List of usage examples for org.bouncycastle.asn1.x509 X509Extensions getExtension
public X509Extension getExtension(ASN1ObjectIdentifier oid)
From source file:org.globus.gsi.util.CertificateUtil.java
License:Apache License
/**
 * Classifies a TBS certificate as CA, end-entity, or one of the GSI proxy types.
 * <p>
 * Rules, applied in order:
 * <ol>
 * <li>{@link GSIConstants.CertificateType#CA} <b>only</b> when a BasicConstraints
 * extension is present and its CA flag is set. The extension's criticality is not
 * consulted.</li>
 * <li>Otherwise, when the last component of the subject DN is a {@code CN}, the CN value
 * selects the proxy type (see {@link #processCN}): {@code "proxy"} gives
 * {@link GSIConstants.CertificateType#GSI_2_PROXY}, {@code "limited proxy"} gives
 * {@link GSIConstants.CertificateType#GSI_2_LIMITED_PROXY}, and a <em>critical</em>
 * {@link ProxyCertInfo} extension is mapped to a GSI-3/GSI-4 proxy type by its policy
 * language ({@link ProxyPolicy#IMPERSONATION}, {@link ProxyPolicy#LIMITED},
 * {@link ProxyPolicy#INDEPENDENT}; any other OID is the restricted type).</li>
 * <li>{@link GSIConstants.CertificateType#EEC} in every other case.</li>
 * </ol>
 * Only the first AVA of the last RDN is inspected, so multi-valued RDNs are not handled.
 * Whether the issuer DN equals the subject DN minus the proxy CN is <em>not</em> verified
 * anywhere in this call chain; that is a path-validation concern.
 *
 * @param crt the TBS certificate to classify.
 * @return the certificate type selected by the rules above.
 * @throws IOException if an extension cannot be decoded.
 * @throws CertificateException if a {@link ProxyCertInfo} extension is present but is not
 *                              marked critical.
 */
public static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt)
        throws CertificateException, IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions != null) {
        X509Extension basicConstraints = extensions.getExtension(X509Extension.basicConstraints);
        // CA status rests solely on the BasicConstraints CA flag.
        if (basicConstraints != null && getBasicConstraints(basicConstraints).isCA()) {
            return GSIConstants.CertificateType.CA;
        }
    }

    // Look only at the first AVA of the last RDN; multi-valued RDNs are not handled.
    X500Name subject = crt.getSubject();
    ASN1Set lastRdn = X509NameHelper.getLastNameEntry(subject);
    ASN1Sequence firstAva = (ASN1Sequence) lastRdn.getObjectAt(0);
    if (!BCStyle.CN.equals(firstAva.getObjectAt(0))) {
        return GSIConstants.CertificateType.EEC;
    }
    // extensions may still be null here; processCN tolerates that.
    return processCN(extensions, GSIConstants.CertificateType.EEC, firstAva);
}
From source file:org.globus.gsi.util.CertificateUtil.java
License:Apache License
/**
 * Refines a certificate type using the value of the subject's trailing CN component.
 * <p>
 * A CN of {@code "proxy"} or {@code "limited proxy"} (case-insensitive) selects the GSI-2
 * proxy types without looking at any extension. Otherwise the {@link ProxyCertInfo}
 * extension is located — current OID first ({@code gsi4 == true}), legacy OID second —
 * and, when found, must be critical; its policy is then interpreted by
 * {@link #processCriticalExtension}. When neither the CN nor an extension applies,
 * {@code type} is returned unchanged.
 *
 * @param extensions the certificate's extensions; may be {@code null}.
 * @param type       the type to fall back to (the caller passes EEC).
 * @param ava        the {@code CN} attribute-value pair; element 1 must be an
 *                   {@link ASN1String}.
 * @return the refined certificate type.
 * @throws CertificateException if a ProxyCertInfo extension exists but is not critical.
 */
private static GSIConstants.CertificateType processCN(X509Extensions extensions,
        GSIConstants.CertificateType type, ASN1Sequence ava) throws CertificateException {
    String cn = ((ASN1String) ava.getObjectAt(1)).getString();
    if (cn.equalsIgnoreCase("proxy")) {
        return GSIConstants.CertificateType.GSI_2_PROXY;
    }
    if (cn.equalsIgnoreCase("limited proxy")) {
        return GSIConstants.CertificateType.GSI_2_LIMITED_PROXY;
    }
    if (extensions == null) {
        return type;
    }

    // Prefer the current ProxyCertInfo OID (GSI-4); fall back to the legacy one (GSI-3).
    boolean gsi4 = true;
    X509Extension proxyInfo = extensions.getExtension(ProxyCertInfo.OID);
    if (proxyInfo == null) {
        proxyInfo = extensions.getExtension(ProxyCertInfo.OLD_OID);
        gsi4 = false;
    }
    if (proxyInfo == null) {
        return type;
    }
    if (!proxyInfo.isCritical()) {
        // A non-critical ProxyCertInfo is rejected rather than silently classified as EEC.
        throw new CertificateException("proxyCertCritical");
    }
    return processCriticalExtension(proxyInfo, gsi4);
}
From source file:org.globus.gsi.util.CertificateUtil.java
License:Apache License
/**
 * Reads the KeyUsage extension of a TBS certificate.
 *
 * @param crt the TBS certificate to inspect.
 * @return the decoded key-usage set, or {@code null} when the certificate has no
 *         extensions at all or no KeyUsage extension. Callers must check for
 *         {@code null}; an absent KeyUsage is not reported as an empty set.
 * @throws IOException if the extension cannot be decoded.
 */
public static EnumSet<KeyUsage> getKeyUsage(TBSCertificateStructure crt) throws IOException {
    X509Extensions extensions = crt.getExtensions();
    X509Extension keyUsage =
            (extensions == null) ? null : extensions.getExtension(X509Extension.keyUsage);
    if (keyUsage == null) {
        return null;
    }
    return getKeyUsage(keyUsage);
}
From source file:org.globus.gsi.util.ProxyCertificateUtil.java
License:Apache License
/**
 * Extracts the {@link ProxyCertInfo} extension of a TBS certificate, if any.
 * <p>
 * The current OID is tried first and the legacy OID second, so a certificate carrying
 * both is read through the current one. The extension's criticality is not checked
 * here.
 *
 * @param crt the TBS certificate to inspect.
 * @return the decoded extension, or {@code null} when the certificate has no
 *         extensions or no ProxyCertInfo extension under either OID.
 * @throws IOException if the extension cannot be decoded.
 */
public static ProxyCertInfo getProxyCertInfo(TBSCertificateStructure crt) throws IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions == null) {
        return null;
    }
    X509Extension proxyInfo = extensions.getExtension(ProxyCertInfo.OID);
    if (proxyInfo == null) {
        proxyInfo = extensions.getExtension(ProxyCertInfo.OLD_OID);
    }
    return (proxyInfo == null) ? null : getProxyCertInfo(proxyInfo);
}
From source file:org.globus.security.trustmanager.X509ProxyCertPathValidator.java
License:Apache License
/**
 * Enforces the extension rules a proxy certificate must satisfy with respect to its issuer.
 * <p>
 * For each extension of {@code proxy}: a Subject or Issuer Alternative Name extension is
 * rejected outright, a BasicConstraints extension with the CA flag set is rejected, and a
 * KeyUsage extension is checked against the issuer via {@link #checkKeyUsage}. Extensions
 * under any other OID are not examined here. Afterwards every extension of {@code issuer}
 * is handed to {@link #checkExtension} together with the proxy's KeyUsage extension, or
 * {@code null} when the proxy has none.
 *
 * @param proxy        the proxy certificate being validated.
 * @param issuer       the certificate that signed {@code proxy}.
 * @param checkedProxy the same proxy as an {@link X509Certificate}; not used by this method.
 * @throws CertPathValidatorException if one of the rules above is violated.
 * @throws IOException if an extension cannot be decoded.
 */
@SuppressWarnings("unused")
protected void checkProxyConstraints(TBSCertificateStructure proxy, TBSCertificateStructure issuer,
        X509Certificate checkedProxy) throws CertPathValidatorException, IOException {
    X509Extension proxyKeyUsage = null;

    X509Extensions proxyExtensions = proxy.getExtensions();
    if (proxyExtensions != null) {
        for (Enumeration<?> oids = proxyExtensions.oids(); oids.hasMoreElements();) {
            DERObjectIdentifier oid = (DERObjectIdentifier) oids.nextElement();
            X509Extension extension = proxyExtensions.getExtension(oid);
            if (oid.equals(X509Extensions.SubjectAlternativeName)
                    || oid.equals(X509Extensions.IssuerAlternativeName)) {
                // Sections 3.2 & 3.5 (presumably RFC 3820): no alternative-name extensions on a proxy.
                throw new CertPathValidatorException(
                        "Proxy violation: no Subject or Issuer Alternative Name");
            }
            if (oid.equals(X509Extensions.BasicConstraints)) {
                // Section 3.8: a proxy must never assert CA.
                if (CertificateUtil.getBasicConstraints(extension).isCA()) {
                    throw new CertPathValidatorException(
                            "Proxy violation: Basic Constraint CA is set to true");
                }
            } else if (oid.equals(X509Extensions.KeyUsage)) {
                proxyKeyUsage = extension;
                checkKeyUsage(issuer, extension);
            }
        }
    }

    X509Extensions issuerExtensions = issuer.getExtensions();
    if (issuerExtensions != null) {
        for (Enumeration<?> oids = issuerExtensions.oids(); oids.hasMoreElements();) {
            DERObjectIdentifier oid = (DERObjectIdentifier) oids.nextElement();
            X509Extension issuerExtension = issuerExtensions.getExtension(oid);
            checkExtension(oid, issuerExtension, proxyKeyUsage);
        }
    }
}
From source file:org.globus.security.util.CertificateUtil.java
License:Apache License
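/**
 * Returns the BasicConstraints path-length constraint of a CA certificate.
 *
 * @param crt the TBS certificate to inspect.
 * @return the {@code pathLenConstraint} when the certificate is a CA;
 *         {@link Integer#MAX_VALUE} when it is a CA without an explicit constraint
 *         (unlimited) or the constraint does not fit in an {@code int}. Returns {@code -1}
 *         when the certificate has no extensions, no BasicConstraints extension, or is not
 *         a CA — callers cannot distinguish these three cases from the return value alone.
 * @throws IOException if the BasicConstraints extension cannot be decoded.
 */
public static int getCAPathConstraint(TBSCertificateStructure crt) throws IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions == null) {
        return -1;
    }
    X509Extension basicConstraintsExt = extensions.getExtension(X509Extensions.BasicConstraints);
    if (basicConstraintsExt == null) {
        return -1;
    }
    BasicConstraints basicConstraints = getBasicConstraints(basicConstraintsExt);
    if (!basicConstraints.isCA()) {
        return -1;
    }
    BigInteger pathLen = basicConstraints.getPathLenConstraint();
    if (pathLen == null) {
        return Integer.MAX_VALUE;
    }
    // pathLenConstraint is an unbounded ASN.1 INTEGER. BigInteger.intValue() keeps only the
    // low 32 bits, so an oversized value from a crafted or odd certificate could wrap to a
    // small or negative limit. Clamp to the int range instead; a value at or above
    // Integer.MAX_VALUE is already "unlimited" for callers.
    BigInteger clamped = pathLen
            .max(BigInteger.valueOf(Integer.MIN_VALUE))
            .min(BigInteger.valueOf(Integer.MAX_VALUE));
    return clamped.intValue();
}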
From source file:org.globus.security.util.CertificateUtil.java
License:Apache License
/**
 * Classifies a TBS certificate as CA, end-entity, or one of the GSI proxy types.
 * <p>
 * Rules, applied in order:
 * <ol>
 * <li>{@link Constants.CertificateType#CA} <b>only</b> when a BasicConstraints extension
 * is present and its CA flag is set. The extension's criticality is not consulted.</li>
 * <li>Otherwise, when the last component of the subject DN is a {@code CN}, the CN value
 * selects the proxy type (see {@link #processCN}): {@code "proxy"} gives
 * {@link Constants.CertificateType#GSI_2_PROXY}, {@code "limited proxy"} gives
 * {@link Constants.CertificateType#GSI_2_LIMITED_PROXY}, and a <em>critical</em>
 * {@link org.globus.security.proxyExtension.ProxyCertInfo} extension is mapped to a
 * GSI-3/GSI-4 proxy type by its policy language
 * ({@link org.globus.security.proxyExtension.ProxyPolicy#IMPERSONATION},
 * {@link org.globus.security.proxyExtension.ProxyPolicy#LIMITED},
 * {@link org.globus.security.proxyExtension.ProxyPolicy#INDEPENDENT}; any other OID is
 * the restricted type).</li>
 * <li>{@link Constants.CertificateType#EEC} in every other case.</li>
 * </ol>
 * Only the first AVA of the last RDN is inspected, so multi-valued RDNs are not handled.
 * Whether the issuer DN equals the subject DN minus the proxy CN is <em>not</em> verified
 * anywhere in this call chain; that is a path-validation concern.
 *
 * @param crt the TBS certificate to classify.
 * @return the certificate type selected by the rules above.
 * @throws IOException if an extension cannot be decoded.
 * @throws CertificateException if a ProxyCertInfo extension is present but is not marked
 *                              critical.
 */
public static Constants.CertificateType getCertificateType(TBSCertificateStructure crt)
        throws CertificateException, IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions != null) {
        X509Extension basicConstraints = extensions.getExtension(X509Extensions.BasicConstraints);
        // CA status rests solely on the BasicConstraints CA flag.
        if (basicConstraints != null && getBasicConstraints(basicConstraints).isCA()) {
            return Constants.CertificateType.CA;
        }
    }

    // Look only at the first AVA of the last RDN; multi-valued RDNs are not handled.
    X509Name subject = crt.getSubject();
    ASN1Set lastRdn = X509NameHelper.getLastNameEntry(subject);
    ASN1Sequence firstAva = (ASN1Sequence) lastRdn.getObjectAt(0);
    if (!X509Name.CN.equals(firstAva.getObjectAt(0))) {
        return Constants.CertificateType.EEC;
    }
    // extensions may still be null here; processCN tolerates that.
    return processCN(extensions, Constants.CertificateType.EEC, firstAva);
}
From source file:org.globus.security.util.CertificateUtil.java
License:Apache License
/**
 * Refines a certificate type using the value of the subject's trailing CN component.
 * <p>
 * A CN of {@code "proxy"} or {@code "limited proxy"} (case-insensitive) selects the GSI-2
 * proxy types without looking at any extension. Otherwise the ProxyCertInfo extension is
 * located — {@link Constants#PROXY_OID} first ({@code gsi4 == true}),
 * {@link Constants#PROXY_OLD_OID} second — and, when found, must be critical; its policy
 * is then interpreted by {@link #processCriticalExtension}. When neither the CN nor an
 * extension applies, {@code type} is returned unchanged.
 * <p>
 * Deliberately not done here: checking that the issuer DN equals the subject DN minus the
 * proxy CN. A commented-out FIXME block used to sketch that check; it belongs to path
 * validation, not classification.
 *
 * @param extensions the certificate's extensions; may be {@code null}.
 * @param type       the type to fall back to (the caller passes EEC).
 * @param ava        the {@code CN} attribute-value pair; element 1 must be a
 *                   {@link DERString}.
 * @return the refined certificate type.
 * @throws CertificateException if a ProxyCertInfo extension exists but is not critical.
 */
private static Constants.CertificateType processCN(X509Extensions extensions,
        Constants.CertificateType type, ASN1Sequence ava) throws CertificateException {
    String cn = ((DERString) ava.getObjectAt(1)).getString();
    if (cn.equalsIgnoreCase("proxy")) {
        return Constants.CertificateType.GSI_2_PROXY;
    }
    if (cn.equalsIgnoreCase("limited proxy")) {
        return Constants.CertificateType.GSI_2_LIMITED_PROXY;
    }
    if (extensions == null) {
        return type;
    }

    // Prefer the current ProxyCertInfo OID (GSI-4); fall back to the legacy one (GSI-3).
    boolean gsi4 = true;
    X509Extension proxyInfo = extensions.getExtension(Constants.PROXY_OID);
    if (proxyInfo == null) {
        proxyInfo = extensions.getExtension(Constants.PROXY_OLD_OID);
        gsi4 = false;
    }
    if (proxyInfo == null) {
        return type;
    }
    if (!proxyInfo.isCritical()) {
        // A non-critical ProxyCertInfo is rejected rather than silently classified as EEC.
        throw new CertificateException("proxyCertCritical");
    }
    return processCriticalExtension(proxyInfo, gsi4);
}
From source file:org.globus.security.util.CertificateUtil.java
License:Apache License
/**
 * Reads the KeyUsage extension of a TBS certificate as a flag array.
 *
 * @param crt the TBS certificate to inspect.
 * @return the decoded key-usage flags, or an empty array when the certificate has no
 *         extensions at all or no KeyUsage extension. An empty array therefore means
 *         "no KeyUsage present", not "KeyUsage present with no bits set".
 * @throws IOException if the extension cannot be decoded.
 */
public static boolean[] getKeyUsage(TBSCertificateStructure crt) throws IOException {
    X509Extensions extensions = crt.getExtensions();
    X509Extension keyUsage =
            (extensions == null) ? null : extensions.getExtension(X509Extensions.KeyUsage);
    if (keyUsage == null) {
        return new boolean[0];
    }
    return getKeyUsage(keyUsage);
}
From source file:org.globus.security.util.ProxyCertificateUtil.java
License:Apache License
/**
 * Extracts the ProxyCertInfo extension of a TBS certificate, if any.
 * <p>
 * {@link Constants#PROXY_OID} is tried first and {@link Constants#PROXY_OLD_OID} second,
 * so a certificate carrying both is read through the current one. The extension's
 * criticality is not checked here.
 *
 * @param crt the TBS certificate to inspect.
 * @return the decoded extension, or {@code null} when the certificate has no
 *         extensions or no ProxyCertInfo extension under either OID.
 * @throws IOException if the extension cannot be decoded.
 */
public static ProxyCertInfo getProxyCertInfo(TBSCertificateStructure crt) throws IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions == null) {
        return null;
    }
    X509Extension proxyInfo = extensions.getExtension(Constants.PROXY_OID);
    if (proxyInfo == null) {
        proxyInfo = extensions.getExtension(Constants.PROXY_OLD_OID);
    }
    return (proxyInfo == null) ? null : getProxyCertInfo(proxyInfo);
}