List of usage examples for org.bouncycastle.asn1.x509.qualified RFC3739QCObjectIdentifiers id_qcs_pkixQCSyntax_v2
ASN1ObjectIdentifier id_qcs_pkixQCSyntax_v2
To view the source code for org.bouncycastle.asn1.x509.qualified RFC3739QCObjectIdentifiers id_qcs_pkixQCSyntax_v2.
Click Source Link
From source file:org.cesecore.certificates.certificate.certextensions.standard.QcStatement.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) throws CertificateExtensionException { DERSequence ret = null;//from ww w . j a va2 s .com final String names = certProfile.getQCStatementRAName(); final GeneralNames san = CertTools.getGeneralNamesFromAltName(names); SemanticsInformation si = null; if (san != null) { if (StringUtils.isNotEmpty(certProfile.getQCSemanticsId())) { si = new SemanticsInformation(new ASN1ObjectIdentifier(certProfile.getQCSemanticsId()), san.getNames()); } else { si = new SemanticsInformation(san.getNames()); } } else if (StringUtils.isNotEmpty(certProfile.getQCSemanticsId())) { si = new SemanticsInformation(new ASN1ObjectIdentifier(certProfile.getQCSemanticsId())); } final ArrayList<QCStatement> qcs = new ArrayList<QCStatement>(); QCStatement qc = null; // First the standard rfc3739 QCStatement with an optional SematicsInformation // We never add RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v1. This is so old so we think it has never been used in the wild basically. // That means no need to have code we have to maintain for that. if (certProfile.getUsePkixQCSyntaxV2()) { ASN1ObjectIdentifier pkixQcSyntax = RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v2; if ((si != null)) { qc = new QCStatement(pkixQcSyntax, si); qcs.add(qc); } else { qc = new QCStatement(pkixQcSyntax); qcs.add(qc); } } // ETSI Statement that the certificate is a Qualified Certificate if (certProfile.getUseQCEtsiQCCompliance()) { qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_QcCompliance); qcs.add(qc); } // ETSI Statement regarding limit on the value of transactions // Both value and currency must be available for this extension if (certProfile.getUseQCEtsiValueLimit() && (certProfile.getQCEtsiValueLimit() >= 0) && (certProfile.getQCEtsiValueLimitCurrency() != null)) { final int limit = certProfile.getQCEtsiValueLimit(); // The exponent should be default 0 final int exponent = certProfile.getQCEtsiValueLimitExp(); final MonetaryValue value = new MonetaryValue( new Iso4217CurrencyCode(certProfile.getQCEtsiValueLimitCurrency()), limit, exponent); qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_LimiteValue, value); qcs.add(qc); } if (certProfile.getUseQCEtsiRetentionPeriod()) { final ASN1Integer years = new ASN1Integer(((Integer) certProfile.getQCEtsiRetentionPeriod())); qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_RetentionPeriod, years); qcs.add(qc); } // ETSI Statement claiming that the private key resides in a Signature Creation Device if (certProfile.getUseQCEtsiSignatureDevice()) { qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_QcSSCD); qcs.add(qc); } // Custom UTF8String QC-statement: // qcStatement-YourCustom QC-STATEMENT ::= { SYNTAX YourCustomUTF8String // IDENTIFIED BY youroid } // -- This statement gives you the possibility to define your own QC-statement // -- using an OID and a simple UTF8String, with describing text. A sample text could for example be: // -- This certificate, according to Act. No. xxxx Electronic Signature Law is a qualified electronic certificate // // YourCustomUTF8String ::= UTF8String if (certProfile.getUseQCCustomString() && !StringUtils.isEmpty(certProfile.getQCCustomStringOid()) && !StringUtils.isEmpty(certProfile.getQCCustomStringText())) { final DERUTF8String str = new DERUTF8String(certProfile.getQCCustomStringText()); final ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier(certProfile.getQCCustomStringOid()); qc = new QCStatement(oid, str); qcs.add(qc); } if (!qcs.isEmpty()) { final ASN1EncodableVector vec = new ASN1EncodableVector(); final Iterator<QCStatement> iter = qcs.iterator(); while (iter.hasNext()) { final QCStatement q = (QCStatement) iter.next(); vec.add(q); } ret = new DERSequence(vec); } if (ret == null) { log.error( "Qualified certificate statements extension has been enabled, but no statements were included!"); throw new CertificateExtensionException( "If qualified certificate statements extension has been enabled, at least one statement must be included!"); } return ret; }
