Пример #1
   * Returns certificate type of the given TBS certificate. <br>
   * The certificate type is {@link org.globus.gsi.GSIGSIConstants.CertificateType#CA
   * CertificateType.CA} <B>only</B> if the certificate contains a BasicConstraints extension and it
   * is marked as CA.<br>
   * A certificate is a GSI-2 proxy when the subject DN of the certificate ends with
   * <I>"CN=proxy"</I> (certificate type {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_2_PROXY CertificateType.GSI_2_PROXY}) or
   * <I>"CN=limited proxy"</I> (certificate type {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_2_LIMITED_PROXY
   * CertificateType.LIMITED_PROXY}) component and the issuer DN of the certificate matches the
   * subject DN without the last proxy <I>CN</I> component.<br>
   * A certificate is a GSI-3 proxy when the subject DN of the certificate ends with a <I>CN</I>
   * component, the issuer DN of the certificate matches the subject DN without the last <I>CN</I>
   * component and the certificate contains {@link org.globus.security.proxyExtension.ProxyCertInfo
   * ProxyCertInfo} critical extension. The certificate type is {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_IMPERSONATION_PROXY
   * CertificateType.GSI_3_IMPERSONATION_PROXY} if the policy language of the {@link
   * org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
   * org.globus.security.proxyExtension.ProxyPolicy#IMPERSONATION ProxyPolicy.IMPERSONATION} OID.
   * The certificate type is {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_LIMITED_PROXY
   * CertificateType.GSI_3_LIMITED_PROXY} if the policy language of the {@link
   * org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
   * org.globus.security.proxyExtension.ProxyPolicy#LIMITED ProxyPolicy.LIMITED} OID. The
   * certificate type is {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_INDEPENDENT_PROXY
   * CertificateType.GSI_3_INDEPENDENT_PROXY} if the policy language of the {@link
   * org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
   * org.globus.security.proxyExtension.ProxyPolicy#INDEPENDENT ProxyPolicy.INDEPENDENT} OID. The
   * certificate type is {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_RESTRICTED_PROXY
   * CertificateType.GSI_3_RESTRICTED_PROXY} if the policy language of the {@link
   * org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to any other
   * OID then the above.<br>
   * The certificate type is {@link org.globus.gsi.GSIGSIConstants.CertificateType#EEC
   * CertificateType.EEC} if the certificate is not a CA certificate or a GSI-2 or GSI-3 proxy.
   * @param crt the TBS certificate to get the type of.
   * @return the certificate type. The certificate type is determined by rules described above.
   * @throws java.io.IOException if something goes wrong.
   * @throws java.security.cert.CertificateException for proxy certificates, if the issuer DN of the
   *     certificate does not match the subject DN of the certificate without the last <I>CN</I>
   *     component. Also, for GSI-3 proxies when the <code>ProxyCertInfo</code> extension is not
   *     marked as critical.
  public static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt)
      throws CertificateException, IOException {

    X509Extensions extensions = crt.getExtensions();
    X509Extension ext = null;

    if (extensions != null) {
      ext = extensions.getExtension(X509Extensions.BasicConstraints);
      if (ext != null) {
        BasicConstraints basicExt = getBasicConstraints(ext);
        if (basicExt.isCA()) {
          return GSIConstants.CertificateType.CA;

    GSIConstants.CertificateType type = GSIConstants.CertificateType.EEC;

    // does not handle multiple AVAs
    X509Name subject = crt.getSubject();

    ASN1Set entry = X509NameHelper.getLastNameEntry(subject);
    ASN1Sequence ava = (ASN1Sequence) entry.getObjectAt(0);
    if (X509Name.CN.equals(ava.getObjectAt(0))) {
      type = processCN(extensions, type, ava);

    return type;
Пример #2
  public CVCertificate(byte[] in) throws IllegalArgumentException, IOException {
    ASN1StreamParser asn1Parser = new ASN1StreamParser(in);

    DERApplicationSpecific cvcert = (DERApplicationSpecific) asn1Parser.readObject();
    if (cvcert.getApplicationTag() != 0x21)
      throw new IllegalArgumentException("Can't find a CV Certificate");

    ASN1Sequence derCert =
        (ASN1Sequence) cvcert.getObject(BERTags.SEQUENCE); // Das CV Cerificate ist eine Sequence

    DERApplicationSpecific body =
            derCert.getObjectAt(0); // Das erste Objekt des Certificates ist der Cert-Body
    if (body.getApplicationTag() != 0x4E)
      throw new IllegalArgumentException("Can't find a Body in the CV Certificate");

    certBody = new CVCertBody(body);

