List of usage examples for org.bouncycastle.x509.extension X509ExtensionUtil fromExtensionValue
public static ASN1Primitive fromExtensionValue(byte[] encodedValue) throws IOException
From source file:be.fedict.trust.linker.PublicKeyTrustLinker.java
License:Open Source License
private boolean isCa(X509Certificate certificate) { byte[] basicConstraintsValue = certificate.getExtensionValue(Extension.basicConstraints.getId()); if (null == basicConstraintsValue) { return false; }/*from w w w. j av a 2 s . c om*/ ASN1Encodable basicConstraintsDecoded; try { basicConstraintsDecoded = X509ExtensionUtil.fromExtensionValue(basicConstraintsValue); } catch (IOException e) { LOG.error("IO error", e); return false; } if (false == basicConstraintsDecoded instanceof ASN1Sequence) { LOG.debug("basic constraints extension is not an ASN1 sequence"); return false; } ASN1Sequence basicConstraintsSequence = (ASN1Sequence) basicConstraintsDecoded; BasicConstraints basicConstraints = BasicConstraints.getInstance(basicConstraintsSequence); return basicConstraints.isCA(); }
From source file:be.fedict.trust.PublicKeyTrustLinker.java
License:Open Source License
private boolean isCa(X509Certificate certificate) { byte[] basicConstraintsValue = certificate.getExtensionValue(X509Extensions.BasicConstraints.getId()); if (null == basicConstraintsValue) { return false; }/*from ww w .j a v a 2 s . c om*/ ASN1Encodable basicConstraintsDecoded; try { basicConstraintsDecoded = X509ExtensionUtil.fromExtensionValue(basicConstraintsValue); } catch (IOException e) { LOG.error("IO error", e); return false; } if (false == basicConstraintsDecoded instanceof ASN1Sequence) { LOG.debug("basic constraints extension is not an ASN1 sequence"); return false; } ASN1Sequence basicConstraintsSequence = (ASN1Sequence) basicConstraintsDecoded; BasicConstraints basicConstraints = BasicConstraints.getInstance(basicConstraintsSequence); return basicConstraints.isCA(); }
From source file:be.fedict.trust.service.bean.HarvesterMDB.java
License:Open Source License
/** * Returns if the specified CRL is indirect. * // w w w . j a v a 2 s .co m * @param crl * the CRL * @return true or false * @throws CRLException * something went wrong reading the * {@link org.bouncycastle.asn1.x509.IssuingDistributionPoint}. */ private boolean isIndirectCRL(X509CRL crl) throws CRLException { byte[] idp = crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId()); boolean isIndirect = false; try { if (idp != null) { isIndirect = IssuingDistributionPoint.getInstance(X509ExtensionUtil.fromExtensionValue(idp)) .isIndirectCRL(); } } catch (Exception e) { throw new CRLException("Exception reading IssuingDistributionPoint", e); } return isIndirect; }
From source file:chapter7.X509CRLExample.java
/** * * @param args/* w ww . ja v a 2 s .com*/ * @throws java.lang.Exception */ public static void main(String[] args) throws Exception { //1.- Create CA keys and certificate KeyPair caPair = Utils.generateRSAKeyPair(); X509Certificate caCert = Utils.generateRootCert(caPair); BigInteger revokedSerialNumber = BigInteger.valueOf(2); //2.- Create a CRL revoking certificate number 2 final X509CRL crl = createCRL(caCert, caPair.getPrivate(), revokedSerialNumber); //3.- Verify the CRL crl.verify(caCert.getPublicKey(), CryptoDefs.Provider.BC.getName()); //4.- Check if the CRL revokes certificate number 2 final X509CRLEntry entry = crl.getRevokedCertificate(revokedSerialNumber); System.out.println("Revocation details:"); System.out.println(" Certificate number: " + entry.getSerialNumber()); System.out.println(" Issuer : " + crl.getIssuerX500Principal()); if (entry.hasExtensions() == true) { byte[] ext = entry.getExtensionValue(X509Extensions.ReasonCode.getId()); if (ext != null) { DEREnumerated reasonCode = (DEREnumerated) X509ExtensionUtil.fromExtensionValue(ext); System.out.println(" Reason Code : " + reasonCode.getValue()); } } }
From source file:com.viettel.hqmc.DAO.FilesDAO.java
