List of usage examples for org.bouncycastle.asn1.x509 X509Extensions SubjectAlternativeName
ASN1ObjectIdentifier SubjectAlternativeName
To view the source code for org.bouncycastle.asn1.x509 X509Extensions SubjectAlternativeName.
Click Source Link
From source file:org.apache.kerby.pkix.EndEntityGenerator.java
License:Apache License
/** * Generate certificate.//ww w .j ava2 s.c o m * * @param issuerCert * @param issuerPrivateKey * @param publicKey * @param dn * @param validityDays * @param friendlyName * @return The certificate. * @throws InvalidKeyException * @throws SecurityException * @throws SignatureException * @throws NoSuchAlgorithmException * @throws DataLengthException * @throws CertificateException */ public static X509Certificate generate(X509Certificate issuerCert, PrivateKey issuerPrivateKey, PublicKey publicKey, String dn, int validityDays, String friendlyName) throws InvalidKeyException, SecurityException, SignatureException, NoSuchAlgorithmException, DataLengthException, CertificateException { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); // Set certificate attributes. certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(issuerCert)); certGen.setSubjectDN(new X509Principal(dn)); certGen.setNotBefore(new Date()); Calendar expiry = Calendar.getInstance(); expiry.add(Calendar.DAY_OF_YEAR, validityDays); certGen.setNotAfter(expiry.getTime()); certGen.setPublicKey(publicKey); certGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded())))); // MAY set BasicConstraints=false or not at all. certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerCert)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment)); ASN1EncodableVector keyPurposeVector = new ASN1EncodableVector(); keyPurposeVector.add(KeyPurposeId.id_kp_smartcardlogon); //keyPurposeVector.add( KeyPurposeId.id_kp_serverAuth ); DERSequence keyPurposeOids = new DERSequence(keyPurposeVector); // If critical, will throw unsupported EKU. certGen.addExtension(X509Extensions.ExtendedKeyUsage, false, keyPurposeOids); ASN1EncodableVector pkinitSanVector = new ASN1EncodableVector(); pkinitSanVector.add(ID_PKINIT_SAN); pkinitSanVector.add(new DERTaggedObject(0, new DERSequence())); DERSequence pkinitSan = new DERSequence(pkinitSanVector); String dnsName = "localhost"; GeneralName name1 = new GeneralName(GeneralName.otherName, pkinitSan); GeneralName name2 = new GeneralName(GeneralName.dNSName, dnsName); GeneralNamesBuilder genNamesBuilder = new GeneralNamesBuilder(); genNamesBuilder.addName(name1); genNamesBuilder.addName(name2); GeneralNames sanGeneralNames = genNamesBuilder.build(); certGen.addExtension(X509Extensions.SubjectAlternativeName, true, sanGeneralNames); /* * The KDC MAY require the presence of an Extended Key Usage (EKU) KeyPurposeId * [RFC3280] id-pkinit-KPClientAuth in the extensions field of the client's * X.509 certificate. */ /* * The digitalSignature key usage bit [RFC3280] MUST be asserted when the * intended purpose of the client's X.509 certificate is restricted with * the id-pkinit-KPClientAuth EKU. */ /* * KDCs implementing this requirement SHOULD also accept the EKU KeyPurposeId * id-ms-kp-sc-logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as * there are a large number of X.509 client certificates deployed for use * with PKINIT that have this EKU. */ // KDC /* * In addition, unless the client can otherwise verify that the public key * used to verify the KDC's signature is bound to the KDC of the target realm, * the KDC's X.509 certificate MUST contain a Subject Alternative Name extension * [RFC3280] carrying an AnotherName whose type-id is id-pkinit-san (as defined * in Section 3.2.2) and whose value is a KRB5PrincipalName that matches the * name of the TGS of the target realm (as defined in