Usage examples for org.bouncycastle.asn1.x509.X509CertificateStructure#getTBSCertificate()
public TBSCertificateStructure getTBSCertificate()
From source file:com.yacme.ext.oxsit.cust_it.comp.security.cert.CertificateComplianceCA_IT.java
License:Open Source License
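/**
 * Checks a CA certificate for compliance and records the outcome in
 * {@code m_aCertificateState}, {@code m_aCAState}, {@code m_aCertStateConds} and the
 * per-element error states of the wrapped {@code XOX_X509Certificate}.
 *
 * <p>Checks run in this order; a hard failure returns immediately:
 * <ol>
 *   <li>the certificate version must be 3 (otherwise {@code MALFORMED_CERTIFICATE});</li>
 *   <li>the validity period is checked against the current time; an expired or
 *       not-yet-valid certificate is flagged but processing continues, and an expired
 *       one additionally goes through {@code verifyCertifRevocHelper()};</li>
 *   <li>the TBSCertificate is re-parsed with Bouncy Castle and the unique-identifier
 *       fields ({@code isOKUniqueIds}) and the issuer name ({@code isIssuerIdOk}) are
 *       validated.</li>
 * </ol>
 * The KeyUsage and qcStatements checks applied by {@code CertificateCompliance_IT} are
 * not performed here (they were commented out in this class).
 *
 * @param _xFrame     the frame the check runs from; stored in {@code m_xFrame}
 * @param _xComponent a component implementing {@code XOX_X509Certificate}
 * @return the resulting state (the same value is left in {@code m_aCertificateState})
 * @throws IllegalArgumentException if {@code _xComponent} does not implement
 *         {@code XOX_X509Certificate}
 * @throws Exception a {@code com.sun.star.uno.Exception} when the certificate cannot be
 *         parsed; the state is set to {@code MALFORMED_CERTIFICATE} before throwing
 */
@Override
public CertificateState verifyCertificateCompliance(XFrame _xFrame, Object _xComponent)
        throws IllegalArgumentException, Exception {
    m_xFrame = _xFrame;
    m_xQc = (XOX_X509Certificate) UnoRuntime.queryInterface(XOX_X509Certificate.class, _xComponent);
    if (m_xQc == null) {
        throw new IllegalArgumentException(
                "XOX_CertificateComplianceControlProcedure#verifyCertificateCertificateCompliance wrong argument");
    }
    m_aCertificateState = CertificateState.OK;

    // Java representation: version and validity-period checks.
    try {
        m_JavaCert = Helpers.getCertificate(m_xQc);
        m_aCAState = CertificationAuthorityState.TRUSTED;
        // Only v3 certificates carry the extensions the remaining checks rely on.
        if (m_JavaCert.getVersion() != 3) {
            m_xQc.setCertificateElementErrorState(GlobConstant.m_sX509_CERTIFICATE_VERSION,
                    CertificateElementState.INVALID_value);
            setCertificateStateHelper(CertificateState.MALFORMED_CERTIFICATE);
            return m_aCertificateState;
        }
        try {
            m_JavaCert.checkValidity();
            // Inside the validity period: no revocation control is required at this point.
            m_aCertStateConds = CertificateStateConditions.REVOCATION_CONTROL_NOT_NEEDED;
        } catch (CertificateExpiredException e) {
            m_xQc.setCertificateElementErrorState(GlobConstant.m_sX509_CERTIFICATE_NOT_AFTER,
                    CertificateElementState.INVALID_value);
            setCertificateStateHelper(CertificateState.EXPIRED);
            m_aCAState = CertificationAuthorityState.TRUSTED_WITH_WARNING;
            m_xQc.getCertificateDisplayObj().setCertificateElementCommentString(
                    CertificateElementID.NOT_AFTER, "The date is elapsed.");
            // Revocation check of the expired certificate. The original comment said this
            // was disabled because of excessive time-outs, but the call is active.
            verifyCertifRevocHelper();
        } catch (CertificateNotYetValidException e) {
            m_xQc.setCertificateElementErrorState(GlobConstant.m_sX509_CERTIFICATE_NOT_BEFORE,
                    CertificateElementState.INVALID_value);
            setCertificateStateHelper(CertificateState.NOT_ACTIVE);
            m_aCAState = CertificationAuthorityState.TRUSTED_WITH_WARNING;
            m_xQc.getCertificateDisplayObj().setCertificateElementCommentString(
                    CertificateElementID.NOT_BEFORE, "The date is not yet arrived.");
        }
        // The KeyUsage (critical non-repudiation) check is not applied to CA certificates.
    } catch (CertificateException e) {
        m_aLogger.severe(e);
        setCertificateStateHelper(CertificateState.MALFORMED_CERTIFICATE);
        // UNO exceptions cannot carry a cause; keep the original exception text instead.
        throw new com.sun.star.uno.Exception(" wrapped exception: " + e);
    }

    // Bouncy Castle representation: structural checks on the TBSCertificate.
    ASN1InputStream aderin = new ASN1InputStream(
            new ByteArrayInputStream(m_xQc.getCertificateAttributes().getDEREncoded()));
    try {
        try {
            DERObject ado = aderin.readObject();
            // getInstance() validates the top-level structure instead of a blind
            // ASN1Sequence cast; a non-certificate blob ends up as MALFORMED below.
            X509CertificateStructure x509Str = X509CertificateStructure.getInstance(ado);
            TBSCertificateStructure xTBSCert = x509Str.getTBSCertificate();
            // Unique-identifier fields, ETSI TS 102 280 5.3 (rule implemented by isOKUniqueIds).
            if (!isOKUniqueIds(xTBSCert)) {
                setCertificateStateHelper(CertificateState.CORE_CERTIFICATE_ELEMENT_INVALID);
                return m_aCertificateState;
            }
            if (!isIssuerIdOk(xTBSCert)) {
                m_xQc.setCertificateElementErrorState("IssuerName", CertificateElementState.INVALID_value);
                setCertificateStateHelper(CertificateState.NOT_COMPLIANT);
            }
            // The qcStatements check (hasQcStatements) is not applied to CA certificates.
        } finally {
            aderin.close();
        }
    } catch (java.io.IOException e) {
        m_aLogger.severe(e);
        setCertificateStateHelper(CertificateState.MALFORMED_CERTIFICATE);
        throw new com.sun.star.uno.Exception(" wrapped exception: " + e);
    } catch (java.lang.Exception e) {
        m_aLogger.severe(e);
        setCertificateStateHelper(CertificateState.MALFORMED_CERTIFICATE);
        throw new com.sun.star.uno.Exception(" wrapped exception: " + e);
    }
    return m_aCertificateState;
}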
From source file:com.yacme.ext.oxsit.cust_it.comp.security.cert.CertificateCompliance_IT.java
License:Open Source License
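/**
 * Checks an end-entity certificate for compliance and records the outcome in
 * {@code m_aCertificateState} and the per-element error states of the wrapped
 * {@code XOX_X509Certificate}.
 *
 * <p>Checks run in this order; a hard failure returns immediately:
 * <ol>
 *   <li>the certificate version must be 3 (otherwise {@code MALFORMED_CERTIFICATE});</li>
 *   <li>the validity period is checked against the current time; an expired or
 *       not-yet-valid certificate is flagged but processing continues;</li>
 *   <li>the KeyUsage extension must mark non-repudiation as critical
 *       ({@code isKeyUsageNonRepudiationCritical}), otherwise {@code NOT_COMPLIANT};</li>
 *   <li>the TBSCertificate is re-parsed with Bouncy Castle and the unique-identifier
 *       fields ({@code isOKUniqueIds}), the issuer name ({@code isIssuerIdOk}) and the
 *       presence of qcStatements ({@code hasQcStatements}) are validated.</li>
 * </ol>
 *
 * @param _xFrame the frame the check runs from (not used by this implementation)
 * @param arg0    a component implementing {@code XOX_X509Certificate}
 * @return the resulting state (the same value is left in {@code m_aCertificateState})
 * @throws IllegalArgumentException if {@code arg0} does not implement
 *         {@code XOX_X509Certificate}
 * @throws Exception a {@code com.sun.star.uno.Exception} when the certificate cannot be
 *         parsed; the state is set to {@code MALFORMED_CERTIFICATE} before throwing
 */
@Override
public CertificateState verifyCertificateCompliance(XFrame _xFrame, Object arg0)
        throws IllegalArgumentException, Exception {
    m_xQc = (XOX_X509Certificate) UnoRuntime.queryInterface(XOX_X509Certificate.class, arg0);
    if (m_xQc == null) {
        throw new IllegalArgumentException(
                "XOX_CertificateComplianceProcedure#verifyCertificateCertificateCompliance wrong argument");
    }
    m_aCertificateState = CertificateState.OK;
    m_aLogger.log("verifyCertificateCompliance");

    // Java representation: version, validity-period and KeyUsage checks.
    try {
        java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509");
        java.io.ByteArrayInputStream bais =
                new java.io.ByteArrayInputStream(m_xQc.getCertificateAttributes().getDEREncoded());
        m_JavaCert = (java.security.cert.X509Certificate) cf.generateCertificate(bais);
        // Only v3 certificates carry the extensions the remaining checks rely on.
        if (m_JavaCert.getVersion() != 3) {
            m_xQc.setCertificateElementErrorState(GlobConstant.m_sX509_CERTIFICATE_VERSION,
                    CertificateElementState.INVALID_value);
            setCertificateStateHelper(CertificateState.MALFORMED_CERTIFICATE);
            m_xQc.getCertificateDisplayObj().setCertificateElementCommentString(
                    CertificateElementID.VERSION, "Version MUST be V3");
            return m_aCertificateState;
        }
        try {
            m_JavaCert.checkValidity();
        } catch (CertificateExpiredException e) {
            m_xQc.setCertificateElementErrorState(GlobConstant.m_sX509_CERTIFICATE_NOT_AFTER,
                    CertificateElementState.INVALID_value);
            setCertificateStateHelper(CertificateState.EXPIRED);
            m_xQc.getCertificateDisplayObj().setCertificateElementCommentString(
                    CertificateElementID.NOT_AFTER, "The date is elapsed.");
        } catch (CertificateNotYetValidException e) {
            m_xQc.setCertificateElementErrorState(GlobConstant.m_sX509_CERTIFICATE_NOT_BEFORE,
                    CertificateElementState.INVALID_value);
            setCertificateStateHelper(CertificateState.NOT_ACTIVE);
            m_xQc.getCertificateDisplayObj().setCertificateElementCommentString(
                    CertificateElementID.NOT_BEFORE, "The date is not yet arrived.");
        }
        // KeyUsage: the element state is always written, OK or INVALID.
        int keyUsageState = CertificateElementState.OK_value;
        if (!isKeyUsageNonRepudiationCritical(m_JavaCert)) {
            keyUsageState = CertificateElementState.INVALID_value;
            setCertificateStateHelper(CertificateState.NOT_COMPLIANT);
        }
        m_xQc.setCertificateElementErrorState(X509Extensions.KeyUsage.getId(), keyUsageState);
    } catch (CertificateException e) {
        m_aLogger.severe(e);
        setCertificateStateHelper(CertificateState.MALFORMED_CERTIFICATE);
        // UNO exceptions cannot carry a cause; keep the original exception text instead.
        throw new com.sun.star.uno.Exception(" wrapped exception: " + e);
    }

    // Bouncy Castle representation: structural checks on the TBSCertificate.
    ASN1InputStream aderin = new ASN1InputStream(
            new ByteArrayInputStream(m_xQc.getCertificateAttributes().getDEREncoded()));
    try {
        try {
            DERObject ado = aderin.readObject();
            // getInstance() validates the top-level structure instead of a blind
            // ASN1Sequence cast; a non-certificate blob ends up as MALFORMED below.
            X509CertificateStructure x509Str = X509CertificateStructure.getInstance(ado);
            TBSCertificateStructure xTBSCert = x509Str.getTBSCertificate();
            // Unique-identifier fields, ETSI TS 102 280 5.3 (rule implemented by isOKUniqueIds).
            if (!isOKUniqueIds(xTBSCert)) {
                setCertificateStateHelper(CertificateState.CORE_CERTIFICATE_ELEMENT_INVALID);
                return m_aCertificateState;
            }
            if (!isIssuerIdOk(xTBSCert)) {
                m_xQc.setCertificateElementErrorState("IssuerName", CertificateElementState.INVALID_value);
                setCertificateStateHelper(CertificateState.NOT_COMPLIANT);
            }
            // hasQcStatements records the error state itself when the statements are missing.
            if (!hasQcStatements(xTBSCert)) {
                return m_aCertificateState;
            }
        } finally {
            aderin.close();
        }
    } catch (java.io.IOException e) {
        m_aLogger.severe(e);
        setCertificateStateHelper(CertificateState.MALFORMED_CERTIFICATE);
        throw new com.sun.star.uno.Exception(" wrapped exception: " + e);
    } catch (java.lang.Exception e) {
        m_aLogger.severe(e);
        setCertificateStateHelper(CertificateState.MALFORMED_CERTIFICATE);
        throw new com.sun.star.uno.Exception(" wrapped exception: " + e);
    }
    return m_aCertificateState;
}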
From source file:com.yacme.ext.oxsit.pkcs11.PKCS11Driver.java
License:Open Source License
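/**
 * Finds, on the token, the certificate object matching the one passed as parameter.
 *
 * <p>The search template matches on object class, the DER-encoded subject, the
 * DER-encoded issuer and the serial number. The serial number is matched on the bare
 * integer octets (the content of the DER INTEGER, without tag and length): the
 * original author's attempts with the full DER encoding are annotated "no" in the
 * history, which suggests the tokens in use store the bare octets — confirm against
 * the target token. Previously a fixed 3-byte slice of the DER encoding was used,
 * which only worked for 3-byte serial numbers and threw for shorter ones.
 *
 * <p>Only the first handle returned by the token is used; its serial number, label
 * and id are read back for debug logging only.
 *
 * @param _aCertificate the certificate to look up; {@code null} yields -1
 * @return the handle of the certificate, or -1 if not found or if no session is open
 * @throws PKCS11Exception on a PKCS#11 error reported by the module
 * @throws CertificateEncodingException if {@code _aCertificate} cannot be encoded
 * @throws IOException if the certificate encoding cannot be parsed
 */
public long findCertificate(X509Certificate _aCertificate)
        throws PKCS11Exception, CertificateEncodingException, IOException {
    long sessionHandle = getSession();
    long certificateHandle = -1L;
    if (sessionHandle < 0 || _aCertificate == null) {
        return -1L;
    }
    m_aLogger.debug("find certificate.");

    // Re-parse with Bouncy Castle: the template needs the DER encodings of subject,
    // issuer and serial number exactly as they appear in the certificate.
    ASN1InputStream aderin = new ASN1InputStream(new ByteArrayInputStream(_aCertificate.getEncoded()));
    X509CertificateStructure aX509;
    try {
        DERObject ado = aderin.readObject();
        aX509 = X509CertificateStructure.getInstance(ado);
    } finally {
        aderin.close();
    }

    // Bare serial-number octets: the DER INTEGER content is the minimal two's-complement
    // form, which is exactly what BigInteger.toByteArray() produces.
    byte[] sn = aX509.getTBSCertificate().getSerialNumber().getValue().toByteArray();

    CK_ATTRIBUTE[] attributeTemplateList = new CK_ATTRIBUTE[4];
    attributeTemplateList[0] = new CK_ATTRIBUTE();
    attributeTemplateList[0].type = PKCS11Constants.CKA_CLASS;
    attributeTemplateList[0].pValue = Long.valueOf(PKCS11Constants.CKO_CERTIFICATE);
    attributeTemplateList[1] = new CK_ATTRIBUTE();
    attributeTemplateList[1].type = PKCS11Constants.CKA_SUBJECT;
    attributeTemplateList[1].pValue = aX509.getTBSCertificate().getSubject().getDEREncoded();
    attributeTemplateList[2] = new CK_ATTRIBUTE();
    attributeTemplateList[2].type = PKCS11Constants.CKA_ISSUER;
    attributeTemplateList[2].pValue = aX509.getTBSCertificate().getIssuer().getDEREncoded();
    attributeTemplateList[3] = new CK_ATTRIBUTE();
    attributeTemplateList[3].type = PKCS11Constants.CKA_SERIAL_NUMBER;
    attributeTemplateList[3].pValue = sn;

    pkcs11Module.C_FindObjectsInit(sessionHandle, attributeTemplateList);
    try {
        long[] availableCertificates = pkcs11Module.C_FindObjects(sessionHandle, 100); // at most 100 at once
        if (availableCertificates == null || availableCertificates.length == 0) {
            m_aLogger.log("null returned - no certificate found");
        } else {
            m_aLogger.debug("found " + availableCertificates.length + " certificates with matching attributes.");
            // The first object found is taken as our certificate.
            certificateHandle = availableCertificates[0];
            if (certificateHandle > 0L) {
                logCertificateAttributes(sessionHandle, certificateHandle);
            }
            for (int i = 0; i < availableCertificates.length; i++) {
                m_aLogger.debug("certificate " + i);
            }
        }
    } finally {
        // Always close the search: a failed C_FindObjects would otherwise leave the
        // find operation active on the session and break later C_FindObjectsInit calls.
        pkcs11Module.C_FindObjectsFinal(sessionHandle);
    }
    return certificateHandle;
}

/**
 * Reads CKA_SERIAL_NUMBER, CKA_LABEL and CKA_ID of a token object and writes them to
 * the debug log. Diagnostic only; attributes the token does not return are skipped.
 *
 * @param sessionHandle     the open session
 * @param certificateHandle the object to inspect
 * @throws PKCS11Exception on a PKCS#11 error reported by the module
 */
private void logCertificateAttributes(long sessionHandle, long certificateHandle) throws PKCS11Exception {
    CK_ATTRIBUTE[] readBack = new CK_ATTRIBUTE[3];
    readBack[0] = new CK_ATTRIBUTE();
    readBack[0].type = PKCS11Constants.CKA_SERIAL_NUMBER;
    readBack[1] = new CK_ATTRIBUTE();
    readBack[1].type = PKCS11Constants.CKA_LABEL;
    readBack[2] = new CK_ATTRIBUTE();
    readBack[2].type = PKCS11Constants.CKA_ID;
    pkcs11Module.C_GetAttributeValue(sessionHandle, certificateHandle, readBack);
    if (readBack[0].pValue != null) {
        m_aLogger.debug("CKA_SERIAL_NUMBER " + Helpers.printHexBytes((byte[]) readBack[0].pValue));
    }
    if (readBack[1].pValue != null) {
        String aLabel = new String((char[]) readBack[1].pValue);
        m_aLogger.debug("CKA_LABEL '" + aLabel + "'");
    }
    if (readBack[2].pValue != null) {
        m_aLogger.debug("CKA_ID " + Helpers.printHexBytes((byte[]) readBack[2].pValue));
    }
}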
From source file:ec.rubrica.util.BouncyCastleUtils.java
License:Open Source License
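/**
 * Tells whether {@code cert} carries a certificate policy whose OID equals
 * {@code sOid} or lies under the arc {@code sOid} (a trailing dot on {@code sOid}
 * is accepted). A bare prefix test is deliberately not used: it would let
 * {@code "1.2.3"} match the unrelated policy {@code "1.2.34"}.
 *
 * <p>Only v3 certificates carry extensions; other versions yield {@code false}.
 * Parse errors are logged and reported as {@code false} (best effort).
 *
 * @param cert the certificate to inspect
 * @param sOid a dotted policy OID, or the OID of an arc
 * @return {@code true} if a matching policy identifier is present
 */
public static boolean certificateHasPolicy(X509Certificate cert, String sOid) {
    try {
        logger.fine("Read cert policies: " + cert.getSerialNumber().toString());
        ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cert.getEncoded()));
        TBSCertificateStructure tbsCert;
        try {
            tbsCert = X509CertificateStructure.getInstance(aIn.readObject()).getTBSCertificate();
        } finally {
            aIn.close();
        }
        if (tbsCert.getVersion() != 3) {
            return false;
        }
        X509Extensions ext = tbsCert.getExtensions();
        if (ext == null) {
            return false;
        }
        // Only certificatePolicies is of interest: look it up directly instead of
        // decoding the value of every extension.
        X509Extension extVal = ext.getExtension(X509Extension.certificatePolicies);
        if (extVal == null) {
            return false;
        }
        ASN1InputStream extIn = new ASN1InputStream(new ByteArrayInputStream(extVal.getValue().getOctets()));
        ASN1Sequence cp;
        try {
            cp = (ASN1Sequence) extIn.readObject();
        } finally {
            extIn.close();
        }
        for (int i = 0; i != cp.size(); i++) {
            PolicyInformation pol = PolicyInformation.getInstance(cp.getObjectAt(i));
            String soid2 = pol.getPolicyIdentifier().getId();
            logger.fine("Policy: " + soid2);
            if (policyOidMatches(soid2, sOid)) {
                return true;
            }
        }
    } catch (Exception ex) {
        logger.severe("Error reading cert policies: " + ex);
    }
    return false;
}

/**
 * Matches a policy OID against a wanted OID or arc: equal, or a descendant of the arc.
 *
 * @param policyOid the dotted OID found in the certificate
 * @param wanted    the dotted OID or arc asked for (optionally ending with a dot)
 * @return {@code true} for an exact match or a sub-arc match
 */
private static boolean policyOidMatches(String policyOid, String wanted) {
    if (policyOid.equals(wanted)) {
        return true;
    }
    String arc = wanted.endsWith(".") ? wanted : wanted + ".";
    return policyOid.startsWith(arc);
}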
From source file:org.mailster.core.crypto.CertificateUtilities.java
License:Open Source License
/**
 * Returns the extensions block of {@code cert}, decoded through Bouncy Castle.
 *
 * @param cert the certificate whose TBSCertificate is inspected
 * @return the parsed {@code X509Extensions}; may be {@code null} when the certificate
 *         carries no extensions
 * @throws Exception if the certificate cannot be encoded or its DER cannot be parsed
 */
public static X509Extensions getExtensions(X509Certificate cert) throws Exception {
    byte[] der = cert.getEncoded();
    ASN1InputStream parser = new ASN1InputStream(new ByteArrayInputStream(der));
    DERObject parsed = parser.readObject();
    X509CertificateStructure certStruct = X509CertificateStructure.getInstance(parsed);
    return certStruct.getTBSCertificate().getExtensions();
}