private static String getOcspUrl(X509Certificate certificate) throws Exception { byte[] octetBytes = certificate.getExtensionValue(X509Extension.authorityInfoAccess.getId()); DLSequence dlSequence = null;// w ww.ja v a 2 s .c om ASN1Encodable asn1Encodable = null; try { ASN1Primitive fromExtensionValue = X509ExtensionUtil.fromExtensionValue(octetBytes); if (!(fromExtensionValue instanceof DLSequence)) { return null; } dlSequence = (DLSequence) fromExtensionValue; for (int i = 0; i < dlSequence.size(); i++) { asn1Encodable = dlSequence.getObjectAt(i); if (!(asn1Encodable instanceof DLSequence)) { break; } } if (!(asn1Encodable instanceof DLSequence)) { return null; } dlSequence = (DLSequence) asn1Encodable; for (int i = 0; i < dlSequence.size(); i++) { asn1Encodable = dlSequence.getObjectAt(i); if (asn1Encodable instanceof DERTaggedObject) { break; } } if (!(asn1Encodable instanceof DERTaggedObject)) { return null; } DERTaggedObject derTaggedObject = (DERTaggedObject) asn1Encodable; byte[] encoded = derTaggedObject.getEncoded(); if (derTaggedObject.getTagNo() == 6) { int len = encoded[1]; return new String(encoded, 2, len); } } catch (IOException ex) { LogUtil.addLog(ex);//binhnt sonar a160901 } return null; }
From source file:com.yacme.ext.oxsit.cust_it.security.crl.OCSPQuery.java
License:Open Source License
/** * Execute OCSP query using HTTP connection from issuer certificate * and verify respone//from w w w .ja v a2 s . c o m * * @throws OCSPQueryException */ public void execute() throws OCSPQueryException { try { // Obtain URL from OCSP Responder Extension // byte[] ocspext = issuercert.getExtensionValue("1.3.6.1.5.5.7.1.1"); byte[] ocspext = m_UserCert.getExtensionValue("1.3.6.1.5.5.7.1.1"); ASN1Sequence asn1 = (ASN1Sequence) X509ExtensionUtil.fromExtensionValue(ocspext); asn1 = (ASN1Sequence) asn1.getObjectAt(0); ASN1TaggedObject tasn1 = (ASN1TaggedObject) asn1.getObjectAt(1); DEROctetString ostr = (DEROctetString) tasn1.getObject(); String urlstr = new String(ostr.getOctets()); ocspResponse = post(urlstr, getRequest()); decodeResponse(ocspResponse); } catch (OCSPQueryException e) { throw e; } catch (NullPointerException e) { //means the we don'yt have OCSP or is malformed, //we'll fallover to CRL throw e; } catch (Exception e) { throw new OCSPQueryException("OCSP.execute() error: " + e); } }
From source file:dk.itst.oiosaml.sp.metadata.CRLChecker.java
License:Mozilla Public License
/** * Get an URL to use when downloading CRL * //w w w .ja va2 s .c o m * @param conf * @param entityId * @param certificate * @return the URL to use */ private String getCRLUrl(Configuration conf, String entityId, X509Certificate certificate) { String url = conf.getString(Constants.PROP_CRL + entityId); if (url != null) { return url; } log.debug("No CRL configured for " + entityId + " attempting to extract distribution point from certificate " + certificate.getSubjectDN()); byte[] val = certificate.getExtensionValue("2.5.29.31"); if (val != null) { try { CRLDistPoint point = CRLDistPoint.getInstance(X509ExtensionUtil.fromExtensionValue(val)); for (DistributionPoint dp : point.getDistributionPoints()) { if (dp.getDistributionPoint() == null) continue; if (dp.getDistributionPoint().getName() instanceof GeneralNames) { GeneralNames gn = (GeneralNames) dp.getDistributionPoint().getName(); for (GeneralName g : gn.getNames()) { if (g.getName() instanceof DERIA5String) { url = ((DERIA5String) g.getName()).getString(); } } } } } catch (IOException e) { log.debug("Cannot extract distribution point for certificate.", e); throw new RuntimeException(e); } } return url; }
From source file:ec.rubrica.util.CertificateUtils.java
License:Open Source License
public static String crlURLFromCert(X509Certificate cert) { /*//from www .j av a 2 s . c o m * Return the crlDistributionPoints extension from a certificate */ String url; try { url = CRLDistPoint .getInstance(X509ExtensionUtil.fromExtensionValue( cert.getExtensionValue(X509Extension.cRLDistributionPoints.getId()))) .getDistributionPoints()[0].getDistributionPoint().getName().toASN1Primitive().toString(); return url.substring(4, url.length() - 1); } catch (IOException e) { e.printStackTrace(); return null; } }