Section 7.3 of [RFC4120]). */ /* * Unless the client knows by some other means that the KDC certificate is * intended for a Kerberos KDC, the client MUST require that the KDC certificate * contains the EKU KeyPurposeId [RFC3280] id-pkinit-KPKdc. */ /* * The digitalSignature key usage bit [RFC3280] MUST be asserted when the * intended purpose of the KDC's X.509 certificate is restricted with the * id-pkinit-KPKdc EKU. */ /* * If the KDC certificate contains the Kerberos TGS name encoded as an id-pkinit-san * SAN, this certificate is certified by the issuing CA as a KDC certificate, * therefore the id-pkinit-KPKdc EKU is not required. */ /* * KDC certificates issued by Windows 2000 Enterprise CAs contain a dNSName * SAN with the DNS name of the host running the KDC, and the id-kp-serverAuth * EKU [RFC3280]. */ /* * KDC certificates issued by Windows 2003 Enterprise CAs contain a dNSName * SAN with the DNS name of the host running the KDC, the id-kp-serverAuth * EKU, and the id-ms-kp-sc-logon EKU. */ /* * RFC: KDC certificates with id-pkinit-san SAN as specified in this RFC. * * MS: dNSName SAN containing the domain name of the KDC * id-pkinit-KPKdc EKU * id-kp-serverAuth EKU. */ /* * Client certificates accepted by Windows 2000 and Windows 2003 Server KDCs * must contain an id-ms-san-sc-logon-upn (1.3.6.1.4.1.311.20.2.3) SAN and * the id-ms-kp-sc-logon EKU. The id-ms-san-sc-logon-upn SAN contains a * UTF8-encoded string whose value is that of the Directory Service attribute * UserPrincipalName of the client account object, and the purpose of including * the id-ms-san-sc-logon-upn SAN in the client certificate is to validate * the client mapping (in other words, the client's public key is bound to * the account that has this UserPrincipalName value). */ X509Certificate cert = certGen.generate(issuerPrivateKey); PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert; bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName)); bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded())))); return cert; }
From source file:org.candlepin.pki.impl.BouncyCastlePKIUtility.java
License:Open Source License
@Override public X509Certificate createX509Certificate(String dn, Set<X509ExtensionWrapper> extensions, Set<X509ByteExtensionWrapper> byteExtensions, Date startDate, Date endDate, KeyPair clientKeyPair, BigInteger serialNumber, String alternateName) throws GeneralSecurityException, IOException { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); X509Certificate caCert = reader.getCACert(); // set cert fields certGen.setSerialNumber(serialNumber); certGen.setIssuerDN(caCert.getSubjectX500Principal()); certGen.setNotBefore(startDate);/*from ww w . j av a2s. com*/ certGen.setNotAfter(endDate); X500Principal subjectPrincipal = new X500Principal(dn); certGen.setSubjectDN(subjectPrincipal); certGen.setPublicKey(clientKeyPair.getPublic()); certGen.setSignatureAlgorithm(SIGNATURE_ALGO); // set key usage - required for proper x509 function KeyUsage keyUsage = new KeyUsage( KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment); // add SSL extensions - required for proper x509 function NetscapeCertType certType = new NetscapeCertType(NetscapeCertType.sslClient | NetscapeCertType.smime); certGen.addExtension(MiscObjectIdentifiers.netscapeCertType.toString(), false, certType); certGen.addExtension(X509Extensions.KeyUsage.toString(), false, keyUsage); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, subjectKeyWriter.getSubjectKeyIdentifier(clientKeyPair, extensions)); certGen.addExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth)); // Add an alternate name if provided if (alternateName != null) { GeneralName name = new GeneralName(GeneralName.uniformResourceIdentifier, "CN=" + alternateName); certGen.