  /**
   * Determines the GSI certificate type of a TBS certificate.
   *
   * <p>Rules, in the order they are applied:
   * <ol>
   *   <li>{@code CertificateType.CA} if a BasicConstraints extension is present and asserts cA;
   *       this wins over every other rule.</li>
   *   <li>Otherwise the first AVA of the subject's last RDN is examined (multi-valued RDNs are
   *       not handled). If it is a {@code CN}, classification is delegated to {@code processCN}:
   *       {@code CN=proxy} gives {@code GSI_2_PROXY}, {@code CN=limited proxy} gives
   *       {@code GSI_2_LIMITED_PROXY}, and any other CN together with a critical ProxyCertInfo
   *       extension (current or legacy OID) gives the GSI-3/GSI-4 proxy type chosen by
   *       {@code processCriticalExtension} from the extension's policy language.</li>
   *   <li>{@code CertificateType.EEC} in every other case.</li>
   * </ol>
   *
   * <p>This method does <b>not</b> verify that the issuer DN equals the subject DN minus the
   * trailing CN; that check is commented out in {@code processCN} (see its FIXME). The result is
   * a structural classification only and must not be taken as proof of a valid proxy chain.
   *
   * @param crt the TBS certificate to classify; its subject is assumed to contain at least one RDN
   * @return the certificate type according to the rules above
   * @throws IOException if an extension cannot be decoded
   * @throws CertificateException if a ProxyCertInfo extension is present but not marked critical
   */
  public static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt)
      throws CertificateException, IOException {
    X509Extensions exts = crt.getExtensions();

    // A BasicConstraints extension asserting cA takes precedence over every other rule.
    if (exts != null) {
      X509Extension bcExt = exts.getExtension(X509Extensions.BasicConstraints);
      if (bcExt != null && getBasicConstraints(bcExt).isCA()) {
        return GSIConstants.CertificateType.CA;
      }
    }

    // Only the first AVA of the last RDN is inspected; multi-valued RDNs are not handled.
    ASN1Set lastRdn = X509NameHelper.getLastNameEntry(crt.getSubject());
    ASN1Sequence firstAva = (ASN1Sequence) lastRdn.getObjectAt(0);
    boolean endsWithCn = X509Name.CN.equals(firstAva.getObjectAt(0));

    return endsWithCn
        ? processCN(exts, GSIConstants.CertificateType.EEC, firstAva)
        : GSIConstants.CertificateType.EEC;
  }
 /**
  * Extracts the KeyUsage bits of a TBS certificate.
  *
  * <p>Callers cannot distinguish "no KeyUsage extension" (no restriction on key use) from an
  * empty result: both the missing-extensions and missing-KeyUsage cases yield a zero-length
  * array. Check for an empty array before interpreting individual bits.
  *
  * @param crt the TBS certificate to inspect
  * @return the decoded KeyUsage bits, or an empty array when the certificate carries no
  *     extensions or no KeyUsage extension
  * @throws IOException if the KeyUsage extension cannot be decoded (declared by the
  *     single-extension overload this delegates to)
  */
 public static boolean[] getKeyUsage(TBSCertificateStructure crt) throws IOException {
   X509Extensions exts = crt.getExtensions();
   if (exts == null) {
     return new boolean[0];
   }
   X509Extension keyUsage = exts.getExtension(X509Extensions.KeyUsage);
   if (keyUsage == null) {
     return new boolean[0];
   }
   return getKeyUsage(keyUsage);
 }
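  /**
   * Returns the BasicConstraints path length constraint of a CA certificate.
   *
   * @param crt the TBS certificate to inspect
   * @return the pathLenConstraint value; {@link Integer#MAX_VALUE} when the certificate is a CA
   *     without a pathLenConstraint (unlimited) or when the encoded value exceeds the {@code int}
   *     range; {@code -1} when the certificate has no extensions, no BasicConstraints extension,
   *     or BasicConstraints does not assert cA
   * @throws IOException if the BasicConstraints extension cannot be decoded
   */
  public static int getCAPathConstraint(TBSCertificateStructure crt) throws IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions == null) {
      return -1;
    }
    X509Extension bcExt = extensions.getExtension(X509Extensions.BasicConstraints);
    if (bcExt == null) {
      return -1;
    }
    BasicConstraints basic = getBasicConstraints(bcExt);
    if (!basic.isCA()) {
      return -1;
    }
    BigInteger pathLen = basic.getPathLenConstraint();
    if (pathLen == null) {
      // Absent pathLenConstraint means no limit on subordinate CAs.
      return Integer.MAX_VALUE;
    }
    // BigInteger.intValue() silently keeps only the low 32 bits, so an oversized encoded value
    // could wrap to a small or even negative length; clamp it to "unlimited" instead.
    // NOTE(review): a negative encoded value (malformed per RFC 5280) is still returned as-is.
    if (pathLen.compareTo(BigInteger.valueOf(Integer.MAX_VALUE)) > 0) {
      return Integer.MAX_VALUE;
    }
    return pathLen.intValue();
  }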
  /**
   * Collects the OIDs of the attribute certificate's extensions that match the requested
   * criticality.
   *
   * @param critical {@code true} to select critical extensions, {@code false} for non-critical
   *     ones
   * @return the matching extension OIDs as dotted strings (possibly empty), or {@code null} when
   *     the attribute certificate info carries no extensions at all (a null return, rather than
   *     an empty set, is kept for callers that treat the two cases differently)
   */
  private Set getExtensionOIDs(boolean critical) {
    X509Extensions exts = cert.getAcinfo().getExtensions();
    if (exts == null) {
      return null;
    }

    Set matching = new HashSet();
    for (Enumeration oids = exts.oids(); oids.hasMoreElements(); ) {
      DERObjectIdentifier oid = (DERObjectIdentifier) oids.nextElement();
      if (exts.getExtension(oid).isCritical() == critical) {
        matching.add(oid.getId());
      }
    }
    return matching;
  }
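 /**
  * Checks whether a certificate advertises a certificate policy whose OID starts with
  * {@code sOid}.
  *
  * <p>The certificate is re-decoded from its DER encoding and, for version 3 certificates only,
  * the certificatePolicies extension is scanned. Any decoding problem is logged (with stack
  * trace) and treated as "no matching policy".
  *
  * @param cert the certificate to inspect
  * @param sOid dotted OID, or OID prefix, to look for
  * @return {@code true} if some policyIdentifier in certificatePolicies starts with {@code sOid};
  *     {@code false} if there is none, the certificate is not v3, or decoding fails
  */
 private static boolean certHasPolicy(X509Certificate cert, String sOid) {
   try {
     if (m_logger.isDebugEnabled()) {
       m_logger.debug("Read cert policies: " + cert.getSerialNumber().toString());
     }
     ASN1InputStream certIn = new ASN1InputStream(new ByteArrayInputStream(cert.getEncoded()));
     X509CertificateStructure certStruct =
         new X509CertificateStructure((ASN1Sequence) certIn.readObject());
     TBSCertificateStructure tbsCert = certStruct.getTBSCertificate();
     // Only v3 certificates can carry extensions.
     if (tbsCert.getVersion() != 3) {
       return false;
     }
     X509Extensions ext = tbsCert.getExtensions();
     if (ext == null) {
       return false;
     }
     Enumeration en = ext.oids();
     while (en.hasMoreElements()) {
       DERObjectIdentifier oid = (DERObjectIdentifier) en.nextElement();
       // bc 146 / jdk 1.6: the OID constant lives on X509Extension, not X509Extensions.
       if (!oid.equals(X509Extension.certificatePolicies)) {
         continue;
       }
       // Decode only the extension we care about instead of every extension value.
       ASN1OctetString oct = ext.getExtension(oid).getValue();
       ASN1InputStream extIn = new ASN1InputStream(new ByteArrayInputStream(oct.getOctets()));
       ASN1Sequence cp = (ASN1Sequence) extIn.readObject();
       for (int i = 0; i != cp.size(); i++) {
         PolicyInformation pol = PolicyInformation.getInstance(cp.getObjectAt(i));
         String soid2 = pol.getPolicyIdentifier().getId();
         if (m_logger.isDebugEnabled()) {
           m_logger.debug("Policy: " + soid2);
         }
         // NOTE(review): this is a plain string-prefix match, so sOid "1.2.3" also matches
         // "1.2.34.5". If callers mean "this OID or its arc", compare with equals() or require
         // a '.' boundary after the prefix — confirm the intent before tightening.
         if (soid2.startsWith(sOid)) {
           return true;
         }
       }
     }
   } catch (Exception ex) {
     // Best-effort read: pass the throwable so the stack trace is retained in the log.
     m_logger.error("Error reading cert policies: " + ex, ex);
   }
   return false;
 }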
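  /**
   * Returns the DER-encoded value of one extension of the attribute certificate.
   *
   * <p>The returned bytes are the DER encoding of the extension's OCTET STRING value, i.e. the
   * OCTET STRING tag and length are included, not just its contents.
   *
   * @param oid dotted OID of the extension to fetch
   * @return the DER-encoded extension value, or {@code null} when the attribute certificate has no
   *     extensions or no extension with this OID
   * @throws RuntimeException if DER encoding fails; the original exception is attached as cause.
   *     Constructing the identifier may also reject a malformed {@code oid} string — verify
   *     against the DERObjectIdentifier constructor in use.
   */
  public byte[] getExtensionValue(String oid) {
    X509Extensions extensions = cert.getAcinfo().getExtensions();
    if (extensions == null) {
      return null;
    }
    X509Extension ext = extensions.getExtension(new DERObjectIdentifier(oid));
    if (ext == null) {
      return null;
    }

    ByteArrayOutputStream bOut = new ByteArrayOutputStream();
    DEROutputStream dOut = new DEROutputStream(bOut);
    try {
      dOut.writeObject(ext.getValue());
      return bOut.toByteArray();
    } catch (Exception e) {
      // Keep the cause chained instead of flattening it into the message only.
      throw new RuntimeException("error encoding " + e.toString(), e);
    }
  }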
  /**
   * Refines the certificate type from the trailing {@code CN} attribute of the subject.
   *
   * <p>{@code CN=proxy} and {@code CN=limited proxy} (case-insensitive) select the GSI-2 proxy
   * types without looking at extensions. Any other CN value is a GSI-3/GSI-4 proxy only when a
   * ProxyCertInfo extension is present: the current OID ({@code ProxyCertInfo.OID}) marks GSI-4,
   * the legacy OID ({@code ProxyCertInfo.OLD_OID}) marks GSI-3, and the concrete type is then
   * resolved by {@code processCriticalExtension}. Without such an extension {@code type} is
   * returned unchanged.
   *
   * <p>Issuer/subject name chaining is <b>not</b> checked here (see the FIXME at the end of the
   * method); callers must not treat the returned type as proof that the certificate was issued
   * by the entity named in the rest of its subject.
   *
   * @param extensions the certificate's extensions, or {@code null} when it has none
   * @param type the type determined so far; returned when no proxy rule applies
   * @param ava the CN attribute (type/value sequence) that ends the subject DN
   * @return the refined certificate type
   * @throws CertificateException when a ProxyCertInfo extension is present but not marked critical
   */
  private static GSIConstants.CertificateType processCN(
      X509Extensions extensions, GSIConstants.CertificateType type, ASN1Sequence ava)
      throws CertificateException {
    String cn = ((DERString) ava.getObjectAt(1)).getString();

    if (cn.equalsIgnoreCase("proxy")) {
      return GSIConstants.CertificateType.GSI_2_PROXY;
    }
    if (cn.equalsIgnoreCase("limited proxy")) {
      return GSIConstants.CertificateType.GSI_2_LIMITED_PROXY;
    }
    if (extensions == null) {
      return type;
    }

    // Prefer the current (GSI-4) OID and fall back to the legacy (GSI-3) one.
    boolean gsi4 = true;
    X509Extension proxyInfo = extensions.getExtension(ProxyCertInfo.OID);
    if (proxyInfo == null) {
      proxyInfo = extensions.getExtension(ProxyCertInfo.OLD_OID);
      gsi4 = false;
    }
    if (proxyInfo == null) {
      return type;
    }
    if (!proxyInfo.isCritical()) {
      // RFC 3820 requires ProxyCertInfo to be critical; a non-critical one is rejected.
      throw new CertificateException("proxyCertCritical");
    }

    // FIXME (kept from the original): the issuer-DN check below looks like validation and is
    // currently disabled, so nothing here confirms issuer == subject minus the proxy CN:
    //   if (ProxyCertificateUtil.isProxy(type)) {
    //     X509NameHelper iss = new X509NameHelper(crt.getIssuer());
    //     iss.add((ASN1Set) BouncyCastleUtil.duplicate(entry));
    //     X509Name issuer = iss.getAsName();
    //     if (!issuer.equals(subject)) {
    //       String err = i18n.getMessage("proxyDNErr");
    //       throw new CertificateException(err);
    //     }
    //   }
    return processCriticalExtension(proxyInfo, gsi4);
  }