/**
* Returns certificate type of the given TBS certificate. <br>
* The certificate type is {@link org.globus.gsi.GSIGSIConstants.CertificateType#CA
* CertificateType.CA} <B>only</B> if the certificate contains a BasicConstraints extension and it
* is marked as CA.<br>
* A certificate is a GSI-2 proxy when the subject DN of the certificate ends with
* <I>"CN=proxy"</I> (certificate type {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_2_PROXY CertificateType.GSI_2_PROXY}) or
* <I>"CN=limited proxy"</I> (certificate type {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_2_LIMITED_PROXY
* CertificateType.LIMITED_PROXY}) component and the issuer DN of the certificate matches the
* subject DN without the last proxy <I>CN</I> component.<br>
* A certificate is a GSI-3 proxy when the subject DN of the certificate ends with a <I>CN</I>
* component, the issuer DN of the certificate matches the subject DN without the last <I>CN</I>
* component and the certificate contains {@link org.globus.security.proxyExtension.ProxyCertInfo
* ProxyCertInfo} critical extension. The certificate type is {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_IMPERSONATION_PROXY
* CertificateType.GSI_3_IMPERSONATION_PROXY} if the policy language of the {@link
* org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
* org.globus.security.proxyExtension.ProxyPolicy#IMPERSONATION ProxyPolicy.IMPERSONATION} OID.
* The certificate type is {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_LIMITED_PROXY
* CertificateType.GSI_3_LIMITED_PROXY} if the policy language of the {@link
* org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
* org.globus.security.proxyExtension.ProxyPolicy#LIMITED ProxyPolicy.LIMITED} OID. The
* certificate type is {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_INDEPENDENT_PROXY
* CertificateType.GSI_3_INDEPENDENT_PROXY} if the policy language of the {@link
* org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
* org.globus.security.proxyExtension.ProxyPolicy#INDEPENDENT ProxyPolicy.INDEPENDENT} OID. The
* certificate type is {@link
* org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_RESTRICTED_PROXY
* CertificateType.GSI_3_RESTRICTED_PROXY} if the policy language of the {@link
* org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to any other
* OID then the above.<br>
* The certificate type is {@link org.globus.gsi.GSIGSIConstants.CertificateType#EEC
* CertificateType.EEC} if the certificate is not a CA certificate or a GSI-2 or GSI-3 proxy.
*
* @param crt the TBS certificate to get the type of.
* @return the certificate type. The certificate type is determined by rules described above.
* @throws java.io.IOException if something goes wrong.
* @throws java.security.cert.CertificateException for proxy certificates, if the issuer DN of the
* certificate does not match the subject DN of the certificate without the last <I>CN</I>
* component. Also, for GSI-3 proxies when the <code>ProxyCertInfo</code> extension is not
* marked as critical.
*/
public static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt)
throws CertificateException, IOException {
X509Extensions extensions = crt.getExtensions();
X509Extension ext = null;
if (extensions != null) {
ext = extensions.getExtension(X509Extensions.BasicConstraints);
if (ext != null) {
BasicConstraints basicExt = getBasicConstraints(ext);
if (basicExt.isCA()) {
return GSIConstants.CertificateType.CA;
}
}
}
GSIConstants.CertificateType type = GSIConstants.CertificateType.EEC;
// does not handle multiple AVAs
X509Name subject = crt.getSubject();
ASN1Set entry = X509NameHelper.getLastNameEntry(subject);
ASN1Sequence ava = (ASN1Sequence) entry.getObjectAt(0);
if (X509Name.CN.equals(ava.getObjectAt(0))) {
type = processCN(extensions, type, ava);
}
return type;
}
public static boolean[] getKeyUsage(TBSCertificateStructure crt) throws IOException {
X509Extensions extensions = crt.getExtensions();
if (extensions == null) {
return new boolean[0];
}
X509Extension extension = extensions.getExtension(X509Extensions.KeyUsage);
return (extension != null) ? getKeyUsage(extension) : new boolean[0];
}
/**
* Return CA Path constraint
*
* @param crt
* @return
* @throws IOException
*/
public static int getCAPathConstraint(TBSCertificateStructure crt) throws IOException {