From source file:org.cesecore.certificates.util.cert.QCStatementExtension.java
License:Open Source License
/** Returns the 'NameRegistrationAuthorities' defined in the QCStatement extension (rfc3739). * //from w ww .j a v a 2 s.c o m * @param cert Certificate containing the extension * @return String with for example 'rfc822Name=foo2bar.se, rfc822Name=bar2foo.se' etc. Supports email, dns and uri name, or null of no RAs are found. * @throws IOException if there is a problem parsing the certificate */ public static String getQcStatementAuthorities(final Certificate cert) throws IOException { String ret = null; if (cert instanceof X509Certificate) { final X509Certificate x509cert = (X509Certificate) cert; final ASN1Primitive obj = getExtensionValue(x509cert, Extension.qCStatements.getId()); if (obj == null) { return null; } final ASN1Sequence seq = (ASN1Sequence) obj; SemanticsInformation si = null; // Look through all the QCStatements and see if we have a standard RFC3739 pkixQCSyntax for (int i = 0; i < seq.size(); i++) { final QCStatement qc = QCStatement.getInstance(seq.getObjectAt(i)); final ASN1ObjectIdentifier oid = qc.getStatementId(); if ((oid != null) && (oid.equals(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v1) || oid.equals(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v2))) { // We MAY have a SemanticsInformation object here final ASN1Encodable enc = qc.getStatementInfo(); if (enc != null) { si = SemanticsInformation.getInstance(enc); // We can break the loop now, we got it! break; } } } if (si != null) { final GeneralName[] gns = si.getNameRegistrationAuthorities(); if (gns == null) { return null; } final StringBuilder strBuf = new StringBuilder(); for (int i = 0; i < gns.length; i++) { final GeneralName gn = gns[i]; if (strBuf.length() != 0) { // Append comma so we get nice formatting if there are more than one authority strBuf.append(", "); } final String str = getGeneralNameString(gn.getTagNo(), gn.getName()); if (str != null) { strBuf.append(str); } } if (strBuf.length() > 0) { ret = strBuf.toString(); } } } return ret; }
From source file:org.cesecore.util.CertToolsTest.java
License:Open Source License
@Test public void test14QCStatement() throws Exception { Certificate cert = CertTools.getCertfromByteArray(qcRefCert); // log.debug(cert); assertEquals("rfc822name=municipality@darmstadt.de", QCStatementExtension.getQcStatementAuthorities(cert)); Collection<String> ids = QCStatementExtension.getQcStatementIds(cert); assertTrue(ids.contains(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v2.getId())); Certificate cert2 = CertTools.getCertfromByteArray(qcPrimeCert); assertEquals("rfc822name=qc@primekey.se", QCStatementExtension.getQcStatementAuthorities(cert2)); ids = QCStatementExtension.getQcStatementIds(cert2); assertTrue(ids.contains(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v1.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_QcCompliance.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_QcSSCD.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_LimiteValue.getId())); String limit = QCStatementExtension.getQcStatementValueLimit(cert2); assertEquals("50000 SEK", limit); }
From source file:org.ejbca.core.ejb.ca.sign.SignSessionWithRsaTest.java
License:Open Source License