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(name)); } if (extensions != null) { for (X509ExtensionWrapper wrapper : extensions) { // Bouncycastle hates null values. So, set them to blank // if they are null String value = wrapper.getValue() == null ? "" : wrapper.getValue(); certGen.addExtension(wrapper.getOid(), wrapper.isCritical(), new DERUTF8String(value)); } } if (byteExtensions != null) { for (X509ByteExtensionWrapper wrapper : byteExtensions) { // Bouncycastle hates null values. So, set them to blank // if they are null byte[] value = wrapper.getValue() == null ? new byte[0] : wrapper.getValue(); certGen.addExtension(wrapper.getOid(), wrapper.isCritical(), new DEROctetString(value)); } } // Generate the certificate return certGen.generate(reader.getCaKey()); }
From source file:org.ccnx.ccn.impl.security.crypto.util.CryptoUtil.java
License:Open Source License
/** * Helper method to pull SubjectAlternativeNames from a certificate. BouncyCastle has * one of these, but it isn't included on all platforms. We get one by default from X509Certificate * but it returns us a collection of ? and we can't ever know what the ? is because we might * get a different impl class on different platforms. So we have to roll our own. * /*from w ww. j a v a2 s. c o m*/ * We filter the general names down to ones we can handle. * @param certificate * @return * @throws IOException * @throws CertificateEncodingException */ public static ArrayList<Tuple<Integer, String>> getSubjectAlternativeNames(X509Certificate certificate) throws IOException, CertificateEncodingException { byte[] encodedExtension = certificate.getExtensionValue(X509Extensions.SubjectAlternativeName.getId()); ArrayList<Tuple<Integer, String>> list = new ArrayList<Tuple<Integer, String>>(); if (null == encodedExtension) { return list; } // content of extension is wrapped in a DEROctetString DEROctetString content = (DEROctetString) CryptoUtil.decode(encodedExtension); byte[] encapsulatedOctetString = content.getOctets(); ASN1InputStream aIn = new ASN1InputStream(encapsulatedOctetString); ASN1Encodable decodedObject = (ASN1Encodable) aIn.readObject(); ASN1Sequence sequence = (ASN1Sequence) decodedObject.getDERObject(); Integer tag; GeneralName generalName; Enumeration<?> it = sequence.getObjects(); while (it.hasMoreElements()) { generalName = GeneralName.getInstance(it.nextElement()); tag = generalName.getTagNo(); switch (tag) { case GeneralName.dNSName: case GeneralName.rfc822Name: case GeneralName.uniformResourceIdentifier: list.add(new Tuple<Integer, String>(tag, ((DERString) generalName.getName()).getString())); default: // ignore other types } } return list; }
From source file:org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.java
License:Open Source License
/** * Adds an subject alternative name extension to the certificate. *//*from w w w .jav a2s. c om*/ protected void addSubjectAltNamesExtension() { if (_subjectAltNames.size() == 0) return; GeneralNames genNames = new GeneralNames(new DERSequence(_subjectAltNames)); _generator.addExtension(X509Extensions.SubjectAlternativeName, false, genNames); }
From source file:org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.java
License:Open Source License
/** * Open up the ability to add additional extensions that aren't * EKU or SubjectAltName (which we manage). *//*from www . j a v a 2 s . co m*/ public void addExtension(String oid, boolean critical, byte[] value) { if (null == oid) throw new IllegalArgumentException("OID cannot be null!"); DERObjectIdentifier derOID = new DERObjectIdentifier(oid); if ((derOID.equals(X509Extensions.ExtendedKeyUsage)) || (derOID.equals(X509Extensions.SubjectAlternativeName)) || (derOID.equals(X509Extensions.AuthorityKeyIdentifier))) { throw new IllegalArgumentException( "Cannot use addExtension to set ExtendedKeyUsage or SubjectAlternativeName or AuthorityKeyIdentifier!"); } _generator.addExtension(derOID, critical, value); }