X509Extensions extensions = crt.getExtensions();
if (extensions == null) {
return -1;
}
X509Extension proxyExtension = extensions.getExtension(X509Extensions.BasicConstraints);
if (proxyExtension != null) {
BasicConstraints basicExt = getBasicConstraints(proxyExtension);
if (basicExt.isCA()) {
BigInteger pathLen = basicExt.getPathLenConstraint();
return (pathLen == null) ? Integer.MAX_VALUE : pathLen.intValue();
} else {
return -1;
}
}
return -1;
}
private Set getExtensionOIDs(boolean critical) {
X509Extensions extensions = cert.getAcinfo().getExtensions();
if (extensions != null) {
Set set = new HashSet();
Enumeration e = extensions.oids();
while (e.hasMoreElements()) {
DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement();
X509Extension ext = extensions.getExtension(oid);
if (ext.isCritical() == critical) {
set.add(oid.getId());
}
}
return set;
}
return null;
}
private static boolean certHasPolicy(X509Certificate cert, String sOid) {
try {
if (m_logger.isDebugEnabled())
m_logger.debug("Read cert policies: " + cert.getSerialNumber().toString());
ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded());
ASN1InputStream aIn = new ASN1InputStream(bIn);
ASN1Sequence seq = (ASN1Sequence) aIn.readObject();
X509CertificateStructure obj = new X509CertificateStructure(seq);
TBSCertificateStructure tbsCert = obj.getTBSCertificate();
if (tbsCert.getVersion() == 3) {
X509Extensions ext = tbsCert.getExtensions();
if (ext != null) {
Enumeration en = ext.oids();
while (en.hasMoreElements()) {
DERObjectIdentifier oid = (DERObjectIdentifier) en.nextElement();
X509Extension extVal = ext.getExtension(oid);
ASN1OctetString oct = extVal.getValue();
ASN1InputStream extIn = new ASN1InputStream(new ByteArrayInputStream(oct.getOctets()));
// if (oid.equals(X509Extensions.CertificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
// X509Extension.certificatePolicies
if (oid.equals(X509Extension.certificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
// X509Extension.certificatePolicies
ASN1Sequence cp = (ASN1Sequence) extIn.readObject();
for (int i = 0; i != cp.size(); i++) {
PolicyInformation pol = PolicyInformation.getInstance(cp.getObjectAt(i));
DERObjectIdentifier dOid = pol.getPolicyIdentifier();
String soid2 = dOid.getId();
if (m_logger.isDebugEnabled()) m_logger.debug("Policy: " + soid2);
if (soid2.startsWith(sOid)) return true;
}
}
}
}
}
} catch (Exception ex) {
m_logger.error("Error reading cert policies: " + ex);
}
return false;
}
public byte[] getExtensionValue(String oid) {
X509Extensions extensions = cert.getAcinfo().getExtensions();
if (extensions != null) {
X509Extension ext = extensions.getExtension(new DERObjectIdentifier(oid));
if (ext != null) {
ByteArrayOutputStream bOut = new ByteArrayOutputStream();
DEROutputStream dOut = new DEROutputStream(bOut);
try {
dOut.writeObject(ext.getValue());
return bOut.toByteArray();
} catch (Exception e) {
throw new RuntimeException("error encoding " + e.toString());
}
}
}
return null;
}
private static GSIConstants.CertificateType processCN(
X509Extensions extensions, GSIConstants.CertificateType type, ASN1Sequence ava)
throws CertificateException {
X509Extension ext;
String value = ((DERString) ava.getObjectAt(1)).getString();
GSIConstants.CertificateType certType = type;
if (value.equalsIgnoreCase("proxy")) {
certType = GSIConstants.CertificateType.GSI_2_PROXY;
} else if (value.equalsIgnoreCase("limited proxy")) {
certType = GSIConstants.CertificateType.GSI_2_LIMITED_PROXY;
} else if (extensions != null) {
boolean gsi4 = true;
// GSI_4
ext = extensions.getExtension(ProxyCertInfo.OID);
if (ext == null) {
// GSI_3
ext = extensions.getExtension(ProxyCertInfo.OLD_OID);
gsi4 = false;
}
if (ext != null) {
if (ext.isCritical()) {
certType = processCriticalExtension(ext, gsi4);
} else {
String err = "proxyCertCritical";
throw new CertificateException(err);
}
}
}
/**
* FIXME: this looks like validation if (ProxyCertificateUtil.isProxy(type)) { X509NameHelper
* iss = new X509NameHelper(crt.getIssuer());
* iss.add((ASN1Set)BouncyCastleUtil.duplicate(entry)); X509Name issuer = iss.getAsName(); if
* (!issuer.equals(subject)) { String err = i18n.getMessage("proxyDNErr"); throw new
* CertificateException(err); } }
*/
return certType;
}