    DERApplicationSpecific signature =
            derCert.getObjectAt(1); // Das zweite Objekt des Certificates ist die Signatur
    if (signature.getApplicationTag() != 0x37)
      throw new IllegalArgumentException("Can't find a Signature in the CV Certificate");

    certSignature = new CVCertSignature(signature.getContents());
  public void fromAsn1(ASN1Encodable required, ASN1Encodable optional)
      throws IOException, EIDException {

    ASN1Sequence params = (ASN1Sequence) required;
    int version = ASN1Helper.getCheckedInt((ASN1Integer) params.getObjectAt(0));
    // if( doLog ) log.debug( "read version: " + version );

    int keyId = ASN1Helper.getCheckedInt((ASN1Integer) params.getObjectAt(1));
    // if( doLog ) log.debug( "read keyId: " + keyId );

    boolean authorizedOnly = ((ASN1Boolean) params.getObjectAt(2)).isTrue();
    // if( doLog ) log.debug( "read authorizedOnly: " + authorizedOnly );

    if (1 != version) throw new EIDException("version must be 1");

    this.version = version;
    this.keyId = keyId;
    this.authorizedOnly = authorizedOnly;

    if (null != optional) {
      maxKeyLen = ASN1Helper.getCheckedInt((ASN1Integer) optional);
      // if( doLog ) log.debug( "read maxKeyLen: " + maxKeyLen );
Пример #4
  public GeneralSubtree(ASN1Sequence seq) {
    base = GeneralName.getInstance(seq.getObjectAt(0));

    switch (seq.size()) {
      case 1:
      case 2:
        ASN1TaggedObject o = ASN1TaggedObject.getInstance(seq.getObjectAt(1));
        switch (o.getTagNo()) {
          case 0:
            minimum = DERInteger.getInstance(o, false);
          case 1:
            maximum = DERInteger.getInstance(o, false);
            throw new IllegalArgumentException("Bad tag number: " + o.getTagNo());
      case 3:
        minimum = DERInteger.getInstance(ASN1TaggedObject.getInstance(seq.getObjectAt(1)));
        maximum = DERInteger.getInstance(ASN1TaggedObject.getInstance(seq.getObjectAt(2)));
        throw new IllegalArgumentException("Bad sequence size: " + seq.size());
Пример #5
  private SinglePubInfo(ASN1Sequence seq) {
    pubMethod = ASN1Integer.getInstance(seq.getObjectAt(0));

    if (seq.size() == 2) {
      pubLocation = GeneralName.getInstance(seq.getObjectAt(1));
Пример #6
 public IDEACBCPar(ASN1Sequence seq) {
   if (seq.size() == 1) {
     iv = (ASN1OctetString) seq.getObjectAt(0);
   } else {
     iv = null;
 public EncryptedContentInfo(ASN1Sequence seq) {
   contentType = (DERObjectIdentifier) seq.getObjectAt(0);
   contentEncryptionAlgorithm = AlgorithmIdentifier.getInstance(seq.getObjectAt(1));
   if (seq.size() > 2) {
     encryptedContent = ASN1OctetString.getInstance((ASN1TaggedObject) seq.getObjectAt(2), false);
   * decrypt the content and return an input stream.
   * @deprecated use getContentStream(Recipient)
  public CMSTypedStream getContentStream(Key key, Provider prov) throws CMSException {
    try {
      CMSEnvelopedHelper helper = CMSEnvelopedHelper.INSTANCE;
      AlgorithmIdentifier kekAlg =
      ASN1Sequence kekAlgParams = (ASN1Sequence) kekAlg.getParameters();
      String kekAlgName = DERObjectIdentifier.getInstance(kekAlgParams.getObjectAt(0)).getId();
      String wrapAlgName = helper.getRFC3211WrapperName(kekAlgName);

      Cipher keyCipher = helper.createSymmetricCipher(wrapAlgName, prov);
      IvParameterSpec ivSpec =
          new IvParameterSpec(ASN1OctetString.getInstance(kekAlgParams.getObjectAt(1)).getOctets());
          new SecretKeySpec(((CMSPBEKey) key).getEncoded(kekAlgName), kekAlgName),