From source file:org.deviceconnect.android.ssl.AbstractKeyStoreManager.java
License:MIT License
private X509Certificate generateX509V3Certificate(final KeyPair keyPair, final X500Principal subject, final X500Principal issuer, final Date notBefore, final Date notAfter, final BigInteger serialNumber, final GeneralNames generalNames, final boolean isCA) throws GeneralSecurityException { Security.addProvider(new BouncyCastleProvider()); X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); generator.setSerialNumber(serialNumber); generator.setIssuerDN(issuer);//from www . j ava 2s . co m generator.setSubjectDN(subject); generator.setNotBefore(notBefore); generator.setNotAfter(notAfter); generator.setPublicKey(keyPair.getPublic()); generator.setSignatureAlgorithm("SHA256WithRSAEncryption"); generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(isCA)); generator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(160)); generator.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); if (generalNames != null) { generator.addExtension(X509Extensions.SubjectAlternativeName, false, generalNames); } return generator.generateX509Certificate(keyPair.getPrivate(), "BC"); }
From source file:org.deviceconnect.android.ssl.EndPointKeyStoreManager.java
License:MIT License
/** * ??????./*from www . ja v a 2 s. c om*/ * * @param keyPair * @param commonName ? * @param generalNames SANs * @return ???? * @throws GeneralSecurityException ????? */ private static PKCS10CertificationRequest createCSR(final KeyPair keyPair, final String commonName, final GeneralNames generalNames) throws GeneralSecurityException { final String signatureAlgorithm = "SHA256WithRSAEncryption"; final X500Principal principal = new X500Principal( "CN=" + commonName + ", O=Device Connect Project, L=N/A, ST=N/A, C=JP"); DERSequence sanExtension = new DERSequence( new ASN1Encodable[] { X509Extensions.SubjectAlternativeName, new DEROctetString(generalNames) }); DERSet extensions = new DERSet(new DERSequence(sanExtension)); DERSequence extensionRequest = new DERSequence( new ASN1Encodable[] { PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions }); DERSet attributes = new DERSet(extensionRequest); return new PKCS10CertificationRequest(signatureAlgorithm, principal, keyPair.getPublic(), attributes, keyPair.getPrivate()); }
From source file:org.ejbca.core.ejb.ca.sign.SignSessionTest.java
License:Open Source License
public void test29TestExtensionOverride() throws Exception { final String altnames = "dNSName=foo1.bar.com,dNSName=foo2.bar.com,dNSName=foo3.bar.com,dNSName=foo4.bar.com,dNSName=foo5.bar.com,dNSName=foo6.bar.com,dNSName=foo7.bar.com,dNSName=foo8.bar.com,dNSName=foo9.bar.com,dNSName=foo10.bar.com,dNSName=foo11.bar.com,dNSName=foo12.bar.com,dNSName=foo13.bar.com,dNSName=foo14.bar.com,dNSName=foo15.bar.com,dNSName=foo16.bar.com,dNSName=foo17.bar.com,dNSName=foo18.bar.com,dNSName=foo19.bar.com,dNSName=foo20.bar.com,dNSName=foo21.bar.com"; // Create a good certificate profile (good enough), using QC statement certificateProfileSession.removeCertificateProfile(admin, "TESTEXTENSIONOVERRIDE"); EndUserCertificateProfile certprof = new EndUserCertificateProfile(); // Default profile does not allow Extension override certprof.setValidity(298);/*from w ww . ja va 2s. c o m*/ certificateProfileSession.addCertificateProfile(admin, "TESTEXTENSIONOVERRIDE", certprof); int cprofile = certificateProfileSession.getCertificateProfileId(admin, "TESTEXTENSIONOVERRIDE"); // Create a good end entity profile (good enough), allowing multiple UPN // names endEntityProfileSession.removeEndEntityProfile(admin, "TESTEXTENSIONOVERRIDE"); EndEntityProfile profile = new EndEntityProfile(); profile.addField(DnComponents.COUNTRY); profile.addField(DnComponents.COMMONNAME); profile.setValue(EndEntityProfile.AVAILCAS, 0, Integer.toString(SecConst.ALLCAS)); profile.