/** Tests creating a certificate with QC statement */ @Test//from w w w . ja va 2s .co m public void testQcCert() throws Exception { log.trace(">test10TestQcCert()"); final String qcCertProfileName = "TESTQC"; final String qcCertEndEntityName = "TESTQC"; // Create a good certificate profile (good enough), using QC statement certificateProfileSession.removeCertificateProfile(internalAdmin, qcCertProfileName); final CertificateProfile certprof = new CertificateProfile( CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER); certprof.setUseQCStatement(true); certprof.setQCStatementRAName("rfc822Name=qc@primekey.se"); certprof.setUseQCEtsiQCCompliance(true); certprof.setUseQCEtsiSignatureDevice(true); certprof.setUseQCEtsiValueLimit(true); certprof.setQCEtsiValueLimit(50000); certprof.setQCEtsiValueLimitCurrency("SEK"); certificateProfileSession.addCertificateProfile(internalAdmin, qcCertProfileName, certprof); int cprofile = certificateProfileSession.getCertificateProfileId(qcCertProfileName); // Create a good end entity profile (good enough), allowing multiple UPN // names endEntityProfileSession.removeEndEntityProfile(internalAdmin, qcCertProfileName); EndEntityProfile profile = new EndEntityProfile(); profile.addField(DnComponents.COUNTRY); profile.addField(DnComponents.COMMONNAME); profile.setValue(EndEntityProfile.AVAILCAS, 0, Integer.toString(SecConst.ALLCAS)); profile.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, Integer.toString(cprofile)); endEntityProfileSession.addEndEntityProfile(internalAdmin, qcCertProfileName, profile); int eeprofile = endEntityProfileSession.getEndEntityProfileId(qcCertProfileName); int rsacaid = caSession.getCAInfo(internalAdmin, getTestCAName()).getCAId(); KeyPair anotheKey = KeyTools.genKeys("1024", AlgorithmConstants.KEYALGORITHM_RSA); createEndEntity(qcCertEndEntityName, eeprofile, cprofile, rsacaid); try { // Change a user that we know... EndEntityInformation endEntity = new EndEntityInformation(qcCertEndEntityName, "C=SE,CN=qc", rsacaid, null, "foo@anatom.nu", EndEntityConstants.STATUS_NEW, EndEntityTypes.ENDUSER.toEndEntityType(), eeprofile, cprofile, null, null, SecConst.TOKEN_SOFT_PEM, 0, null); endEntity.setPassword("foo123"); endEntityManagementSession.changeUser(internalAdmin, endEntity, false); log.debug("created user: foo, foo123, C=SE, CN=qc"); X509Certificate cert = (X509Certificate) signSession.createCertificate(internalAdmin, qcCertEndEntityName, "foo123", new PublicKeyWrapper(anotheKey.getPublic())); assertNotNull("Failed to create certificate", cert); String dn = cert.getSubjectDN().getName(); assertEquals(CertTools.stringToBCDNString("cn=qc,c=SE"), CertTools.stringToBCDNString(dn)); // Since we do not have pkixQCSyntax_v1 or pkixQCSyntax_v2, no semanticsId will be added assertNull("rfc822name=qc@primekey.se", QCStatementExtension.getQcStatementAuthorities(cert)); Collection<String> ids = QCStatementExtension.getQcStatementIds(cert); // This certificate should neither have the deprecated pkixQCSyntax_v1 (we do not support it) or pkixQCSyntax_v2 (not selected9 assertFalse(ids.contains(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v1.getId())); assertFalse(ids.contains(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v2.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_QcCompliance.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_QcSSCD.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_LimiteValue.getId())); String limit = QCStatementExtension.getQcStatementValueLimit(cert); assertEquals("50000 SEK", limit); // Test pkixQCSyntax_v2, where a semanticsId will also be added certprof.setUsePkixQCSyntaxV2(true); certificateProfileSession.changeCertificateProfile(internalAdmin, qcCertProfileName, certprof); endEntityManagementSession.changeUser(internalAdmin, endEntity, false); log.debug("created user: foo, foo123, C=SE, CN=qc"); cert = (X509Certificate) signSession.createCertificate(internalAdmin, qcCertEndEntityName, "foo123", new PublicKeyWrapper(anotheKey.getPublic())); assertNotNull("Failed to create certificate", cert); dn = cert.getSubjectDN().getName(); assertEquals(CertTools.stringToBCDNString("cn=qc,c=SE"), CertTools.stringToBCDNString(dn)); // Since we have pkixQCSyntax_v2, a semanticsId will be added assertEquals("rfc822name=qc@primekey.se", QCStatementExtension.getQcStatementAuthorities(cert)); ids = QCStatementExtension.getQcStatementIds(cert); // This certificate should neither have the deprecated pkixQCSyntax_v1 (we do not support it) or pkixQCSyntax_v2 (not selected9 assertFalse(ids.contains(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v1.getId())); assertTrue(ids.contains(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v2.