/**
* Add a given extension field for the standard extensions tag (tag 3) copying the extension value
* from another certificate.
*
* @param oid the OID defining the extension type.
* @param isCritical true if the copied extension is to be marked as critical, false otherwise.
* @param certHolder the holder for the certificate that the extension is to be copied from.
* @return this builder object.
*/
public X509v3CertificateBuilder copyAndAddExtension(
ASN1ObjectIdentifier oid, boolean isCritical, X509CertificateHolder certHolder) {
X509CertificateStructure cert = certHolder.toASN1Structure();
X509Extension extension = cert.getTBSCertificate().getExtensions().getExtension(oid);
if (extension == null) {
throw new NullPointerException("extension " + oid + " not present");
}
extGenerator.addExtension(oid, isCritical, extension.getValue().getOctets());
return this;
}
private Set getExtensionOIDs(boolean critical) {
X509Extensions extensions = cert.getAcinfo().getExtensions();
if (extensions != null) {
Set set = new HashSet();
Enumeration e = extensions.oids();
while (e.hasMoreElements()) {
DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement();
X509Extension ext = extensions.getExtension(oid);
if (ext.isCritical() == critical) {
set.add(oid.getId());
}
}
return set;
}
return null;
}
private static boolean certHasPolicy(X509Certificate cert, String sOid) {
try {
if (m_logger.isDebugEnabled())
m_logger.debug("Read cert policies: " + cert.getSerialNumber().toString());
ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded());
ASN1InputStream aIn = new ASN1InputStream(bIn);
ASN1Sequence seq = (ASN1Sequence) aIn.readObject();
X509CertificateStructure obj = new X509CertificateStructure(seq);
TBSCertificateStructure tbsCert = obj.getTBSCertificate();
if (tbsCert.getVersion() == 3) {
X509Extensions ext = tbsCert.getExtensions();
if (ext != null) {
Enumeration en = ext.oids();
while (en.hasMoreElements()) {
DERObjectIdentifier oid = (DERObjectIdentifier) en.nextElement();
X509Extension extVal = ext.getExtension(oid);
ASN1OctetString oct = extVal.getValue();
ASN1InputStream extIn = new ASN1InputStream(new ByteArrayInputStream(oct.getOctets()));
// if (oid.equals(X509Extensions.CertificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
// X509Extension.certificatePolicies
if (oid.equals(X509Extension.certificatePolicies)) { // bc 146 ja jdk 1.6 puhul -
// X509Extension.certificatePolicies
ASN1Sequence cp = (ASN1Sequence) extIn.readObject();
for (int i = 0; i != cp.size(); i++) {
PolicyInformation pol = PolicyInformation.getInstance(cp.getObjectAt(i));
DERObjectIdentifier dOid = pol.getPolicyIdentifier();
String soid2 = dOid.getId();
if (m_logger.isDebugEnabled()) m_logger.debug("Policy: " + soid2);
if (soid2.startsWith(sOid)) return true;
}
}
}
}
}
} catch (Exception ex) {
m_logger.error("Error reading cert policies: " + ex);
}
return false;
}
public byte[] getExtensionValue(String oid) {
X509Extensions extensions = cert.getAcinfo().getExtensions();
if (extensions != null) {
X509Extension ext = extensions.getExtension(new DERObjectIdentifier(oid));
if (ext != null) {
ByteArrayOutputStream bOut = new ByteArrayOutputStream();
DEROutputStream dOut = new DEROutputStream(bOut);
try {
dOut.writeObject(ext.getValue());
return bOut.toByteArray();
} catch (Exception e) {
throw new RuntimeException("error encoding " + e.toString());
}
}
}
return null;
}
private static GSIConstants.CertificateType processCN(
X509Extensions extensions, GSIConstants.CertificateType type, ASN1Sequence ava)
throws CertificateException {
X509Extension ext;
String value = ((DERString) ava.getObjectAt(1)).getString();
GSIConstants.CertificateType certType = type;
if (value.equalsIgnoreCase("proxy")) {
certType = GSIConstants.CertificateType.GSI_2_PROXY;
} else if (value.equalsIgnoreCase("limited proxy")) {
certType = GSIConstants.CertificateType.GSI_2_LIMITED_PROXY;
} else if (extensions != null) {
boolean gsi4 = true;
// GSI_4
ext = extensions.getExtension(ProxyCertInfo.OID);
if (ext == null) {
// GSI_3
ext = extensions.getExtension(ProxyCertInfo.OLD_OID);
gsi4 = false;
}
if (ext != null) {
if (ext.isCritical()) {
certType = processCriticalExtension(ext, gsi4);
} else {
String err = "proxyCertCritical";
throw new CertificateException(err);
}
}
}
/**
* FIXME: this looks like validation if (ProxyCertificateUtil.isProxy(type)) { X509NameHelper
* iss = new X509NameHelper(crt.getIssuer());
* iss.add((ASN1Set)BouncyCastleUtil.duplicate(entry)); X509Name issuer = iss.getAsName(); if
* (!issuer.equals(subject)) { String err = i18n.getMessage("proxyDNErr"); throw new
* CertificateException(err); } }
*/
return certType;
}
public void performTest() throws Exception {
String signDN = "O=Bouncy Castle, C=AU";
KeyPair signKP = OCSPTestUtil.makeKeyPair();
X509CertificateHolder testCert =
new JcaX509CertificateHolder(OCSPTestUtil.makeCertificate(signKP, signDN, signKP, signDN));
String origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
GeneralName origName = new GeneralName(new X509Name(origDN));
DigestCalculatorProvider digCalcProv =
new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
//
// general id value for our test issuer cert and a serial number.
