Example usage for org.bouncycastle.asn1.x509 TBSCertificateStructure getSubject

List of usage examples for org.bouncycastle.asn1.x509 TBSCertificateStructure getSubject

Introduction

This page collects usage examples of org.bouncycastle.asn1.x509 TBSCertificateStructure getSubject.

Prototype

public X500Name getSubject() 

Usage

From source file:org.globus.gsi.bc.BouncyCastleUtil.java

License:Apache License

/**
 * Returns the certificate type of {@code crt}, additionally classifying an
 * EEC whose subject DN is present in the trusted-certificate store as a CA.
 *
 * @param crt the TBS certificate to classify.
 * @param trustedCerts the trusted certificates to consult; when {@code null}
 *        the default set from
 *        {@link TrustedCertificates#getDefaultTrustedCertificates()} is used
 *        (which may itself be {@code null}, in which case no lookup happens).
 * @return the certificate type.
 * @throws CertificateException propagated from
 *         {@link #getCertificateType(TBSCertificateStructure)}.
 * @throws IOException propagated from
 *         {@link #getCertificateType(TBSCertificateStructure)}.
 */
public static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt,
        TrustedCertificates trustedCerts) throws CertificateException, IOException {
    GSIConstants.CertificateType type = getCertificateType(crt);
    if (type != GSIConstants.CertificateType.EEC) {
        return type;
    }

    TrustedCertificates store = trustedCerts;
    if (store == null) {
        store = TrustedCertificates.getDefaultTrustedCertificates();
    }
    if (store == null) {
        return type;
    }

    // A certificate whose subject DN is in the trusted store counts as a CA
    // even without a BasicConstraints extension. The lookup is keyed by the
    // DN string only, so two certificates sharing a subject DN are
    // indistinguishable at this point.
    boolean subjectIsTrusted = store.getCertificate(crt.getSubject().toString()) != null;
    return subjectIsTrusted ? GSIConstants.CertificateType.CA : type;
}

From source file:org.globus.gsi.bc.BouncyCastleUtil.java

License:Apache License

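/**
 * Returns the certificate type of the given TBS certificate.
 * <p>
 * Classification order, as implemented below:
 * <ol>
 * <li>{@link GSIConstants.CertificateType#CA} if the certificate carries a
 *     BasicConstraints extension with the CA flag set. This is the
 *     <b>only</b> way a certificate is classified as a CA here.</li>
 * <li>Otherwise the last RDN of the subject DN is examined; only its first
 *     AVA is considered (multi-valued RDNs are not handled). If that AVA is
 *     not a {@code CN}, the type is {@link GSIConstants.CertificateType#EEC}.</li>
 * <li>A {@code CN} equal to {@code "proxy"} or {@code "limited proxy"}
 *     (case-insensitive) gives a GSI-2 proxy:
 *     {@link GSIConstants.CertificateType#GSI_2_PROXY} or
 *     {@link GSIConstants.CertificateType#GSI_2_LIMITED_PROXY}.</li>
 * <li>Any other {@code CN} is a GSI-4 proxy when the certificate carries a
 *     {@link ProxyCertInfo} extension under {@link ProxyCertInfo#OID}, or a
 *     GSI-3 proxy when it carries one under {@link ProxyCertInfo#OLD_OID}.
 *     The policy language of its {@link ProxyPolicy} selects the
 *     {@code IMPERSONATION}, {@code INDEPENDENT} or {@code LIMITED} variant
 *     of that generation, and any other OID the {@code RESTRICTED} variant.
 *     The extension must be marked critical.</li>
 * <li>With neither ProxyCertInfo OID present the type is
 *     {@link GSIConstants.CertificateType#EEC}.</li>
 * </ol>
 * For every proxy type the issuer DN must equal the subject DN with its last
 * RDN removed. That is a name-chaining check only; the certificate signature
 * is not verified by this method.
 *
 * @param crt the TBS certificate to classify.
 * @return the certificate type determined by the rules above.
 * @throws IOException propagated from decoding of the extension values.
 * @throws CertificateException for proxy certificates whose issuer DN does
 *         not match the subject DN without the last {@code CN} component,
 *         and for GSI-3/GSI-4 proxies whose ProxyCertInfo extension is not
 *         marked critical.
 */
private static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt)
        throws CertificateException, IOException {
    X509Extensions extensions = crt.getExtensions();

    // BasicConstraints with cA=TRUE takes precedence over every other rule.
    if (extensions != null && hasCaBasicConstraints(extensions)) {
        return GSIConstants.CertificateType.CA;
    }

    // Only the first AVA of the last RDN is inspected (multi-valued RDNs are not handled).
    X500Name subject = crt.getSubject();
    ASN1Set lastRdn = X509NameHelper.getLastNameEntry(subject);
    ASN1Sequence ava = (ASN1Sequence) lastRdn.getObjectAt(0);
    if (!BCStyle.CN.equals(ava.getObjectAt(0))) {
        return GSIConstants.CertificateType.EEC;
    }

    String cn = ((ASN1String) ava.getObjectAt(1)).getString();
    GSIConstants.CertificateType type;
    if (cn.equalsIgnoreCase("proxy")) {
        type = GSIConstants.CertificateType.GSI_2_PROXY;
    } else if (cn.equalsIgnoreCase("limited proxy")) {
        type = GSIConstants.CertificateType.GSI_2_LIMITED_PROXY;
    } else {
        type = classifyByProxyCertInfo(extensions);
    }

    if (ProxyCertificateUtil.isProxy(type)) {
        checkProxyIssuerName(crt, subject, lastRdn);
    }
    return type;
}

/** True when a BasicConstraints extension is present and marks the certificate as a CA. */
private static boolean hasCaBasicConstraints(X509Extensions extensions) {
    X509Extension ext = extensions.getExtension(X509Extension.basicConstraints);
    return ext != null && BasicConstraints.getInstance(ext).isCA();
}

/**
 * Classifies a certificate whose last CN is neither "proxy" nor "limited proxy"
 * by its ProxyCertInfo extension: {@link ProxyCertInfo#OID} selects the GSI-4
 * types, the legacy {@link ProxyCertInfo#OLD_OID} the GSI-3 types.
 *
 * @param extensions the certificate extensions, may be {@code null}.
 * @return the proxy type, or {@link GSIConstants.CertificateType#EEC} when no
 *         ProxyCertInfo extension is present.
 * @throws CertificateException if the ProxyCertInfo extension is not critical.
 * @throws IOException propagated from decoding the extension value.
 */
private static GSIConstants.CertificateType classifyByProxyCertInfo(X509Extensions extensions)
        throws CertificateException, IOException {
    if (extensions == null) {
        return GSIConstants.CertificateType.EEC;
    }

    boolean gsi4 = true;
    X509Extension ext = extensions.getExtension(ProxyCertInfo.OID);
    if (ext == null) {
        // Fall back to the legacy OID, which marks a GSI-3 proxy.
        ext = extensions.getExtension(ProxyCertInfo.OLD_OID);
        gsi4 = false;
    }
    if (ext == null) {
        return GSIConstants.CertificateType.EEC;
    }

    // RFC 3820 requires ProxyCertInfo to be critical; a non-critical one
    // could be silently ignored by validators that skip unknown extensions,
    // so it is rejected before the value is even decoded.
    if (!ext.isCritical()) {
        String err = i18n.getMessage("proxyCertCritical");
        throw new CertificateException(err);
    }

    ProxyCertInfo proxyCertExt = getProxyCertInfo(ext);
    ProxyPolicy proxyPolicy = proxyCertExt.getProxyPolicy();
    return policyLanguageType(gsi4, proxyPolicy.getPolicyLanguage());
}

/**
 * Maps a ProxyPolicy language OID to the GSI-3 or GSI-4 proxy type.
 * Any OID other than IMPERSONATION, INDEPENDENT or LIMITED yields the
 * RESTRICTED type of the requested generation.
 */
private static GSIConstants.CertificateType policyLanguageType(boolean gsi4, ASN1ObjectIdentifier oid) {
    if (ProxyPolicy.IMPERSONATION.equals(oid)) {
        return gsi4 ? GSIConstants.CertificateType.GSI_4_IMPERSONATION_PROXY
                    : GSIConstants.CertificateType.GSI_3_IMPERSONATION_PROXY;
    }
    if (ProxyPolicy.INDEPENDENT.equals(oid)) {
        return gsi4 ? GSIConstants.CertificateType.GSI_4_INDEPENDENT_PROXY
                    : GSIConstants.CertificateType.GSI_3_INDEPENDENT_PROXY;
    }
    if (ProxyPolicy.LIMITED.equals(oid)) {
        return gsi4 ? GSIConstants.CertificateType.GSI_4_LIMITED_PROXY
                    : GSIConstants.CertificateType.GSI_3_LIMITED_PROXY;
    }
    return gsi4 ? GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY
                : GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY;
}

/**
 * Checks that the issuer DN plus the subject's last RDN equals the subject DN,
 * i.e. that the proxy is (by name) issued by the entity it extends. This is a
 * name-chaining check only and does not verify the certificate signature.
 *
 * @param crt the proxy certificate being classified.
 * @param subject its subject DN.
 * @param lastRdn the last RDN of {@code subject}, as returned by
 *        {@link X509NameHelper#getLastNameEntry}.
 * @throws CertificateException if the names do not chain.
 * @throws IOException propagated from duplicating the RDN.
 */
private static void checkProxyIssuerName(TBSCertificateStructure crt, X500Name subject, ASN1Set lastRdn)
        throws CertificateException, IOException {
    X509NameHelper expected = new X509NameHelper(crt.getIssuer());
    expected.add((ASN1Set) BouncyCastleUtil.duplicate(lastRdn));
    X509Name expectedSubject = expected.getAsName();
    if (!expectedSubject.equals(X509Name.getInstance(subject))) {
        String err = i18n.getMessage("proxyDNErr");
        throw new CertificateException(err);
    }
}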

From source file:org.globus.gsi.trustmanager.X509ProxyCertPathValidator.java

License:Apache License

/**
 * Rejects an issuer certificate whose KeyUsage extension is present but does
 * not assert {@code keyCertSign}. A {@code null} result from
 * {@link CertificateUtil#getKeyUsage} (no KeyUsage extension) passes.
 *
 * @param issuer the TBS certificate of the issuing CA.
 * @throws CertPathValidatorException if KeyUsage is present without {@code KEY_CERTSIGN}.
 * @throws IOException propagated from {@link CertificateUtil#getKeyUsage}.
 */
protected void checkKeyUsage(TBSCertificateStructure issuer) throws CertPathValidatorException, IOException {
    EnumSet<KeyUsage> usage = CertificateUtil.getKeyUsage(issuer);
    if (usage == null) {
        // No KeyUsage extension: the certificate is not restricted by it.
        return;
    }
    if (usage.contains(KeyUsage.KEY_CERTSIGN)) {
        return;
    }
    throw new CertPathValidatorException(
            "Certificate " + issuer.getSubject() + " violated key usage policy.");
}

From source file:org.globus.gsi.util.CertificateUtil.java

License:Apache License

/**
 * Returns the certificate type of the given TBS certificate.
 * <p>
 * The type is {@link org.globus.gsi.GSIConstants.CertificateType#CA} <b>only</b>
 * when a BasicConstraints extension is present and marked as CA. Otherwise the
 * first AVA of the last RDN of the subject DN is examined (multi-valued RDNs
 * are not handled): when it is a {@code CN}, classification is delegated to
 * {@code processCN}, which distinguishes GSI-2 proxies ({@code CN=proxy},
 * {@code CN=limited proxy}) from GSI-3 proxies carrying a critical
 * {@link ProxyCertInfo} extension whose {@link ProxyPolicy} language selects
 * the impersonation, limited, independent or (any other OID) restricted
 * variant. Anything else is
 * {@link org.globus.gsi.GSIConstants.CertificateType#EEC}.
 *
 * @param crt the TBS certificate to classify.
 * @return the certificate type determined by the rules above.
 * @throws java.io.IOException if something goes wrong.
 * @throws java.security.cert.CertificateException for proxy certificates
 *         whose issuer DN does not match the subject DN without the last
 *         {@code CN} component, and for GSI-3 proxies whose ProxyCertInfo
 *         extension is not marked as critical.
 */
public static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt)
        throws CertificateException, IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions != null) {
        X509Extension basic = extensions.getExtension(X509Extension.basicConstraints);
        if (basic != null && getBasicConstraints(basic).isCA()) {
            return GSIConstants.CertificateType.CA;
        }
    }

    // Only the first AVA of the last RDN is consulted (multi-valued RDNs are not handled).
    X500Name subject = crt.getSubject();
    ASN1Set lastRdn = X509NameHelper.getLastNameEntry(subject);
    ASN1Sequence ava = (ASN1Sequence) lastRdn.getObjectAt(0);
    boolean lastIsCn = BCStyle.CN.equals(ava.getObjectAt(0));

    GSIConstants.CertificateType type = GSIConstants.CertificateType.EEC;
    return lastIsCn ? processCN(extensions, type, ava) : type;
}

From source file:org.globus.security.trustmanager.X509ProxyCertPathValidator.java

License:Apache License

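/**
 * Rejects an issuer certificate whose KeyUsage extension is present but does
 * not assert {@code keyCertSign}. A {@code null} or empty result from
 * {@link CertificateUtil#getKeyUsage} (no KeyUsage extension) passes.
 * <p>
 * The array is only indexed after its length has been checked against
 * {@link CertificateUtil#KEY_CERTSIGN}: DER bit strings may omit trailing
 * zero bits, so an array too short to reach that index means the bit is not
 * set and is treated as a violation instead of an
 * {@link ArrayIndexOutOfBoundsException}. Whether
 * {@code CertificateUtil.getKeyUsage} pads the array is not visible here.
 *
 * @param issuer the TBS certificate of the issuing CA.
 * @throws CertPathValidatorException if KeyUsage is present without {@code keyCertSign}.
 * @throws IOException propagated from {@link CertificateUtil#getKeyUsage}.
 */
protected void checkKeyUsage(TBSCertificateStructure issuer) throws CertPathValidatorException, IOException {
    boolean[] issuerKeyUsage = CertificateUtil.getKeyUsage(issuer);
    if (issuerKeyUsage == null || issuerKeyUsage.length == 0) {
        // No KeyUsage extension: the certificate is not restricted by it.
        return;
    }

    // A short array cannot assert keyCertSign; fail closed rather than
    // letting the index expression throw.
    boolean canSignCerts = issuerKeyUsage.length > CertificateUtil.KEY_CERTSIGN
            && issuerKeyUsage[CertificateUtil.KEY_CERTSIGN];
    if (!canSignCerts) {
        throw new CertPathValidatorException(
                "Certificate " + issuer.getSubject() + " violated key usage policy.");
    }
}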

From source file:org.globus.security.util.CertificateUtil.java

License:Apache License

/**
 * Returns the certificate type of the given TBS certificate.
 * <p>
 * The type is {@link org.globus.security.Constants.CertificateType#CA} <b>only</b>
 * when a BasicConstraints extension is present and marked as CA. Otherwise the
 * first AVA of the last RDN of the subject DN is examined (multi-valued RDNs
 * are not handled): when it is a {@code CN}, classification is delegated to
 * {@code processCN}, which distinguishes GSI-2 proxies ({@code CN=proxy},
 * {@code CN=limited proxy}) from GSI-3 proxies carrying a critical
 * {@link org.globus.security.proxyExtension.ProxyCertInfo} extension whose
 * {@link org.globus.security.proxyExtension.ProxyPolicy} language selects
 * the impersonation, limited, independent or (any other OID) restricted
 * variant. Anything else is
 * {@link org.globus.security.Constants.CertificateType#EEC}.
 *
 * @param crt the TBS certificate to classify.
 * @return the certificate type determined by the rules above.
 * @throws java.io.IOException if something goes wrong.
 * @throws java.security.cert.CertificateException for proxy certificates
 *         whose issuer DN does not match the subject DN without the last
 *         {@code CN} component, and for GSI-3 proxies whose ProxyCertInfo
 *         extension is not marked as critical.
 */
public static Constants.CertificateType getCertificateType(TBSCertificateStructure crt)
        throws CertificateException, IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions != null) {
        X509Extension basic = extensions.getExtension(X509Extensions.BasicConstraints);
        if (basic != null && getBasicConstraints(basic).isCA()) {
            return Constants.CertificateType.CA;
        }
    }

    // Only the first AVA of the last RDN is consulted (multi-valued RDNs are not handled).
    X509Name subject = crt.getSubject();
    ASN1Set lastRdn = X509NameHelper.getLastNameEntry(subject);
    ASN1Sequence ava = (ASN1Sequence) lastRdn.getObjectAt(0);
    boolean lastIsCn = X509Name.CN.equals(ava.getObjectAt(0));

    Constants.CertificateType type = Constants.CertificateType.EEC;
    return lastIsCn ? processCN(extensions, type, ava) : type;
}