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_QcCompliance.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_QcSSCD.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_LimiteValue.getId())); assertEquals("50000 SEK", QCStatementExtension.getQcStatementValueLimit(cert)); } finally { // Clean up endEntityProfileSession.removeEndEntityProfile(internalAdmin, qcCertProfileName); certificateProfileSession.removeCertificateProfile(internalAdmin, qcCertProfileName); endEntityManagementSession.deleteUser(internalAdmin, qcCertEndEntityName); } log.trace("<test10TestQcCert()"); }
From source file:org.ejbca.core.model.ca.certextensions.standard.QcStatement.java
License:Open Source License
@Override public DEREncodable getValue(final UserDataVO subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey) throws CertificateExtentionConfigurationException, CertificateExtensionException { DERSequence ret = null;//from ww w .j a v a2 s.c o m final String names = certProfile.getQCStatementRAName(); final GeneralNames san = CertTools.getGeneralNamesFromAltName(names); SemanticsInformation si = null; if (san != null) { if (StringUtils.isNotEmpty(certProfile.getQCSemanticsId())) { si = new SemanticsInformation(new DERObjectIdentifier(certProfile.getQCSemanticsId()), san.getNames()); } else { si = new SemanticsInformation(san.getNames()); } } else if (StringUtils.isNotEmpty(certProfile.getQCSemanticsId())) { si = new SemanticsInformation(new DERObjectIdentifier(certProfile.getQCSemanticsId())); } final ArrayList<QCStatement> qcs = new ArrayList<QCStatement>(); QCStatement qc = null; // First the standard rfc3739 QCStatement with an optional SematicsInformation DERObjectIdentifier pkixQcSyntax = RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v1; if (certProfile.getUsePkixQCSyntaxV2()) { pkixQcSyntax = RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v2; } if ((si != null)) { qc = new QCStatement(pkixQcSyntax, si); qcs.add(qc); } else { qc = new QCStatement(pkixQcSyntax); qcs.add(qc); } // ETSI Statement that the certificate is a Qualified Certificate if (certProfile.getUseQCEtsiQCCompliance()) { qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_QcCompliance); qcs.add(qc); } // ETSI Statement regarding limit on the value of transactions // Both value and currency must be available for this extension if (certProfile.getUseQCEtsiValueLimit() && (certProfile.getQCEtsiValueLimit() >= 0) && (certProfile.getQCEtsiValueLimitCurrency() != null)) { final int limit = certProfile.getQCEtsiValueLimit(); // The exponent should be default 0 final int exponent = certProfile.getQCEtsiValueLimitExp(); final MonetaryValue value = new MonetaryValue( new Iso4217CurrencyCode(certProfile.getQCEtsiValueLimitCurrency()), limit, exponent); qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_LimiteValue, value); qcs.add(qc); } if (certProfile.getUseQCEtsiRetentionPeriod()) { final DERInteger years = new DERInteger(((Integer) certProfile.getQCEtsiRetentionPeriod())); qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_RetentionPeriod, years); qcs.add(qc); } // ETSI Statement claiming that the private key resides in a Signature Creation Device if (certProfile.getUseQCEtsiSignatureDevice()) { qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_QcSSCD); qcs.add(qc); } // Custom UTF8String QC-statement: // qcStatement-YourCustom QC-STATEMENT ::= { SYNTAX YourCustomUTF8String // IDENTIFIED BY youroid } // -- This statement gives you the possibility to define your own QC-statement // -- using an OID and a simple UTF8String, with describing text. A sample text could for example be: // -- This certificate, according