/**
   * Add a given extension field for the standard extensions tag (tag 3) copying the extension value
   * from another certificate.
   *
   * @param oid the OID defining the extension type.
   * @param isCritical true if the copied extension is to be marked as critical, false otherwise.
   * @param certHolder the holder for the certificate that the extension is to be copied from.
   * @return this builder object.
   */
  public X509v3CertificateBuilder copyAndAddExtension(
      ASN1ObjectIdentifier oid, boolean isCritical, X509CertificateHolder certHolder) {
    X509CertificateStructure cert = certHolder.toASN1Structure();

    X509Extension extension = cert.getTBSCertificate().getExtensions().getExtension(oid);

    if (extension == null) {
      throw new NullPointerException("extension " + oid + " not present");
    }

    extGenerator.addExtension(oid, isCritical, extension.getValue().getOctets());

    return this;
  }
  private Set getExtensionOIDs(boolean critical) {
    X509Extensions extensions = cert.getAcinfo().getExtensions();

    if (extensions != null) {
      Set set = new HashSet();
      Enumeration e = extensions.oids();

      while (e.hasMoreElements()) {
        DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement();
        X509Extension ext = extensions.getExtension(oid);

        if (ext.isCritical() == critical) {
          set.add(oid.getId());
        }
      }

      return set;
    }

    return null;
  }
 private static boolean certHasPolicy(X509Certificate cert, String sOid) {
   try {
     if (m_logger.isDebugEnabled())
       m_logger.debug("Read cert policies: " + cert.getSerialNumber().toString());
     ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded());
     ASN1InputStream aIn = new ASN1InputStream(bIn);
     ASN1Sequence seq = (ASN1Sequence) aIn.readObject();
     X509CertificateStructure obj = new X509CertificateStructure(seq);
     TBSCertificateStructure tbsCert = obj.getTBSCertificate();
     if (tbsCert.getVersion() == 3) {
       X509Extensions ext = tbsCert.getExtensions();
       if (ext != null) {
         Enumeration en = ext.oids();
         while (en.hasMoreElements()) {
           DERObjectIdentifier oid = (DERObjectIdentifier) en.nextElement();
           X509Extension extVal = ext.getExtension(oid);
           ASN1OctetString oct = extVal.getValue();
           ASN1InputStream extIn = new ASN1InputStream(new ByteArrayInputStream(oct.getOctets()));
           // if (oid.equals(X509Extensions.CertificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
           // X509Extension.certificatePolicies
           if (oid.equals(X509Extension.certificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
             // X509Extension.certificatePolicies
             ASN1Sequence cp = (ASN1Sequence) extIn.readObject();
             for (int i = 0; i != cp.size(); i++) {
               PolicyInformation pol = PolicyInformation.getInstance(cp.getObjectAt(i));
               DERObjectIdentifier dOid = pol.getPolicyIdentifier();
               String soid2 = dOid.getId();
               if (m_logger.isDebugEnabled()) m_logger.debug("Policy: " + soid2);
               if (soid2.startsWith(sOid)) return true;
             }
           }
         }
       }
     }
   } catch (Exception ex) {
     m_logger.error("Error reading cert policies: " + ex);
   }
   return false;
 }
  public byte[] getExtensionValue(String oid) {
    X509Extensions extensions = cert.getAcinfo().getExtensions();

    if (extensions != null) {
      X509Extension ext = extensions.getExtension(new DERObjectIdentifier(oid));

      if (ext != null) {
        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
        DEROutputStream dOut = new DEROutputStream(bOut);

        try {
          dOut.writeObject(ext.getValue());

          return bOut.toByteArray();
        } catch (Exception e) {
          throw new RuntimeException("error encoding " + e.toString());
        }
      }
    }

    return null;
  }
Beispiel #5
0
  private static GSIConstants.CertificateType processCN(
      X509Extensions extensions, GSIConstants.CertificateType type, ASN1Sequence ava)
      throws CertificateException {
    X509Extension ext;
    String value = ((DERString) ava.getObjectAt(1)).getString();
    GSIConstants.CertificateType certType = type;
    if (value.equalsIgnoreCase("proxy")) {
      certType = GSIConstants.CertificateType.GSI_2_PROXY;
    } else if (value.equalsIgnoreCase("limited proxy")) {
      certType = GSIConstants.CertificateType.GSI_2_LIMITED_PROXY;
    } else if (extensions != null) {
      boolean gsi4 = true;
      // GSI_4
      ext = extensions.getExtension(ProxyCertInfo.OID);
      if (ext == null) {
        // GSI_3
        ext = extensions.getExtension(ProxyCertInfo.OLD_OID);
        gsi4 = false;
      }
      if (ext != null) {
        if (ext.isCritical()) {
          certType = processCriticalExtension(ext, gsi4);
        } else {
          String err = "proxyCertCritical";
          throw new CertificateException(err);
        }
      }
    }

    /**
     * FIXME: this looks like validation if (ProxyCertificateUtil.isProxy(type)) { X509NameHelper
     * iss = new X509NameHelper(crt.getIssuer());
     * iss.add((ASN1Set)BouncyCastleUtil.duplicate(entry)); X509Name issuer = iss.getAsName(); if
     * (!issuer.equals(subject)) { String err = i18n.getMessage("proxyDNErr"); throw new
     * CertificateException(err); } }
     */
    return certType;
  }
Beispiel #6
0
  public void performTest() throws Exception {
    String signDN = "O=Bouncy Castle, C=AU";
    KeyPair signKP = OCSPTestUtil.makeKeyPair();
    X509CertificateHolder testCert =
        new JcaX509CertificateHolder(OCSPTestUtil.makeCertificate(signKP, signDN, signKP, signDN));

