List of usage examples for org.bouncycastle.jce X509KeyUsage decipherOnly
From source file:org.cesecore.util.CertTools.java
License:Open Source License
/**
 * Converts Sun (JCA) key usage bits to a Bouncy Castle key usage bit mask.
 *
 * The input follows the layout of {@link java.security.cert.X509Certificate#getKeyUsage()}:
 * index 0 = digitalSignature, 1 = nonRepudiation, 2 = keyEncipherment, 3 = dataEncipherment,
 * 4 = keyAgreement, 5 = keyCertSign, 6 = cRLSign, 7 = encipherOnly, 8 = decipherOnly.
 * Only the first nine elements are read; the JDK may return a longer array, and any
 * additional elements are ignored because {@link org.bouncycastle.jce.X509KeyUsage} has no
 * bit for them.
 *
 * @param sku key usage bit fields according to java.security.cert.X509Certificate#getKeyUsage,
 *            must be a boolean array with at least 9 elements; may be null.
 * @return key usage int according to org.bouncycastle.jce.X509KeyUsage#X509KeyUsage, or -1 if input is null.
 * @throws ArrayIndexOutOfBoundsException if {@code sku} has fewer than 9 elements.
 * @see java.security.cert.X509Certificate#getKeyUsage
 * @see org.bouncycastle.jce.X509KeyUsage#X509KeyUsage
 */
public static int sunKeyUsageToBC(boolean[] sku) {
    if (sku == null) {
        return -1;
    }
    // BC bit value for each JCA key usage index, in getKeyUsage() order.
    final int[] bcBitForIndex = {
        X509KeyUsage.digitalSignature,
        X509KeyUsage.nonRepudiation,
        X509KeyUsage.keyEncipherment,
        X509KeyUsage.dataEncipherment,
        X509KeyUsage.keyAgreement,
        X509KeyUsage.keyCertSign,
        X509KeyUsage.cRLSign,
        X509KeyUsage.encipherOnly,
        X509KeyUsage.decipherOnly,
    };
    int mask = 0;
    for (int i = 0; i < bcBitForIndex.length; i++) {
        if (sku[i]) {
            mask |= bcBitForIndex[i];
        }
    }
    return mask;
}
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeMultipleKeyIdRequestTest.java
License:Open Source License
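/**
 * Verifies CMP extension override behaviour for two key identifiers.
 *
 * A CRMF request carrying a custom extension set (SubjectAltName, KeyUsage=decipherOnly,
 * ExtendedKeyUsage=codeSigning, OCSP no-check, Netscape cert type and a private OID) is sent
 * twice. Protected with "KeyId2" the issued certificate must carry nonRepudiation only and none
 * of the requested extensions. Protected with "KeyId4", which according to the test's own
 * comments has full extension override, every requested extension must be present and the key
 * usage must be decipherOnly only.
 *
 * @throws Exception on any failure in request generation, transport or response parsing
 */
@Test
public void test07ExtensionOverride() throws Exception {
    byte[] nonce = CmpMessageHelper.createSenderNonce();
    byte[] transid = CmpMessageHelper.createSenderNonce();
    // Create some crazy extensions to see that we get them when using
    // extension override.
    // We should not get our values when not using extension override
    Extensions exts = buildOverrideExtensions();

    // First test without extension override
    PKIMessage one = genCertReq(this.issuerDN2, userDN2, this.keys, this.cacert2, nonce, transid, true, exts, null, null, null, null, null);
    PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, "KeyId2", 567);
    // Assert before dereferencing so a null message fails as an assertion, not an NPE
    assertNotNull(req);
    CertReqMessages ir = (CertReqMessages) req.getBody().getContent();
    int reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    // Send request and receive response
    byte[] resp = sendCmpTcp(derEncode(req), 5);
    checkCmpResponseGeneral(resp, this.issuerDN2, userDN2, this.cacert2, nonce, transid, false, PBEPASSWORD, PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    X509Certificate cert = checkCmpCertRepMessage(userDN2, this.cacert2, resp, reqId);
    String altNames = CertTools.getSubjectAlternativeName(cert);
    assertTrue(altNames.contains("dNSName=foo.bar.com"));
    // Check key usage that it is nonRepudiation for KeyId2
    assertOnlyKeyUsageBit(cert.getKeyUsage(), 1);
    // Our own ext should not be here
    assertNull(cert.getExtensionValue("1.1.1.1.1"));
    assertNull(cert.getExtensionValue("2.16.840.1.113730.1.1"));
    assertNull(cert.getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId()));
    // Skip confirmation message, we have tested that several times already
    //
    // Do the same with keyId4, that has full extension override
    one = genCertReq(this.issuerDN2, userDN2, this.keys, this.cacert2, nonce, transid, true, exts, null, null, null, null, null);
    req = protectPKIMessage(one, false, PBEPASSWORD, "KeyId4", 567);
    assertNotNull(req);
    ir = (CertReqMessages) req.getBody().getContent();
    reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    // Send request and receive response
    resp = sendCmpTcp(derEncode(req), 5);
    checkCmpResponseGeneral(resp, this.issuerDN2, userDN2, this.cacert2, nonce, transid, false, PBEPASSWORD, PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    cert = checkCmpCertRepMessage(userDN2, this.cacert2, resp, reqId);
    altNames = CertTools.getSubjectAlternativeName(cert);
    assertTrue(altNames.contains("dNSName=foo.bar.com"));
    // Check key usage that it is decipherOnly for KeyId4
    assertOnlyKeyUsageBit(cert.getKeyUsage(), 8);
    // With full extension override our own extensions must be present
    assertNotNull(cert.getExtensionValue("1.1.1.1.1"));
    assertNotNull(cert.getExtensionValue("2.16.840.1.113730.1.1"));
    assertNotNull(cert.getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId()));
    List<String> l = cert.getExtendedKeyUsage();
    assertEquals(1, l.size());
    assertEquals(KeyPurposeId.id_kp_codeSigning.getId(), l.get(0));
    // Skip confirmation message, we have tested that several times already
}

/**
 * Builds the extension set requested by this test: SubjectAltName, KeyUsage (decipherOnly),
 * ExtendedKeyUsage (codeSigning), OCSP no-check, Netscape cert type and a private OID.
 *
 * @return the generated {@link Extensions}
 * @throws Exception if an extension cannot be encoded
 */
private static Extensions buildOverrideExtensions() throws Exception {
    ExtensionsGenerator extgen = new ExtensionsGenerator();
    // SubjectAltName
    GeneralNames san = CertTools.getGeneralNamesFromAltName("dnsName=foo.bar.com");
    extgen.addExtension(Extension.subjectAlternativeName, false, san);
    // KeyUsage
    X509KeyUsage ku = new X509KeyUsage(X509KeyUsage.decipherOnly);
    extgen.addExtension(Extension.keyUsage, false, ku);
    // Extended Key Usage
    List<KeyPurposeId> usage = new ArrayList<KeyPurposeId>();
    usage.add(KeyPurposeId.id_kp_codeSigning);
    ExtendedKeyUsage eku = ExtendedKeyUsage.getInstance(usage);
    extgen.addExtension(Extension.extendedKeyUsage, false, eku);
    // OcspNoCheck
    extgen.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, DERNull.INSTANCE);
    // Netscape cert type
    extgen.addExtension(new ASN1ObjectIdentifier("2.16.840.1.113730.1.1"), false, new NetscapeCertType(NetscapeCertType.objectSigningCA));
    // My completely own
    extgen.addExtension(new ASN1ObjectIdentifier("1.1.1.1.1"), false, new DERIA5String("PrimeKey"));
    // Make the complete extension package
    return extgen.generate();
}

/**
 * DER-encodes a PKI message for transport.
 *
 * @param msg the message to encode
 * @return the DER encoding
 * @throws Exception if encoding fails
 */
private static byte[] derEncode(PKIMessage msg) throws Exception {
    ByteArrayOutputStream bao = new ByteArrayOutputStream();
    DEROutputStream out = new DEROutputStream(bao);
    out.writeObject(msg);
    return bao.toByteArray();
}

/**
 * Asserts that exactly one of the nine KeyUsage bits is set. Index layout follows
 * {@link X509Certificate#getKeyUsage()}: 0 = digitalSignature ... 8 = decipherOnly.
 *
 * @param kubits the KeyUsage bits of the certificate; fails if null (no extension)
 * @param expectedIndex the single index that must be true
 */
private static void assertOnlyKeyUsageBit(boolean[] kubits, int expectedIndex) {
    assertNotNull("certificate has no KeyUsage extension", kubits);
    for (int i = 0; i < 9; i++) {
        assertEquals("KeyUsage bit " + i, i == expectedIndex, kubits[i]);
    }
}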