      Key sKey =
              info.getEncryptedKey().getOctets(), getContentAlgorithmName(), Cipher.SECRET_KEY);

      return getContentFromSessionKey(sKey, prov);
    } catch (NoSuchAlgorithmException e) {
      throw new CMSException("can't find algorithm.", e);
    } catch (InvalidKeyException e) {
      throw new CMSException("key invalid in message.", e);
    } catch (NoSuchPaddingException e) {
      throw new CMSException("required padding not supported.", e);
    } catch (InvalidAlgorithmParameterException e) {
      throw new CMSException("invalid iv.", e);
Пример #9
  public PaceInfo(ASN1Sequence seq) {
    protocol = (ASN1ObjectIdentifier) seq.getObjectAt(0);
    version = (ASN1Integer) seq.getObjectAt(1);

    if (seq.size() > 2) {
      parameterId = (ASN1Integer) seq.getObjectAt(2);
Пример #10
  * Returns the targets in this target information extension.
  * @return Returns the targets.
 public Targets[] getTargetsObjects() {
   Targets[] copy = new Targets[targets.size()];
   int count = 0;
   for (Enumeration e = targets.getObjects(); e.hasMoreElements(); ) {
     copy[count++] = Targets.getInstance(e.nextElement());
   return copy;
    public BigInteger[] decode(byte[] encoding) throws IOException {
      ASN1Sequence s = (ASN1Sequence) ASN1Primitive.fromByteArray(encoding);
      BigInteger[] sig = new BigInteger[2];

      sig[0] = ((DERInteger) s.getObjectAt(0)).getValue();
      sig[1] = ((DERInteger) s.getObjectAt(1)).getValue();

      return sig;
Пример #12
  public CryptEngineImpl(Context ctx) throws Exception {

    // Получаем действующее хранилище
    IKeyStorage storage = KeyStorageFactory.getKeyStorage(ctx);

    Log.v("TFORWARD.CryptEngineImpl", "Decoding public key...");
    byte[] publicKey = Base64.decode(storage.getKey(IKeyStorage.PUBLIC_KEY_TYPE), Base64.DEFAULT);

    Log.v("TFORWARD.CryptEngineImpl", "Decoding ASN1 Structure");
    ASN1InputStream asnStream = new ASN1InputStream(publicKey);

    ASN1Sequence sequence = null;
    try {
      Log.v("TFORWARD.CryptEngineImpl", "Reading ASN1 Sequence");
      sequence = (ASN1Sequence) asnStream.readObject();
    } finally {

    Log.v("TFORWARD.CryptEngineImpl", "Creating certificate. " + sequence.size());
    Certificate certificate = Certificate.getInstance(sequence);
    SubjectPublicKeyInfo publicKeyInfo = certificate.getSubjectPublicKeyInfo();

    RSAPublicKey publicKeyStructure = RSAPublicKey.getInstance(publicKeyInfo.parsePublicKey());
    BigInteger mod = publicKeyStructure.getModulus();
    BigInteger pubExp = publicKeyStructure.getPublicExponent();

    publicRsaKey = new RSAKeyParameters(false, mod, pubExp);

    // ------------------------ PRIVATE KEY --------------------------------
    byte[] privateKeyData =
        Base64.decode(storage.getKey(IKeyStorage.SECRET_KEY_TYPE), Base64.DEFAULT);
    asnStream = new ASN1InputStream(privateKeyData);

    ASN1Sequence asnSequence = null;
    try {
      asnSequence = (ASN1Sequence) asnStream.readObject();
    } finally {

    RSAPrivateKey privateKey = RSAPrivateKey.getInstance(asnSequence);
    privateRsaKey =
        new RSAPrivateCrtKeyParameters(

    RSAEngine engine = new RSAEngine();
    digest = new MD5Digest();
    cipher = new PKCS1Encoding(engine);
  public X509Attribute[] getAttributes() {
    ASN1Sequence seq = cert.getAcinfo().getAttributes();
    X509Attribute[] attrs = new X509Attribute[seq.size()];

    for (int i = 0; i != seq.size(); i++) {
      attrs[i] = new X509Attribute((ASN1Encodable) seq.getObjectAt(i));

    return attrs;
Пример #14
  public void parse(ASN1Primitive derObject) {
    ASN1Sequence derSequence = ASN1Object.getDERSequence(derObject);

    this.endCertRevReq = new RevReq();

    this.caCerts = new RevReq();
   * Return the attributes, if any associated with this request.
   * @return an array of Attribute, zero length if none present.
  public Attribute[] getAttributes() {
    ASN1Sequence seq = attrCert.getAcinfo().getAttributes();
    Attribute[] attrs = new Attribute[seq.size()];

    for (int i = 0; i != seq.size(); i++) {
      attrs[i] = Attribute.getInstance(seq.getObjectAt(i));