From source file:ec.rubrica.util.CertificateUtils.java
License:Open Source License
public static String ocspURLFromCert(X509Certificate cert) { /*//www. j a va 2 s . co m * Return the OCSP Responder address contained in the certificate More * precisely the it is contained in the authorityInfoAccess extension */ try { return AuthorityInformationAccess .getInstance(X509ExtensionUtil .fromExtensionValue(cert.getExtensionValue(X509Extension.authorityInfoAccess.getId()))) .getAccessDescriptions()[0].getAccessLocation().getName().toASN1Primitive().toString() .split("://")[1]; } catch (Exception e) { return null; } }
From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.FixedBCPKIXCertPathReviewer.java
License:Open Source License
private void checkSignatures() { // 1.6.1 - Inputs // d)//from www .j a v a 2 s. c o m TrustAnchor trust = null; X500Principal trustPrincipal = null; // validation date { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certPathValidDate", new Object[] { new TrustedInput(validDate), new TrustedInput(new Date()) }); addNotification(msg); } // find trust anchors try { X509Certificate cert = (X509Certificate) certs.get(certs.size() - 1); Collection trustColl = getTrustAnchors(cert, pkixParams.getTrustAnchors()); if (trustColl.size() > 1) { // conflicting trust anchors ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.conflictingTrustAnchors", new Object[] { new Integer(trustColl.size()), new UntrustedInput(cert.getIssuerX500Principal()) }); addError(msg); } else if (trustColl.isEmpty()) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noTrustAnchorFound", new Object[] { new UntrustedInput(cert.getIssuerX500Principal()), new Integer(pkixParams.getTrustAnchors().size()) }); addError(msg); } else { PublicKey trustPublicKey; trust = (TrustAnchor) trustColl.iterator().next(); if (trust.getTrustedCert() != null) { trustPublicKey = trust.getTrustedCert().getPublicKey(); } else { trustPublicKey = trust.getCAPublicKey(); } try { CertPathValidatorUtilities.verifyX509Certificate(cert, trustPublicKey, pkixParams.getSigProvider()); } catch (SignatureException e) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustButInvalidCert"); addError(msg); } catch (Exception e) { // do nothing, error occurs again later } } } catch (CertPathReviewerException cpre) { addError(cpre.getErrorMessage()); } catch (Throwable t) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.unknown", new Object[] { new UntrustedInput(t.getMessage()), new UntrustedInput(t) }); addError(msg); } if (trust != null) { // get the name of the trustAnchor X509Certificate sign = trust.getTrustedCert(); try { if (sign != null) { trustPrincipal = getSubjectPrincipal(sign); } else { trustPrincipal = new X500Principal(trust.getCAName()); } } catch (IllegalArgumentException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustDNInvalid", new Object[] { new UntrustedInput(trust.getCAName()) }); addError(msg); } // test key usages of the trust anchor if (sign != null) { boolean[] ku = sign.getKeyUsage(); if (ku != null && !ku[5]) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustKeyUsage"); addNotification(msg); } } } // 1.6.2 - Initialization PublicKey workingPublicKey = null; X500Principal workingIssuerName = trustPrincipal; X509Certificate sign = null; if (trust != null) { sign = trust.getTrustedCert(); if (sign != null) { workingPublicKey = sign.getPublicKey(); } else { workingPublicKey = trust.getCAPublicKey(); } try { getAlgorithmIdentifier(workingPublicKey); } catch (CertPathValidatorException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustPubKeyError"); addError(msg); } } // Basic cert checks X509Certificate cert = null; int i; for (int index = certs.size() - 1; index >= 0; index--) { // // i as defined in the algorithm description // i = n - index; // // set certificate to be checked in this round // sign and workingPublicKey and workingIssuerName