Example usage for org.bouncycastle.asn1.x509 X509Extensions QCStatements

List of usage examples for org.bouncycastle.asn1.x509 X509Extensions QCStatements

Introduction

This page collects usage examples for org.bouncycastle.asn1.x509 X509Extensions.QCStatements.

Prototype

ASN1ObjectIdentifier QCStatements


Usage

From source file:com.yacme.ext.oxsit.cust_it.comp.security.cert.CertificateComplianceCA_IT.java

License:Open Source License

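/**
 * Checks that the qcStatements extension is present and shaped as the CNIPA
 * profile built on ETSI 102 280 / ETSI 101 862 expects: the extension must
 * exist, must not be flagged critical, and must carry the ETSI statements
 * QcCompliance, QcSSCD and RetentionPeriod once each.
 * <p>
 * A missing extension is reported as {@code MISSING_EXTENSION}; an extension
 * with wrong content is reported as {@code ERROR_IN_EXTENSION} and flagged on
 * {@code m_xQc}. Both cases return {@code false}.
 *
 * @param _TbsC the to-be-signed structure of the certificate under test
 * @return {@code true} only when every check passes
 */
private boolean hasQcStatements(TBSCertificateStructure _TbsC) {
    X509Extensions xExt = _TbsC.getExtensions();
    // A certificate without an extension block yields a null X509Extensions;
    // that must not be dereferenced and simply means "no qcStatements".
    X509Extension qcStats = (xExt == null) ? null : xExt.getExtension(X509Extensions.QCStatements);

    if (qcStats == null) {
        setCertificateStateHelper(CertificateState.MISSING_EXTENSION);
        m_aLogger.log("missing qcStatements");
        return false;
    }

    // Track each required statement individually instead of with a shared
    // counter: a counter lets a statement that appears twice stand in for a
    // different one that is missing entirely. A repeated statement is still
    // treated as an error, as before.
    boolean hasCompliance = false;
    boolean hasSscd = false;
    boolean hasRetentionPeriod = false;
    boolean duplicated = false;

    ASN1Sequence statements = (ASN1Sequence) X509Extension.convertValueToObject(qcStats);
    for (int i = 0; i < statements.size(); i++) {
        QCStatement qcs = QCStatement.getInstance(statements.getObjectAt(i));
        if (QCStatement.id_etsi_qcs_QcCompliance.equals(qcs.getStatementId())) {
            duplicated |= hasCompliance;
            hasCompliance = true;
        } else if (QCStatement.id_etsi_qcs_QcSSCD.equals(qcs.getStatementId())) {
            duplicated |= hasSscd;
            hasSscd = true;
        } else if (QCStatement.id_etsi_qcs_RetentionPeriod.equals(qcs.getStatementId())) {
            duplicated |= hasRetentionPeriod;
            hasRetentionPeriod = true;
        }
    }

    // The extension is required to be non-critical; that is checked together
    // with the content of the statement list.
    boolean contentOk = hasCompliance && hasSscd && hasRetentionPeriod && !duplicated;
    if (qcStats.isCritical() || !contentOk) {
        m_xQc.setCertificateElementErrorState(X509Extensions.QCStatements.getId(),
                CertificateElementState.INVALID_value);
        setCertificateStateHelper(CertificateState.ERROR_IN_EXTENSION);
        return false;
    }

    return true;
}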

From source file:com.yacme.ext.oxsit.cust_it.comp.security.cert.CertificateCompliance_IT.java

License:Open Source License

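/**
 * Checks that the qcStatements extension is present and shaped as the profile
 * built on ETSI 102 280 / ETSI 101 862 expects: the extension must exist, must
 * not be flagged critical, and must carry the ETSI statements QcCompliance,
 * QcSSCD and RetentionPeriod once each.
 * <p>
 * A missing extension is reported as {@code MISSING_EXTENSION} and appended to
 * the NOT_CRITICAL_EXTENSION comment of the display object; an extension with
 * wrong content is reported as {@code ERROR_IN_EXTENSION}, flagged on
 * {@code m_xQc} and given an extension comment. Both cases return {@code false}.
 *
 * @param _TbsC the to-be-signed structure of the certificate under test
 * @return {@code true} only when every check passes
 */
private boolean hasQcStatements(TBSCertificateStructure _TbsC) {
    X509Extensions xExt = _TbsC.getExtensions();
    // A certificate without an extension block yields a null X509Extensions;
    // that must not be dereferenced and simply means "no qcStatements".
    X509Extension qcStats = (xExt == null) ? null : xExt.getExtension(X509Extensions.QCStatements);

    if (qcStats == null) {
        setCertificateStateHelper(CertificateState.MISSING_EXTENSION);
        m_aLogger.log("missing qcStatements");
        String comment = m_xQc.getCertificateDisplayObj()
                .getCertificateElementCommentString(CertificateElementID.NOT_CRITICAL_EXTENSION);
        comment = comment + "\r";

        m_xQc.getCertificateDisplayObj().setCertificateElementCommentString(
                CertificateElementID.NOT_CRITICAL_EXTENSION, comment + "qcStatement missing");
        return false;
    }

    // Track each required statement individually instead of with a shared
    // counter: a counter lets a statement that appears twice stand in for a
    // different one that is missing entirely. A repeated statement is still
    // treated as an error, as before.
    boolean hasCompliance = false;
    boolean hasSscd = false;
    boolean hasRetentionPeriod = false;
    boolean duplicated = false;

    ASN1Sequence statements = (ASN1Sequence) X509Extension.convertValueToObject(qcStats);
    for (int i = 0; i < statements.size(); i++) {
        QCStatement qcs = QCStatement.getInstance(statements.getObjectAt(i));
        if (QCStatement.id_etsi_qcs_QcCompliance.equals(qcs.getStatementId())) {
            duplicated |= hasCompliance;
            hasCompliance = true;
        } else if (QCStatement.id_etsi_qcs_QcSSCD.equals(qcs.getStatementId())) {
            duplicated |= hasSscd;
            hasSscd = true;
        } else if (QCStatement.id_etsi_qcs_RetentionPeriod.equals(qcs.getStatementId())) {
            duplicated |= hasRetentionPeriod;
            hasRetentionPeriod = true;
        }
    }

    // The extension is required to be non-critical; that is checked together
    // with the content of the statement list.
    boolean contentOk = hasCompliance && hasSscd && hasRetentionPeriod && !duplicated;
    if (qcStats.isCritical() || !contentOk) {
        m_xQc.setCertificateElementErrorState(X509Extensions.QCStatements.getId(),
                CertificateElementState.INVALID_value);
        setCertificateStateHelper(CertificateState.ERROR_IN_EXTENSION);

        m_xQc.getCertificateDisplayObj().setCertificateExtensionCommentString(
                X509Extensions.QCStatements.getId(), "some statement is wrong.");
        return false;
    }

    return true;
}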

From source file:eu.europa.ec.markt.dss.validation.tsl.QcStatementCondition.java

License:Open Source License

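/**
 * Tells whether the certificate's qcStatements extension contains a statement
 * whose id equals {@code qcStatementId}.
 * <p>
 * {@code getExtensionValue()} returns the DER encoding of the extension's
 * OCTET STRING wrapper, so the value is decoded in two steps: the wrapper
 * first, then the SEQUENCE OF QCStatement it carries. A certificate without
 * the extension never matches.
 *
 * @param cert certificate (with context) under evaluation
 * @return {@code true} if a statement with the configured id is present
 * @throws RuntimeException if the extension value cannot be decoded
 */
@SuppressWarnings("deprecation")
@Override
public boolean check(CertificateAndContext cert) {
    byte[] qcStatement = cert.getCertificate().getExtensionValue(X509Extensions.QCStatements.getId());
    if (qcStatement == null) {
        return false;
    }
    ASN1InputStream input = null;
    try {
        input = new ASN1InputStream(qcStatement);
        DEROctetString wrapper = (DEROctetString) input.readObject();
        input.close();
        input = new ASN1InputStream(wrapper.getOctets());
        // NOTE(review): depending on the BouncyCastle version the parser may
        // return a sequence subclass other than DERSequence, which would make
        // this cast fail with ClassCastException — confirm against the BC in use.
        DERSequence statements = (DERSequence) input.readObject();
        for (int i = 0; i < statements.size(); i++) {
            QCStatement statement = QCStatement.getInstance(statements.getObjectAt(i));
            if (statement.getStatementId().getId().equals(qcStatementId)) {
                return true;
            }
        }
        return false;
    } catch (IOException e) {
        throw new RuntimeException(e);
    } finally {
        if (input != null) {
            try {
                input.close();
            } catch (IOException ignored) {
                // the stream wraps an in-memory byte array; nothing is left to release
            }
        }
    }
}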

From source file:org.ejbca.core.model.ca.certextensions.standard.QcStatement.java

License:Open Source License

/**
 * Configures this extension from the certificate profile: the OID is always
 * id-pe-qcStatements, the criticality comes from the profile setting.
 *
 * @param certProf profile supplying the qcStatements criticality flag
 */
@Override
public void init(final CertificateProfile certProf) {
    final String qcStatementsOid = X509Extensions.QCStatements.getId();
    final boolean critical = certProf.getQCStatementCritical();
    super.setOID(qcStatementsOid);
    super.setCriticalFlag(critical);
}

From source file:org.ejbca.core.model.ca.certificateprofiles.CertificateProfileTest.java

License:Open Source License

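/**
 * Verifies which standard certificate extensions a profile reports as used:
 * the {@link CertificateProfile} defaults, the
 * {@link EndUserCertificateProfile} defaults, and a base profile with every
 * optional extension switched on.
 *
 * @throws Exception propagated from the profile API
 */
public void test09CertificateExtensions() throws Exception {
    log.trace(">test09CertificateExtensions()");

    CertificateProfile profile = new CertificateProfile();

    // Check standard values for the certificate profile
    assertUsedStandardExtensions(profile.getUsedStandardCertificateExtensions(), 5,
            X509Extensions.KeyUsage.getId(),
            X509Extensions.BasicConstraints.getId(),
            X509Extensions.SubjectKeyIdentifier.getId(),
            X509Extensions.AuthorityKeyIdentifier.getId(),
            X509Extensions.SubjectAlternativeName.getId());

    CertificateProfile eprofile = new EndUserCertificateProfile();

    // The end-user profile adds ExtendedKeyUsage on top of the base defaults
    assertUsedStandardExtensions(eprofile.getUsedStandardCertificateExtensions(), 6,
            X509Extensions.KeyUsage.getId(),
            X509Extensions.BasicConstraints.getId(),
            X509Extensions.SubjectKeyIdentifier.getId(),
            X509Extensions.AuthorityKeyIdentifier.getId(),
            X509Extensions.SubjectAlternativeName.getId(),
            X509Extensions.ExtendedKeyUsage.getId());

    // Every optional extension enabled on a fresh base profile
    profile = new CertificateProfile();
    profile.setUseAuthorityInformationAccess(true);
    profile.setUseCertificatePolicies(true);
    profile.setUseCRLDistributionPoint(true);
    profile.setUseFreshestCRL(true);
    profile.setUseMicrosoftTemplate(true);
    profile.setUseOcspNoCheck(true);
    profile.setUseQCStatement(true);
    profile.setUseExtendedKeyUsage(true);
    profile.setUseSubjectDirAttributes(true);
    assertUsedStandardExtensions(profile.getUsedStandardCertificateExtensions(), 14,
            X509Extensions.KeyUsage.getId(),
            X509Extensions.BasicConstraints.getId(),
            X509Extensions.SubjectKeyIdentifier.getId(),
            X509Extensions.AuthorityKeyIdentifier.getId(),
            X509Extensions.SubjectAlternativeName.getId(),
            X509Extensions.ExtendedKeyUsage.getId(),
            X509Extensions.AuthorityInfoAccess.getId(),
            X509Extensions.CertificatePolicies.getId(),
            X509Extensions.CRLDistributionPoints.getId(),
            X509Extensions.FreshestCRL.getId(),
            OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId(),
            X509Extensions.QCStatements.getId(),
            X509Extensions.SubjectDirectoryAttributes.getId(),
            CertTools.OID_MSTEMPLATE);

}

/**
 * Asserts the exact number of used extensions and that each expected OID is
 * listed. Arguments are in JUnit's expected-then-actual order so a failure
 * message reads correctly.
 */
private static void assertUsedStandardExtensions(final List<?> used, final int expectedSize,
        final String... expectedOids) {
    assertEquals(expectedSize, used.size());
    for (final String oid : expectedOids) {
        assertTrue("missing extension OID " + oid, used.contains(oid));
    }
}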

From source file:org.ejbca.util.cert.QCStatementExtension.java

License:Open Source License

/** Returns true if the certificate contains a QC-statements extension.
 *
 * @param cert Certificate containing the extension
 * @return true or false.
 * @throws IOException if there is a problem parsing the certificate
 */
public static boolean hasQcStatement(final Certificate cert) throws IOException {
    // Only X.509 certificates carry extensions; anything else cannot have one.
    if (!(cert instanceof X509Certificate)) {
        return false;
    }
    final DERObject statements = getExtensionValue((X509Certificate) cert,
            X509Extensions.QCStatements.getId());
    return statements != null;
}

From source file:org.ejbca.util.cert.QCStatementExtension.java

License:Open Source License

/** Returns all the 'statementId' defined in the QCStatement extension (rfc3739).
 *
 * @param cert Certificate containing the extension
 * @return Collection of String with the oid, for example "1.1.1.2", or empty Collection if no identifier is found, never returns null.
 * @throws IOException if there is a problem parsing the certificate
 */
public static Collection<String> getQcStatementIds(final Certificate cert) throws IOException {
    final ArrayList<String> ids = new ArrayList<String>();
    if (!(cert instanceof X509Certificate)) {
        return ids;
    }
    final DERObject extension = getExtensionValue((X509Certificate) cert,
            X509Extensions.QCStatements.getId());
    if (extension != null) {
        // The extension value is a SEQUENCE OF QCStatement; collect the id of each entry
        final ASN1Sequence statements = (ASN1Sequence) extension;
        final int count = statements.size();
        for (int idx = 0; idx < count; idx++) {
            final QCStatement statement = QCStatement.getInstance(statements.getObjectAt(idx));
            final DERObjectIdentifier statementId = statement.getStatementId();
            if (statementId != null) {
                ids.add(statementId.getId());
            }
        }
    }
    return ids;
}

From source file:org.ejbca.util.cert.QCStatementExtension.java

License:Open Source License

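/** Returns the value limit ETSI QCStatement if present.
 *
 * The limit is amount * 10^exponent as carried by the MonetaryValue; it is
 * computed with BigInteger so amounts beyond the range of a long are no
 * longer silently truncated or made negative by overflow.
 *
 * @param cert Certificate possibly containing the QCStatement extension
 * @return String with the value and currency (ex '50000 SEK')or null if the extension is not present,
 *         or if the MonetaryValue is malformed (negative amount, unusable exponent or missing currency)
 * @throws IOException if there is a problem parsing the certificate
 */
public static String getQcStatementValueLimit(final Certificate cert) throws IOException {
    if (!(cert instanceof X509Certificate)) {
        return null;
    }
    final DERObject obj = getExtensionValue((X509Certificate) cert, X509Extensions.QCStatements.getId());
    if (obj == null) {
        return null;
    }
    final ASN1Sequence seq = (ASN1Sequence) obj;
    MonetaryValue mv = null;
    // Look through all the QCStatements and see if we have a standard ETSI LimitValue
    for (int i = 0; i < seq.size(); i++) {
        final QCStatement qc = QCStatement.getInstance(seq.getObjectAt(i));
        final DERObjectIdentifier oid = qc.getStatementId();
        if ((oid != null) && oid.equals(ETSIQCObjectIdentifiers.id_etsi_qcs_LimiteValue)) {
            // We MAY have a MonetaryValue object here
            final ASN1Encodable enc = qc.getStatementInfo();
            if (enc != null) {
                mv = MonetaryValue.getInstance(enc);
                // We can break the loop now, we got it!
                break;
            }
        }
    }
    if (mv == null) {
        return null;
    }

    final BigInteger amount = mv.getAmount();
    final BigInteger exp = mv.getExponent();
    // The exponent comes straight from the certificate. It must be non-negative
    // for pow() and is capped so that an absurd encoding cannot make the
    // 10^exp computation allocate a huge number; the cap is a sanity bound
    // far above any plausible monetary limit.
    final BigInteger maxExponent = BigInteger.valueOf(64);
    if (exp.signum() < 0 || exp.compareTo(maxExponent) > 0) {
        log.error("ETSI LimitValue exponent is out of range: " + exp);
        return null;
    }
    final BigInteger value = amount.multiply(BigInteger.TEN.pow(exp.intValue()));
    if (value.signum() < 0) {
        log.error("ETSI LimitValue amount is < 0.");
    }
    final String curr = mv.getCurrency().getAlphabetic();
    if (curr == null) {
        log.error("ETSI LimitValue currency is null");
    }
    if ((value.signum() >= 0) && (curr != null)) {
        return value + " " + curr;
    }
    return null;
}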

From source file:org.ejbca.util.cert.QCStatementExtension.java

License:Open Source License

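/** Returns the 'NameRegistrationAuthorities' defined in the QCStatement extension (rfc3739).
 *
 * Names of a type that getGeneralNameString() does not support are skipped
 * entirely, so they never leave an empty ", , " slot or a trailing separator
 * in the result.
 *
 * @param cert Certificate containing the extension
 * @return String with for example 'rfc822Name=foo2bar.se, rfc822Name=bar2foo.se' etc. Supports email, dns and uri name, or null of no RAs are found.
 * @throws IOException if there is a problem parsing the certificate
 */
public static String getQcStatementAuthorities(final Certificate cert) throws IOException {
    if (!(cert instanceof X509Certificate)) {
        return null;
    }
    final DERObject obj = getExtensionValue((X509Certificate) cert, X509Extensions.QCStatements.getId());
    if (obj == null) {
        return null;
    }
    final ASN1Sequence seq = (ASN1Sequence) obj;
    SemanticsInformation si = null;
    // Look through all the QCStatements and see if we have a standard RFC3739 pkixQCSyntax (v1 or v2)
    for (int i = 0; i < seq.size(); i++) {
        final QCStatement qc = QCStatement.getInstance(seq.getObjectAt(i));
        final DERObjectIdentifier oid = qc.getStatementId();
        if ((oid != null) && (oid.equals(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v1)
                || oid.equals(RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v2))) {
            // We MAY have a SemanticsInformation object here
            final ASN1Encodable enc = qc.getStatementInfo();
            if (enc != null) {
                si = SemanticsInformation.getInstance(enc);
                // We can break the loop now, we got it!
                break;
            }
        }
    }
    if (si == null) {
        return null;
    }
    final GeneralName[] gns = si.getNameRegistrationAuthorities();
    if (gns == null) {
        return null;
    }
    final StringBuilder strBuf = new StringBuilder();
    for (final GeneralName gn : gns) {
        final String str = getGeneralNameString(gn.getTagNo(), gn.getName());
        if (str == null) {
            // Unsupported name type: leave it out completely rather than emit an empty entry
            continue;
        }
        if (strBuf.length() != 0) {
            // Append comma so we get nice formatting if there are more than one authority
            strBuf.append(", ");
        }
        strBuf.append(str);
    }
    return (strBuf.length() > 0) ? strBuf.toString() : null;
}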

From source file:test.unit.be.fedict.trust.TrustTestUtils.java

License:Open Source License

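/**
 * Builds and signs a test X.509 v3 certificate with the requested extensions.
 * <p>
 * The issuer DN is taken from {@code issuerCertificate} when one is given,
 * otherwise the certificate is self-issued under {@code subjectDn}. Each
 * extension is added only when the corresponding argument asks for it. The
 * qcStatements extension is added critical and carries QcCompliance when
 * {@code qcCompliance} is {@code TRUE} and RetentionPeriod when it is
 * {@code FALSE}. The serial number is 128 random bits from {@link SecureRandom}.
 *
 * @param subjectPublicKey key certified by the new certificate
 * @param subjectDn subject DN, also used as issuer DN when self-issued
 * @param notBefore start of validity
 * @param notAfter end of validity
 * @param issuerCertificate issuer, or {@code null} for a self-issued certificate
 * @param issuerPrivateKey key used to sign the certificate
 * @param caFlag whether to add a BasicConstraints extension with cA set
 * @param pathLength path length constraint for BasicConstraints, or -1 for none
 * @param crlUri CRL distribution point URI, or {@code null}
 * @param ocspUri OCSP responder URI for the AIA extension, or {@code null}
 * @param keyUsage KeyUsage extension (added critical), or {@code null}
 * @param signatureAlgorithm signature algorithm name handed to the generator
 * @param tsa whether to add a timeStamping extended key usage
 * @param includeSKID whether to add a SubjectKeyIdentifier
 * @param includeAKID whether to add an AuthorityKeyIdentifier
 * @param akidPublicKey key for the AKID; falls back to the issuer's, then the subject's key
 * @param certificatePolicy not used by this method
 * @param qcCompliance {@code null} for no qcStatements extension, else selects the statement
 * @param ocspResponder whether to add id-pkix-ocsp-nocheck and the OCSPSigning extended key usage
 * @return the certificate, re-parsed by the default JCA provider
 * @throws IOException if the generated certificate cannot be re-encoded
 * @throws InvalidKeyException if the signing key is unusable
 * @throws IllegalStateException if the generator is incompletely configured
 * @throws NoSuchAlgorithmException if the signature algorithm is unknown
 * @throws SignatureException if signing fails
 * @throws CertificateException if the certificate cannot be generated or re-parsed
 */
@SuppressWarnings("deprecation")
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn,
        DateTime notBefore, DateTime notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey,
        boolean caFlag, int pathLength, String crlUri, String ocspUri, KeyUsage keyUsage,
        String signatureAlgorithm, boolean tsa, boolean includeSKID, boolean includeAKID,
        PublicKey akidPublicKey, String certificatePolicy, Boolean qcCompliance, boolean ocspResponder)
        throws IOException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException,
        SignatureException, CertificateException {

    X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
    certificateGenerator.reset();
    certificateGenerator.setPublicKey(subjectPublicKey);
    certificateGenerator.setSignatureAlgorithm(signatureAlgorithm);
    certificateGenerator.setNotBefore(notBefore.toDate());
    certificateGenerator.setNotAfter(notAfter.toDate());
    certificateGenerator.setIssuerDN(resolveIssuerPrincipal(issuerCertificate, subjectDn));
    certificateGenerator.setSubjectDN(new X509Principal(subjectDn));
    // 128 random bits keeps test serials unique and unpredictable
    certificateGenerator.setSerialNumber(new BigInteger(128, new SecureRandom()));

    if (includeSKID) {
        certificateGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false,
                createSubjectKeyId(subjectPublicKey));
    }

    if (includeAKID) {
        PublicKey issuerPublicKey = resolveAkidPublicKey(akidPublicKey, issuerCertificate, subjectPublicKey);
        certificateGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
                createAuthorityKeyId(issuerPublicKey));
    }

    if (caFlag) {
        // -1 means "cA without a path length constraint"
        BasicConstraints basicConstraints = (-1 == pathLength)
                ? new BasicConstraints(true)
                : new BasicConstraints(pathLength);
        certificateGenerator.addExtension(X509Extensions.BasicConstraints, false, basicConstraints);
    }

    if (null != crlUri) {
        GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(crlUri));
        GeneralNames gns = new GeneralNames(gn);
        DistributionPointName dpn = new DistributionPointName(0, gns);
        DistributionPoint distp = new DistributionPoint(dpn, null, null);
        certificateGenerator.addExtension(X509Extensions.CRLDistributionPoints, false, new DERSequence(distp));
    }

    if (null != ocspUri) {
        GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri);
        AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess(
                X509ObjectIdentifiers.ocspAccessMethod, ocspName);
        // Same OID-object overload as the other extensions, for consistency
        certificateGenerator.addExtension(X509Extensions.AuthorityInfoAccess, false,
                authorityInformationAccess);
    }

    if (null != keyUsage) {
        certificateGenerator.addExtension(X509Extensions.KeyUsage, true, keyUsage);
    }

    if (null != qcCompliance) {
        certificateGenerator.addExtension(X509Extensions.QCStatements, true,
                buildQcStatements(qcCompliance.booleanValue()));
    }

    if (tsa) {
        certificateGenerator.addExtension(X509Extensions.ExtendedKeyUsage, true,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping));
    }

    if (ocspResponder) {
        certificateGenerator.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, new DERNull());

        certificateGenerator.addExtension(X509Extensions.ExtendedKeyUsage, true,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning));
    }

    X509Certificate certificate = certificateGenerator.generate(issuerPrivateKey);
    return reencodeWithDefaultProvider(certificate);
}

/** Issuer DN: the issuer certificate's subject when given, otherwise the subject DN (self-issued). */
@SuppressWarnings("deprecation")
private static X509Principal resolveIssuerPrincipal(X509Certificate issuerCertificate, String subjectDn) {
    if (null != issuerCertificate) {
        return new X509Principal(issuerCertificate.getSubjectX500Principal().toString());
    }
    return new X509Principal(subjectDn);
}

/** Key identified by the AKID: explicit key first, then the issuer certificate's key, then the subject's own key. */
private static PublicKey resolveAkidPublicKey(PublicKey akidPublicKey, X509Certificate issuerCertificate,
        PublicKey subjectPublicKey) {
    if (null != akidPublicKey) {
        return akidPublicKey;
    }
    if (null != issuerCertificate) {
        return issuerCertificate.getPublicKey();
    }
    return subjectPublicKey;
}

/** Single-statement qcStatements value: QcCompliance when requested, RetentionPeriod otherwise. */
private static DERSequence buildQcStatements(boolean qcCompliance) {
    ASN1EncodableVector vec = new ASN1EncodableVector();
    if (qcCompliance) {
        vec.add(new QCStatement(QCStatement.id_etsi_qcs_QcCompliance));
    } else {
        vec.add(new QCStatement(QCStatement.id_etsi_qcs_RetentionPeriod));
    }
    return new DERSequence(vec);
}

/**
 * Re-parses the certificate through the default security provider so the
 * object handed to the caller is not a BouncyCastle instance; without this
 * the CertPath validator may run into trouble.
 */
private static X509Certificate reencodeWithDefaultProvider(X509Certificate certificate)
        throws CertificateException {
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
    return (X509Certificate) certificateFactory
            .generateCertificate(new ByteArrayInputStream(certificate.getEncoded()));
}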