truncated value) is only printed; since
        // generateNode() is the last statement of every branch, no node is added for the
        // extension and the caller is not told.
        ex.printStackTrace();
    }
}
From source file:org.signserver.module.tsa.MSAuthCodeTimeStampSigner.java
License:Open Source License
/**
 * Collects the configuration problems that make this signer unusable.
 *
 * <p>On top of the errors reported by the superclass and those gathered into
 * {@code configErrors}, this verifies that the certificate chain was found valid when
 * required, that the signer certificate is an X.509 certificate whose critical
 * extendedKeyUsage contains id-kp-timeStamping and nothing else, and that the time source
 * can supply a generation time. Diagnostics go to the debug log; the returned messages are
 * what the operator sees.
 *
 * @return a mutable list of error messages, empty when the signer is fully configured
 */
@Override
protected List<String> getFatalErrors() {
    final List<String> errors = new LinkedList<String>(super.getFatalErrors());
    errors.addAll(configErrors);

    // Chain validity was established when the worker was configured; just report it.
    if (!validChain) {
        errors.add("Not strictly valid chain and " + REQUIREVALIDCHAIN + " specified");
        logSignerDebug(REQUIREVALIDCHAIN + " specified but the chain was not found valid");
    }

    try {
        final Certificate signingCertificate = getSigningCertificate();
        if (signingCertificate instanceof X509Certificate) {
            try {
                checkTimeStampingEku((X509Certificate) signingCertificate, errors);
            } catch (CertificateParsingException ex) {
                errors.add("Unable to parse certificate");
                logSignerDebug("Unable to parse certificate: " + ex.getMessage());
            }
        } else {
            errors.add("Unsupported certificate type");
        }
    } catch (CryptoTokenOfflineException ex) {
        errors.add("No signer certificate available");
        logSignerDebug("Could not get signer certificate: " + ex.getMessage());
    }

    if (timeSource.getGenTime() == null) {
        errors.add("Time source not available");
        logSignerDebug("time source not available");
    }
    return errors;
}

/**
 * Appends to {@code errors} every way the certificate's extended key usage deviates from
 * what this time-stamp signer requires: id-kp-timeStamping present, the extension marked
 * critical, and no other key purpose alongside it.
 *
 * @param cert   the signer certificate
 * @param errors list the error messages are added to
 * @throws CertificateParsingException if the extendedKeyUsage extension cannot be decoded
 */
private static void checkTimeStampingEku(final X509Certificate cert, final List<String> errors)
        throws CertificateParsingException {
    final String timeStampingOid = KeyPurposeId.id_kp_timeStamping.getId();
    final List<String> ekus = cert.getExtendedKeyUsage();
    final boolean hasTimeStamping = ekus != null && ekus.contains(timeStampingOid);
    if (!hasTimeStamping) {
        errors.add("Missing extended key usage timeStamping");
    }

    final String ekuExtensionOid = org.bouncycastle.asn1.x509.X509Extension.extendedKeyUsage.getId();
    final boolean ekuCritical = cert.getCriticalExtensionOIDs() != null
            && cert.getCriticalExtensionOIDs().contains(ekuExtensionOid);
    if (!ekuCritical) {
        errors.add("The extended key usage extension must be present and marked as critical");
    }

    // timeStamping together with any other purpose is rejected.
    if (hasTimeStamping && ekus.size() > 1) {
        errors.add("No other extended key usages than timeStamping is allowed");
    }
}

/**
 * Writes a worker-prefixed message to the debug log when debug logging is enabled.
 *
 * @param message text to log after the "Signer &lt;workerId&gt;: " prefix
 */
private void logSignerDebug(final String message) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("Signer " + workerId + ": " + message);
    }
}
From source file:org.signserver.module.tsa.MSAuthCodeTimeStampSignerTest.java
License:Open Source License
/**
 * A signer certificate whose extendedKeyUsage holds timeStamping but is not marked
 * critical must be reported as a configuration error.
 *
 * @throws Exception propagated from the test helper
 */
public void testWithTimestampingEKUNoCritical() throws Exception {
    // Argument order follows the other callers of testWithEKUs: purposes, whether the
    // extension is critical, whether an error is expected, and the expected message.
    final KeyPurposeId[] purposes = { KeyPurposeId.id_kp_timeStamping };
    final boolean critical = false;
    final boolean expectError = true;
    testWithEKUs(purposes, critical, expectError,
            "The extended key usage extension must be present and marked as critical");
}
From source file:org.signserver.module.tsa.MSAuthCodeTimeStampSignerTest.java
License:Open Source License
/**
 * A signer certificate whose extendedKeyUsage holds only timeStamping and is marked
 * critical is accepted without any configuration error.
 *
 * @throws Exception propagated from the test helper
 */
public void testWithTimestampingEKUCritical() throws Exception {
    // Argument order follows the other callers of testWithEKUs: purposes, whether the
    // extension is critical, whether an error is expected, and the expected message (none).
    final KeyPurposeId[] purposes = { KeyPurposeId.id_kp_timeStamping };
    final boolean critical = true;
    final boolean expectError = false;
    testWithEKUs(purposes, critical, expectError, null);
}
From source file:org.signserver.module.tsa.MSAuthCodeTimeStampSignerTest.java
License:Open Source License
/**
 * A signer certificate that carries another key purpose (emailProtection) next to
 * timeStamping must be reported as a configuration error, even though the extension is
 * critical.
 *
 * @throws Exception propagated from the test helper
 */
public void testWithAdditionalEKU() throws Exception {
    // Argument order follows the other callers of testWithEKUs: purposes, whether the
    // extension is critical, whether an error is expected, and the expected message.
    final KeyPurposeId[] purposes = {
        KeyPurposeId.id_kp_timeStamping,
        KeyPurposeId.id_kp_emailProtection
    };
    final boolean critical = true;
    final boolean expectError = true;
    testWithEKUs(purposes, critical, expectError,
            "No other extended key usages than timeStamping is allowed");
}