    String origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
    GeneralName origName = new GeneralName(new X509Name(origDN));
    DigestCalculatorProvider digCalcProv =
        new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();

    //
    // general id value for our test issuer cert and a serial number.
    //
    CertificateID id =
        new CertificateID(
            digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1));

    //
    // basic request generation
    //
    OCSPReqBuilder gen = new OCSPReqBuilder();

    gen.addRequest(
        new CertificateID(
            digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));

    OCSPReq req = gen.build();

    if (req.isSigned()) {
      fail("signed but shouldn't be");
    }

    X509CertificateHolder[] certs = req.getCerts();

    if (certs.length != 0) {
      fail("0 certs expected, but not found");
    }

    Req[] requests = req.getRequestList();

    if (!requests[0].getCertID().equals(id)) {
      fail("Failed isFor test");
    }

    //
    // request generation with signing
    //
    X509CertificateHolder[] chain = new X509CertificateHolder[1];

    gen = new OCSPReqBuilder();

    gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred")));

    gen.addRequest(
        new CertificateID(
            digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));

    chain[0] = testCert;

    req =
        gen.build(
            new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(signKP.getPrivate()),
            chain);

    if (!req.isSigned()) {
      fail("not signed but should be");
    }

    if (!req.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
      fail("signature failed to verify");
    }

    requests = req.getRequestList();

    if (!requests[0].getCertID().equals(id)) {
      fail("Failed isFor test");
    }

    certs = req.getCerts();

    if (certs == null) {
      fail("null certs found");
    }

    if (certs.length != 1 || !certs[0].equals(testCert)) {
      fail("incorrect certs found in request");
    }

    //
    // encoding test
    //
    byte[] reqEnc = req.getEncoded();

    OCSPReq newReq = new OCSPReq(reqEnc);

    if (!newReq.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
      fail("newReq signature failed to verify");
    }

    //
    // request generation with signing and nonce
    //
    chain = new X509CertificateHolder[1];

    gen = new OCSPReqBuilder();

    Vector oids = new Vector();
    Vector values = new Vector();
    byte[] sampleNonce = new byte[16];
    Random rand = new Random();

    rand.nextBytes(sampleNonce);

    gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred")));

    oids.addElement(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    values.addElement(
        new X509Extension(false, new DEROctetString(new DEROctetString(sampleNonce))));

    gen.setRequestExtensions(new X509Extensions(oids, values));

    gen.addRequest(
        new CertificateID(
            digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));

    chain[0] = testCert;

    req =
        gen.build(
            new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(signKP.getPrivate()),
            chain);

    if (!req.isSigned()) {
      fail("not signed but should be");
    }

    if (!req.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
      fail("signature failed to verify");
    }

    //
    // extension check.
    //
    Set extOids = req.getCriticalExtensionOIDs();

    if (extOids.size() != 0) {
      fail("wrong number of critical extensions in OCSP request.");
    }

    extOids = req.getNonCriticalExtensionOIDs();

    if (extOids.size() != 1) {
      fail("wrong number of non-critical extensions in OCSP request.");
    }

    X509Extension ext = req.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);

    ASN1Encodable extObj = ext.getParsedValue();

    if (!(extObj instanceof ASN1OctetString)) {
      fail("wrong extension type found.");
    }

    if (!areEqual(((ASN1OctetString) extObj).getOctets(), sampleNonce)) {
      fail("wrong extension value found.");
    }

    //
    // request list check
    //
    requests = req.getRequestList();

    if (!requests[0].getCertID().equals(id)) {
      fail("Failed isFor test");
    }

    //
    // response parsing - test 1
    //
    OCSPResp response = new OCSPResp(testResp1);

    if (response.getStatus() != 0) {
      fail("response status not zero.");
    }

    BasicOCSPResp brep = (BasicOCSPResp) response.getResponseObject();
    chain = brep.getCerts();

    if (!brep.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider(BC).build(chain[0]))) {
      fail("response 1 failed to verify.");
    }

    //
    // test 2
    //
    SingleResp[] singleResp = brep.getResponses();

    response = new OCSPResp(testResp2);

    if (response.getStatus() != 0) {
      fail("response status not zero.");
    }

    brep = (BasicOCSPResp) response.getResponseObject();
    chain = brep.getCerts();

    if (!brep.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider(BC).build(chain[0]))) {
      fail("response 2 failed to verify.");
    }

    singleResp = brep.getResponses();

    //
    // simple response generation
    //
    OCSPRespBuilder respGen = new OCSPRespBuilder();
    OCSPResp resp = respGen.build(OCSPRespBuilder.SUCCESSFUL, response.getResponseObject());

    if (!resp.getResponseObject().equals(response.getResponseObject())) {
      fail("response fails to match");
    }

    testECDSA();
    testRSA();
    testIrregularVersionReq();
  }
Beispiel #7
0
 /**
  * Extracts the value of a certificate extension.
  *
  * @param ext the certificate extension to extract the value from.
  * @throws IOException if extraction fails.
  */
 public static DERObject getExtensionObject(X509Extension ext) throws IOException {
   return toDERObject(ext.getValue().getOctets());
 }
Beispiel #8
0
  /**
   * Creates a <code>BasicConstraints</code> object from given extension.
   *
   * @param ext the extension.
   * @return the <code>BasicConstraints</code> object.
   * @throws IOException if something fails.
   */
  public static BasicConstraints getBasicConstraints(X509Extension ext) throws IOException {

    ASN1Object object = X509Extension.convertValueToObject(ext);
    return BasicConstraints.getInstance(object);
  }