  /**
   * Determines the certificate type of the given TBS certificate.
   *
   * <p>The certificate type is {@link org.globus.gsi.GSIConstants.CertificateType#CA
   * CertificateType.CA} <b>only</b> if the certificate carries a BasicConstraints extension whose
   * cA flag is set; this check takes precedence over any proxy-style subject.
   *
   * <p>A certificate is a GSI-2 proxy when the subject DN ends with a <i>"CN=proxy"</i> component
   * (type {@link org.globus.gsi.GSIConstants.CertificateType#GSI_2_PROXY
   * CertificateType.GSI_2_PROXY}) or a <i>"CN=limited proxy"</i> component (type {@link
   * org.globus.gsi.GSIConstants.CertificateType#GSI_2_LIMITED_PROXY
   * CertificateType.GSI_2_LIMITED_PROXY}) and the issuer DN equals the subject DN without that last
   * proxy <i>CN</i> component.
   *
   * <p>A certificate is a GSI-3 proxy when the subject DN ends with a <i>CN</i> component, the
   * issuer DN equals the subject DN without that last <i>CN</i> component, and the certificate
   * carries a critical {@link org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo}
   * extension. The policy language of that extension then selects the type:
   * {@link org.globus.security.proxyExtension.ProxyPolicy#IMPERSONATION ProxyPolicy.IMPERSONATION}
   * gives {@link org.globus.gsi.GSIConstants.CertificateType#GSI_3_IMPERSONATION_PROXY
   * CertificateType.GSI_3_IMPERSONATION_PROXY},
   * {@link org.globus.security.proxyExtension.ProxyPolicy#LIMITED ProxyPolicy.LIMITED} gives
   * {@link org.globus.gsi.GSIConstants.CertificateType#GSI_3_LIMITED_PROXY
   * CertificateType.GSI_3_LIMITED_PROXY},
   * {@link org.globus.security.proxyExtension.ProxyPolicy#INDEPENDENT ProxyPolicy.INDEPENDENT}
   * gives {@link org.globus.gsi.GSIConstants.CertificateType#GSI_3_INDEPENDENT_PROXY
   * CertificateType.GSI_3_INDEPENDENT_PROXY}, and any other OID gives
   * {@link org.globus.gsi.GSIConstants.CertificateType#GSI_3_RESTRICTED_PROXY
   * CertificateType.GSI_3_RESTRICTED_PROXY}.
   *
   * <p>Everything that is neither a CA nor a GSI-2/GSI-3 proxy is
   * {@link org.globus.gsi.GSIConstants.CertificateType#EEC CertificateType.EEC}.
   *
   * <p>Only the first AVA of the subject's last RDN is inspected; multi-valued RDNs are not handled.
   *
   * @param crt the TBS certificate to classify.
   * @return the certificate type, determined by the rules above.
   * @throws java.io.IOException if an extension cannot be decoded.
   * @throws java.security.cert.CertificateException for proxy certificates whose issuer DN does not
   *     match the subject DN without the last <i>CN</i> component, and for GSI-3 proxies whose
   *     <code>ProxyCertInfo</code> extension is not marked critical.
   */
  public static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt)
      throws CertificateException, IOException {

    X509Extensions extensions = crt.getExtensions();

    // BasicConstraints with cA=TRUE wins over anything the subject name might suggest.
    if (extensions != null) {
      X509Extension bcExt = extensions.getExtension(X509Extensions.BasicConstraints);
      if (bcExt != null && getBasicConstraints(bcExt).isCA()) {
        return GSIConstants.CertificateType.CA;
      }
    }

    // Only the first AVA of the last RDN is examined (multiple AVAs per RDN are not handled).
    X509Name subject = crt.getSubject();
    ASN1Set lastRdn = X509NameHelper.getLastNameEntry(subject);
    ASN1Sequence firstAva = (ASN1Sequence) lastRdn.getObjectAt(0);

    boolean endsWithCn = X509Name.CN.equals(firstAva.getObjectAt(0));
    return endsWithCn
        ? processCN(extensions, GSIConstants.CertificateType.EEC, firstAva)
        : GSIConstants.CertificateType.EEC;
  }
 /**
  * Returns the decoded KeyUsage bits of the given TBS certificate.
  *
  * @param crt the TBS certificate to read the KeyUsage extension from.
  * @return the key-usage flags decoded from the extension, or an empty array when the certificate
  *     has no extensions or no KeyUsage extension.
  * @throws IOException if the KeyUsage extension cannot be decoded.
  */
 public static boolean[] getKeyUsage(TBSCertificateStructure crt) throws IOException {
   X509Extensions extensions = crt.getExtensions();
   X509Extension keyUsageExt =
       (extensions == null) ? null : extensions.getExtension(X509Extensions.KeyUsage);
   if (keyUsageExt == null) {
     // Absent extension is reported as "no usage bits", not as null.
     return new boolean[0];
   }
   return getKeyUsage(keyUsageExt);
 }
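 /**
  * Builds a CMS {@code KeyTransRecipientInfo} for one recipient certificate by encrypting the
  * given bytes (presumably the content-encryption key) under the recipient's public key.
  *
  * <p>The recipient is identified by issuer name and serial number taken from the certificate's
  * TBS structure; the key-encryption algorithm identifier is the certificate's subject-public-key
  * algorithm.
  *
  * @param x509certificate the recipient certificate whose public key encrypts {@code abyte0}.
  * @param abyte0 the bytes to encrypt for this recipient.
  * @return the recipient info carrying the encrypted bytes.
  * @throws GeneralSecurityException if the cipher cannot be obtained or initialised, or encryption
  *     fails.
  * @throws IOException if the certificate's TBS structure cannot be parsed.
  */
 private KeyTransRecipientInfo computeRecipientInfo(X509Certificate x509certificate, byte[] abyte0)
     throws GeneralSecurityException, IOException {
   TBSCertificateStructure tbs;
   ASN1InputStream asn1In =
       new ASN1InputStream(new ByteArrayInputStream(x509certificate.getTBSCertificate()));
   try {
     tbs = TBSCertificateStructure.getInstance(asn1In.readObject());
   } finally {
     asn1In.close();
   }
   AlgorithmIdentifier keyEncAlg = tbs.getSubjectPublicKeyInfo().getAlgorithmId();
   IssuerAndSerialNumber issuerAndSerial =
       new IssuerAndSerialNumber(tbs.getIssuer(), tbs.getSerialNumber().getValue());

   // The transformation is the bare key-algorithm OID, so mode and padding are whatever the
   // provider maps that OID to (for rsaEncryption this is commonly PKCS#1 v1.5).
   // NOTE(review): confirm the decrypting side expects the same padding.
   Cipher cipher = Cipher.getInstance(keyEncAlg.getObjectId().getId());
   cipher.init(Cipher.ENCRYPT_MODE, x509certificate.getPublicKey()); // was the magic constant 1
   DEROctetString encryptedBytes = new DEROctetString(cipher.doFinal(abyte0));

   RecipientIdentifier recipientId = new RecipientIdentifier(issuerAndSerial);
   return new KeyTransRecipientInfo(recipientId, keyEncAlg, encryptedBytes);
 }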
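 /**
  * Checks whether the certificate carries a certificate-policies extension with a policy OID that
  * starts with {@code sOid}.
  *
  * <p>Only version-3 certificates are inspected (extensions are a v3 feature). The comparison is a
  * plain string prefix match, so {@code "1.2.3.4"} also matches {@code "1.2.3.45"}; callers that
  * need an exact match must compare the full OID themselves.
  *
  * <p>Any parsing problem is logged and reported as "no such policy", so a malformed certificate
  * is never mistaken for one that carries the policy.
  *
  * @param cert the certificate to inspect.
  * @param sOid the policy OID, or OID prefix, to look for.
  * @return {@code true} if some policy identifier starts with {@code sOid}; {@code false} otherwise
  *     or if the certificate cannot be parsed.
  */
 private static boolean certHasPolicy(X509Certificate cert, String sOid) {
   try {
     if (m_logger.isDebugEnabled()) {
       m_logger.debug("Read cert policies: " + cert.getSerialNumber().toString());
     }
     ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(cert.getEncoded()));
     ASN1Sequence seq;
     try {
       seq = (ASN1Sequence) aIn.readObject();
     } finally {
       aIn.close();
     }
     TBSCertificateStructure tbsCert = new X509CertificateStructure(seq).getTBSCertificate();
     if (tbsCert.getVersion() != 3) {
       return false;
     }
     X509Extensions ext = tbsCert.getExtensions();
     if (ext == null) {
       return false;
     }
     // With BC 1.46 / JDK 1.6 the constant lives on X509Extension (older BC: X509Extensions).
     X509Extension policiesExt = ext.getExtension(X509Extension.certificatePolicies);
     if (policiesExt == null) {
       return false;
     }
     ASN1InputStream extIn =
         new ASN1InputStream(new ByteArrayInputStream(policiesExt.getValue().getOctets()));
     ASN1Sequence policies;
     try {
       policies = (ASN1Sequence) extIn.readObject();
     } finally {
       extIn.close();
     }
     for (int i = 0; i != policies.size(); i++) {
       PolicyInformation pol = PolicyInformation.getInstance(policies.getObjectAt(i));
       String policyOid = pol.getPolicyIdentifier().getId();
       if (m_logger.isDebugEnabled()) {
         m_logger.debug("Policy: " + policyOid);
       }
       // Prefix match, deliberately kept: "1.2.3.4" matches "1.2.3.4.1" but also "1.2.3.45".
       if (policyOid.startsWith(sOid)) {
         return true;
       }
     }
   } catch (Exception ex) {
     // Broad catch on purpose: malformed DER surfaces as ClassCastException/NullPointerException
     // as well as IOException/CertificateEncodingException. Pass the throwable so the stack trace
     // is kept rather than only ex.toString().
     m_logger.error("Error reading cert policies: " + ex, ex);
   }
   return false;
 }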
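  /**
   * Returns the CA path-length constraint of the given TBS certificate.
   *
   * @param crt the TBS certificate to read the BasicConstraints extension from.
   * @return {@code -1} if the certificate has no extensions, no BasicConstraints extension, or is
   *     not marked as a CA; {@link Integer#MAX_VALUE} if it is a CA without a pathLenConstraint (or
   *     with one too large to fit an {@code int}); otherwise the encoded pathLenConstraint.
   * @throws IOException if the BasicConstraints extension cannot be decoded.
   */
  public static int getCAPathConstraint(TBSCertificateStructure crt) throws IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions == null) {
      return -1;
    }
    X509Extension bcExt = extensions.getExtension(X509Extensions.BasicConstraints);
    if (bcExt == null) {
      return -1;
    }
    BasicConstraints basicExt = getBasicConstraints(bcExt);
    if (!basicExt.isCA()) {
      return -1;
    }
    BigInteger pathLen = basicExt.getPathLenConstraint();
    if (pathLen == null) {
      // cA=TRUE without pathLenConstraint: the path length is unbounded.
      return Integer.MAX_VALUE;
    }
    // intValue() would silently truncate a value wider than 32 bits to an arbitrary, possibly
    // negative, number; treat anything above Integer.MAX_VALUE as "unbounded" instead.
    if (pathLen.compareTo(BigInteger.valueOf(Integer.MAX_VALUE)) > 0) {
      return Integer.MAX_VALUE;
    }
    // NOTE(review): a negative encoded value (invalid per X.509) is still passed through as-is.
    return pathLen.intValue();
  }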
 /**
  * Decodes the TBS (to-be-signed) part of an X.509 certificate into a BouncyCastle structure.
  *
  * @param cert the certificate whose TBS part is wanted.
  * @return the decoded TBS certificate structure.
  * @throws CertificateEncodingException if the certificate's TBS bytes cannot be obtained.
  * @throws IOException if the TBS bytes cannot be decoded.
  */
 public static TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert)
     throws CertificateEncodingException, IOException {
   byte[] tbsBytes = cert.getTBSCertificate();
   return TBSCertificateStructure.getInstance(toDERObject(tbsBytes));
 }