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, Integer.toString(cprofile)); endEntityProfileSession.addEndEntityProfile(admin, "TESTEXTENSIONOVERRIDE", profile); int eeprofile = endEntityProfileSession.getEndEntityProfileId(admin, "TESTEXTENSIONOVERRIDE"); UserDataVO user = new UserDataVO("foo", "C=SE,CN=extoverride", rsacaid, null, "foo@anatom.nu", SecConst.USER_ENDUSER, eeprofile, cprofile, SecConst.TOKEN_SOFT_PEM, 0, null); user.setPassword("foo123"); user.setStatus(UserDataConstants.STATUS_NEW); // Change a user that we know... userAdminSession.changeUser(admin, user, false); // Create a P10 with extensions, in this case altNames with a lot of DNS // names ASN1EncodableVector extensionattr = new ASN1EncodableVector(); extensionattr.add(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); // AltNames // String[] namearray = altnames.split(","); GeneralNames san = CertTools.getGeneralNamesFromAltName(altnames); ByteArrayOutputStream extOut = new ByteArrayOutputStream(); DEROutputStream derOut = new DEROutputStream(extOut); try { derOut.writeObject(san); } catch (IOException e) { throw new IllegalArgumentException("error encoding value: " + e); } // Extension request attribute is a set of X509Extensions // ASN1EncodableVector x509extensions = new ASN1EncodableVector(); // An X509Extensions is a sequence of Extension which is a sequence of // {oid, X509Extension} // ASN1EncodableVector extvalue = new ASN1EncodableVector(); Vector<DERObjectIdentifier> oidvec = new Vector<DERObjectIdentifier>(); oidvec.add(X509Extensions.SubjectAlternativeName); Vector<X509Extension> valuevec = new Vector<X509Extension>(); valuevec.add(new X509Extension(false, new DEROctetString(extOut.toByteArray()))); X509Extensions exts = new X509Extensions(oidvec, valuevec); extensionattr.add(new DERSet(exts)); // Complete the Attribute section of the request, the set (Attributes) // contains one sequence (Attribute) ASN1EncodableVector v = new ASN1EncodableVector(); v.add(new DERSequence(extensionattr)); DERSet attributes = new DERSet(v); // Create PKCS#10 certificate request PKCS10CertificationRequest req = new PKCS10CertificationRequest("SHA1WithRSA", new X509Name("C=SE,CN=extoverride"), rsakeys.getPublic(), attributes, rsakeys.getPrivate()); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); DEROutputStream dOut = new DEROutputStream(bOut); dOut.writeObject(req); dOut.close(); byte[] p10bytes = bOut.toByteArray(); // FileOutputStream fos = new FileOutputStream("/tmp/foo.der"); // fos.write(p10bytes); // fos.close(); PKCS10RequestMessage p10 = new PKCS10RequestMessage(p10bytes); p10.setUsername("foo"); p10.setPassword("foo123"); // See if the request message works... X509Extensions p10exts = p10.getRequestExtensions(); assertNotNull(p10exts); IResponseMessage resp = signSession.createCertificate(admin, p10, org.ejbca.core.protocol.X509ResponseMessage.class, null); X509Certificate cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage()); assertNotNull("Failed to create certificate", cert); assertEquals("CN=extoverride,C=SE", cert.getSubjectDN().getName()); // check altNames, should be none Collection c = cert.getSubjectAlternativeNames(); assertNull(c); // Change so that we allow override of validity time CertificateProfile prof = certificateProfileSession.getCertificateProfile(admin, cprofile); prof.setAllowExtensionOverride(true); certificateProfileSession.changeCertificateProfile(admin, "TESTEXTENSIONOVERRIDE", prof); userAdminSession.changeUser(admin, user, false); resp = signSession.createCertificate(admin, p10, org.ejbca.core.protocol.X509ResponseMessage.class, null); cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage()); assertNotNull("Failed to create certificate", cert); assertEquals("CN=extoverride,C=SE", cert.getSubjectDN().getName()); // check altNames, should be one altName c = cert.getSubjectAlternativeNames(); assertNotNull(c); assertEquals(21, c.size()); String retAltNames = CertTools.getSubjectAlternativeName(cert); List<String> originalNames = Arrays.asList(altnames.split(",")); List<String> returnNames = Arrays.asList(retAltNames.split(", ")); assertTrue(originalNames.containsAll(returnNames)); }
From source file:org.ejbca.core.model.ca.certextensions.standard.SubjectAltNames.java
License:Open Source License
@Override public void init(final CertificateProfile certProf) { super.setOID(X509Extensions.SubjectAlternativeName.getId()); super.setCriticalFlag(certProf.getSubjectAlternativeNameCritical()); }
From source file:org.ejbca.core.model.ca.certificateprofiles.CertificateProfileTest.java
License:Open Source License
public void test09CertificateExtensions() throws Exception { log.trace(">test09CertificateExtensions()"); CertificateProfile profile = new CertificateProfile(); // Check standard values for the certificate profile List l = profile.getUsedStandardCertificateExtensions(); assertEquals(l.size(), 5);//from ww w .j ava 2 s. c o m assertTrue(l.contains(X509Extensions.KeyUsage.getId())); assertTrue(l.contains(X509Extensions.BasicConstraints.getId())); assertTrue(l.contains(X509Extensions.SubjectKeyIdentifier.getId())); assertTrue(l.contains(X509Extensions.AuthorityKeyIdentifier.getId())); assertTrue(l.contains(X509Extensions.SubjectAlternativeName.getId())); CertificateProfile eprofile = new EndUserCertificateProfile(); // Check standard values for the certificate profile l = eprofile.getUsedStandardCertificateExtensions(); assertEquals(l.size(), 6); assertTrue(l.contains(X509Extensions.KeyUsage.getId())); assertTrue(l.contains(X509Extensions.BasicConstraints.getId())); assertTrue(l.contains(X509Extensions.SubjectKeyIdentifier.getId())); assertTrue(l.contains(X509Extensions.AuthorityKeyIdentifier.getId())); assertTrue(l.contains(X509Extensions.SubjectAlternativeName.getId())); assertTrue(l.contains(X509Extensions.ExtendedKeyUsage.getId())); profile = new CertificateProfile(); profile.setUseAuthorityInformationAccess(true); profile.setUseCertificatePolicies(true); profile.setUseCRLDistributionPoint(true); profile.setUseFreshestCRL(true); profile.setUseMicrosoftTemplate(true); profile.setUseOcspNoCheck(true); profile.setUseQCStatement(true); profile.setUseExtendedKeyUsage(true); profile.setUseSubjectDirAttributes(true); l = profile.getUsedStandardCertificateExtensions(); assertEquals(l.size(), 14); assertTrue(l.contains(X509Extensions.KeyUsage.getId())); assertTrue(l.contains(X509Extensions.BasicConstraints.getId())); assertTrue(l.contains(X509Extensions.SubjectKeyIdentifier.getId())); assertTrue(l.contains(X509Extensions.AuthorityKeyIdentifier.getId())); assertTrue(l.contains(X509Extensions.SubjectAlternativeName.getId())); assertTrue(l.contains(X509Extensions.ExtendedKeyUsage.getId())); assertTrue(l.contains(X509Extensions.AuthorityInfoAccess.getId())); assertTrue(l.contains(X509Extensions.CertificatePolicies.getId())); assertTrue(l.contains(X509Extensions.CRLDistributionPoints.getId())); assertTrue(l.contains(X509Extensions.FreshestCRL.getId())); assertTrue(l.contains(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId())); assertTrue(l.contains(X509Extensions.QCStatements.getId())); assertTrue(l.contains(X509Extensions.SubjectDirectoryAttributes.getId())); assertTrue(l.contains(CertTools.OID_MSTEMPLATE)); }