are set // at the end of the for loop and initialied the // first time from the TrustAnchor // cert = (X509Certificate) certs.get(index); // verify signature if (workingPublicKey != null) { try { CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey, pkixParams.getSigProvider()); } catch (GeneralSecurityException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.signatureNotVerified", new Object[] { ex.getMessage(), ex, ex.getClass().getName() }); addError(msg, index); } } else if (isSelfIssued(cert)) { try { CertPathValidatorUtilities.verifyX509Certificate(cert, cert.getPublicKey(), pkixParams.getSigProvider()); ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.rootKeyIsValidButNotATrustAnchor"); addError(msg, index); } catch (GeneralSecurityException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.signatureNotVerified", new Object[] { ex.getMessage(), ex, ex.getClass().getName() }); addError(msg, index); } } else { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.NoIssuerPublicKey"); // if there is an authority key extension add the serial and issuer of the missing certificate byte[] akiBytes = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId()); if (akiBytes != null) { try { AuthorityKeyIdentifier aki = AuthorityKeyIdentifier .getInstance(X509ExtensionUtil.fromExtensionValue(akiBytes)); GeneralNames issuerNames = aki.getAuthorityCertIssuer(); if (issuerNames != null) { GeneralName name = issuerNames.getNames()[0]; BigInteger serial = aki.getAuthorityCertSerialNumber(); if (serial != null) { Object[] extraArgs = { new LocaleString(RESOURCE_NAME, "missingIssuer"), " \"", name, "\" ", new LocaleString(RESOURCE_NAME, "missingSerial"), " ", serial }; msg.setExtraArguments(extraArgs); } } } catch (IOException e) { // ignore } } addError(msg, index); } // certificate valid? try { cert.checkValidity(validDate); } catch (CertificateNotYetValidException cnve) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certificateNotYetValid", new Object[] { new TrustedInput(cert.getNotBefore()) }); addError(msg, index); } catch (CertificateExpiredException cee) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certificateExpired", new Object[] { new TrustedInput(cert.getNotAfter()) }); addError(msg, index); } // certificate revoked? if (pkixParams.isRevocationEnabled()) { try { checkRevocation(pkixParams, cert, validDate, sign, workingPublicKey); } catch (SimpleValidationErrorException e) { addError(e, index); } } // certificate issuer correct if (workingIssuerName != null && !cert.getIssuerX500Principal().equals(workingIssuerName)) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certWrongIssuer", new Object[] { workingIssuerName.getName(), cert.getIssuerX500Principal().getName() }); addError(msg, index); } // // prepare for next certificate // if (i != n) { if (cert != null && cert.getVersion() == 1) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCACert"); addError(msg, index); } // k) BasicConstraints bc; try { bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS)); if (bc != null) { if (!bc.isCA()) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCACert"); addError(msg, index); } } else { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noBasicConstraints"); addError(msg, index); } } catch (AnnotatedException ae) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.errorProcesingBC"); addError(msg, index); } // n) boolean[] _usage = cert.getKeyUsage(); if ((_usage != null) && !_usage[KEY_CERT_SIGN]) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCertSign"); addError(msg, index); } } // if // set signing certificate for next round sign = cert; // c) workingIssuerName = cert.getSubjectX500Principal(); // d) e) f) try { workingPublicKey = getNextWorkingKey(certs, index); getAlgorithmIdentifier(workingPublicKey); } catch (CertPathValidatorException ex) { ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.pubKeyError"); addError(msg, index); } } // for trustAnchor = trust; subjectPublicKey = workingPublicKey; }