to Act. No. xxxx Electronic Signature Law is a qualified electronic certificate // // YourCustomUTF8String ::= UTF8String if (certProfile.getUseQCCustomString() && !StringUtils.isEmpty(certProfile.getQCCustomStringOid()) && !StringUtils.isEmpty(certProfile.getQCCustomStringText())) { final DERUTF8String str = new DERUTF8String(certProfile.getQCCustomStringText()); final DERObjectIdentifier oid = new DERObjectIdentifier(certProfile.getQCCustomStringOid()); qc = new QCStatement(oid, str); qcs.add(qc); } if (!qcs.isEmpty()) { final ASN1EncodableVector vec = new ASN1EncodableVector(); final Iterator<QCStatement> iter = qcs.iterator(); while (iter.hasNext()) { final QCStatement q = (QCStatement) iter.next(); vec.add(q); } ret = new DERSequence(vec); } if (ret == null) { log.error("QcStatements is used, but no statement defined!"); } return ret; }
From source file:org.ejbca.util.cert.QCStatementExtension.java
License:Open Source License
/** Returns the 'NameRegistrationAuthorities' defined in the QCStatement extension (rfc3739). * //from w ww.j a va 2s . com * @param cert Certificate containing the extension * @return String with for example 'rfc822Name=foo2bar.se, rfc822Name=bar2foo.se' etc. Supports email, dns and uri name, or null of no RAs are found. * @throws IOException if there is a problem parsing the certificate */ public static String getQcStatementAuthorities(final Certificate cert) throws IOException { String ret = null; if (cert instanceof X509Certificate) { final X509Certificate x509cert = (X509Certificate) cert; final DERObject obj = getExtensionValue(x509cert, X509Extensions.QCStatements.getId()); if (obj == null) { return null; } final ASN1Sequence seq = (ASN1Sequence) obj; SemanticsInformation si = null; // Look through all the QCStatements and see if we have a standard RFC3739 pkixQCSyntax for (int i = 0; i < seq.size(); i++) { final QCStatement qc = QCStatement.getInstance(seq.getObjectAt(i)); final DERObjectIdentifier oid = qc.getStatementId(); if ((oid != null) && (oid.equals(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v1) || oid.equals(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v2))) { // We MAY have a SemanticsInformation object here final ASN1Encodable enc = qc.getStatementInfo(); if (enc != null) { si = SemanticsInformation.getInstance(enc); // We can break the loop now, we got it! break; } } } if (si != null) { final GeneralName[] gns = si.getNameRegistrationAuthorities(); if (gns == null) { return null; } final StringBuilder strBuf = new StringBuilder(); for (int i = 0; i < gns.length; i++) { final GeneralName gn = gns[i]; if (strBuf.length() != 0) { // Append comma so we get nice formatting if there are more than one authority strBuf.append(", "); } final String str = getGeneralNameString(gn.getTagNo(), gn.getName()); if (str != null) { strBuf.append(str); } } if (strBuf.length() > 0) { ret = strBuf.toString(); } } } return ret; }
From source file:org.ejbca.util.CertToolsTest.java
License:Open Source License
public void test14QCStatement() throws Exception { Certificate cert = CertTools.getCertfromByteArray(qcRefCert); // log.debug(cert); assertEquals("rfc822name=municipality@darmstadt.de", QCStatementExtension.getQcStatementAuthorities(cert)); Collection<String> ids = QCStatementExtension.getQcStatementIds(cert); assertTrue(ids.contains(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v2.getId())); Certificate cert2 = CertTools.getCertfromByteArray(qcPrimeCert); assertEquals("rfc822name=qc@primekey.se", QCStatementExtension.getQcStatementAuthorities(cert2)); ids = QCStatementExtension.getQcStatementIds(cert2); assertTrue(ids.contains(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v1.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_QcCompliance.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_QcSSCD.getId())); assertTrue(ids.contains(ETSIQCObjectIdentifiers.id_etsi_qcs_LimiteValue.getId())); String limit = QCStatementExtension.getQcStatementValueLimit(cert2); assertEquals("50000 SEK", limit); }