//
CertificateID id =
new CertificateID(
digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1));
//
// basic request generation
//
OCSPReqBuilder gen = new OCSPReqBuilder();
gen.addRequest(
new CertificateID(
digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));
OCSPReq req = gen.build();
if (req.isSigned()) {
fail("signed but shouldn't be");
}
X509CertificateHolder[] certs = req.getCerts();
if (certs.length != 0) {
fail("0 certs expected, but not found");
}
Req[] requests = req.getRequestList();
if (!requests[0].getCertID().equals(id)) {
fail("Failed isFor test");
}
//
// request generation with signing
//
X509CertificateHolder[] chain = new X509CertificateHolder[1];
gen = new OCSPReqBuilder();
gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred")));
gen.addRequest(
new CertificateID(
digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));
chain[0] = testCert;
req =
gen.build(
new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(signKP.getPrivate()),
chain);
if (!req.isSigned()) {
fail("not signed but should be");
}
if (!req.isSignatureValid(
new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
fail("signature failed to verify");
}
requests = req.getRequestList();
if (!requests[0].getCertID().equals(id)) {
fail("Failed isFor test");
}
certs = req.getCerts();
if (certs == null) {
fail("null certs found");
}
if (certs.length != 1 || !certs[0].equals(testCert)) {
fail("incorrect certs found in request");
}
//
// encoding test
//
byte[] reqEnc = req.getEncoded();
OCSPReq newReq = new OCSPReq(reqEnc);
if (!newReq.isSignatureValid(
new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
fail("newReq signature failed to verify");
}
//
// request generation with signing and nonce
//
chain = new X509CertificateHolder[1];
gen = new OCSPReqBuilder();
Vector oids = new Vector();
Vector values = new Vector();
byte[] sampleNonce = new byte[16];
Random rand = new Random();
rand.nextBytes(sampleNonce);
gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred")));
oids.addElement(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
values.addElement(
new X509Extension(false, new DEROctetString(new DEROctetString(sampleNonce))));
gen.setRequestExtensions(new X509Extensions(oids, values));
gen.addRequest(
new CertificateID(
digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));
chain[0] = testCert;
req =
gen.build(
new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(signKP.getPrivate()),
chain);
if (!req.isSigned()) {
fail("not signed but should be");
}
if (!req.isSignatureValid(
new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
fail("signature failed to verify");
}
//
// extension check.
//
Set extOids = req.getCriticalExtensionOIDs();
if (extOids.size() != 0) {
fail("wrong number of critical extensions in OCSP request.");
}
extOids = req.getNonCriticalExtensionOIDs();
if (extOids.size() != 1) {
fail("wrong number of non-critical extensions in OCSP request.");
}
X509Extension ext = req.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
ASN1Encodable extObj = ext.getParsedValue();
if (!(extObj instanceof ASN1OctetString)) {
fail("wrong extension type found.");
}
if (!areEqual(((ASN1OctetString) extObj).getOctets(), sampleNonce)) {
fail("wrong extension value found.");
}
//
// request list check
//
requests = req.getRequestList();
if (!requests[0].getCertID().equals(id)) {
fail("Failed isFor test");
}
//
// response parsing - test 1
//
OCSPResp response = new OCSPResp(testResp1);
if (response.getStatus() != 0) {
fail("response status not zero.");
}
BasicOCSPResp brep = (BasicOCSPResp) response.getResponseObject();
chain = brep.getCerts();
if (!brep.isSignatureValid(
new JcaContentVerifierProviderBuilder().setProvider(BC).build(chain[0]))) {
fail("response 1 failed to verify.");
}
//
// test 2
//
SingleResp[] singleResp = brep.getResponses();
response = new OCSPResp(testResp2);
if (response.getStatus() != 0) {
fail("response status not zero.");
}
brep = (BasicOCSPResp) response.getResponseObject();
chain = brep.getCerts();
if (!brep.isSignatureValid(
new JcaContentVerifierProviderBuilder().setProvider(BC).build(chain[0]))) {
fail("response 2 failed to verify.");
}
singleResp = brep.getResponses();
//
// simple response generation
//
OCSPRespBuilder respGen = new OCSPRespBuilder();
OCSPResp resp = respGen.build(OCSPRespBuilder.SUCCESSFUL, response.getResponseObject());
if (!resp.getResponseObject().equals(response.getResponseObject())) {
fail("response fails to match");
}
testECDSA();
testRSA();
testIrregularVersionReq();
}
/**
* Extracts the value of a certificate extension.
*
* @param ext the certificate extension to extract the value from.
* @throws IOException if extraction fails.
*/
public static DERObject getExtensionObject(X509Extension ext) throws IOException {
return toDERObject(ext.getValue().getOctets());
}
/**
* Creates a <code>BasicConstraints</code> object from given extension.
*
* @param ext the extension.
* @return the <code>BasicConstraints</code> object.
* @throws IOException if something fails.
*/
public static BasicConstraints getBasicConstraints(X509Extension ext) throws IOException {
ASN1Object object = X509Extension.convertValueToObject(ext);
return BasicConstraints.getInstance(object);
}