    return attrs;
Пример #16
  * Produces the r,s integer pair of a DSA signature from a DER-encoded byte representation.
  * @param in DER-encoded concatenation of byte representation of r and s.
  * @return DSA signature output parameters (r,s).
  * @throws CryptException On cryptographic errors.
 protected BigInteger[] decode(final byte[] in) throws CryptException {
   ASN1Sequence s;
   try {
     s = (ASN1Sequence) new ASN1InputStream(in).readObject();
   } catch (IOException e) {
     throw new CryptException("Error decoding DSA signature.", e);
   return new BigInteger[] {
     ((DERInteger) s.getObjectAt(0)).getValue(), ((DERInteger) s.getObjectAt(1)).getValue(),
Пример #17
  public int hashCode() {
    ASN1Sequence seq = (ASN1Sequence) this.getDERObject();
    Enumeration e = seq.getObjects();
    int hashCode = 0;

    while (e.hasMoreElements()) {
      hashCode ^= e.nextElement().hashCode();

    return hashCode;
Пример #18
  protected BigInteger[] derDecode(byte[] encoding) throws IOException {
    ByteArrayInputStream bIn = new ByteArrayInputStream(encoding);
    ASN1InputStream aIn = new ASN1InputStream(bIn);
    ASN1Sequence s = (ASN1Sequence) aIn.readObject();

    BigInteger[] sig = new BigInteger[2];

    sig[0] = ((DERInteger) s.getObjectAt(0)).getValue();
    sig[1] = ((DERInteger) s.getObjectAt(1)).getValue();

    return sig;
Пример #19
  public PBES2Parameters(ASN1Sequence obj) {
    Enumeration e = obj.getObjects();
    ASN1Sequence funcSeq =
        ASN1Sequence.getInstance(((DEREncodable) e.nextElement()).getDERObject());

    if (funcSeq.getObjectAt(0).equals(id_PBKDF2)) {
      func = new KeyDerivationFunc(id_PBKDF2, PBKDF2Params.getInstance(funcSeq.getObjectAt(1)));
    } else {
      func = new KeyDerivationFunc(funcSeq);

    scheme = (EncryptionScheme) EncryptionScheme.getInstance(e.nextElement());
Пример #20
   * Reads the value of the <code>CertificatePolicies</code> extension field of the certificate.
   * @return List of certificate policies defined on certificate or null if the certificate does not
   *     define the field.
  public List<PolicyInformation> readCertificatePolicies() {
    final ASN1Encodable data = read(ExtensionType.CertificatePolicies);
    if (data == null) {
      return null;

    final ASN1Sequence sequence = ASN1Sequence.getInstance(data);
    final List<PolicyInformation> list = new ArrayList<>(sequence.size());
    for (int i = 0; i < sequence.size(); i++) {
    return list;
Пример #21
   * Reads the value of the <code>ExtendedKeyUsage</code> extension field of the certificate.
   * @return List of supported extended key usages or null if extension is not defined.
  public List<KeyPurposeId> readExtendedKeyUsage() {
    final ASN1Encodable data = read(ExtensionType.ExtendedKeyUsage);
    if (data == null) {
      return null;

    final ASN1Sequence sequence = ASN1Sequence.getInstance(data);
    final List<KeyPurposeId> list = new ArrayList<>(sequence.size());
    for (int i = 0; i < sequence.size(); i++) {
    return list;
Пример #22
   * Reads the value of the <code>CRLDistributionPoints</code> extension field of the certificate.
   * @return List of CRL distribution points or null if extension is not defined.
  public List<DistributionPoint> readCRLDistributionPoints() {
    final ASN1Encodable data = read(ExtensionType.CRLDistributionPoints);
    if (data == null) {
      return null;

    final ASN1Sequence sequence = ASN1Sequence.getInstance(data);
    final List<DistributionPoint> list = new ArrayList<>(sequence.size());
    for (int i = 0; i < sequence.size(); i++) {
    return list;
Пример #23
   * Reads the value of the <code>AuthorityInformationAccess</code> extension field of the
   * certificate.
   * @return List of access descriptions or null if extension is not defined.
  public List<AccessDescription> readAuthorityInformationAccess() {
    final ASN1Encodable data = read(ExtensionType.AuthorityInformationAccess);
    if (data == null) {
      return null;

    final ASN1Sequence sequence = ASN1Sequence.getInstance(data);
    final List<AccessDescription> list = new ArrayList<>(sequence.size());
    for (int i = 0; i < sequence.size(); i++) {
    return list;
Пример #24
  public X9Curve(X9FieldID fieldID, ASN1Sequence seq) {
    if (fieldID.getIdentifier().equals(prime_field)) {
      BigInteger q = ((DERInteger) fieldID.getParameters()).getValue();
      X9FieldElement x9A = new X9FieldElement(true, q, (ASN1OctetString) seq.getObjectAt(0));
      X9FieldElement x9B = new X9FieldElement(true, q, (ASN1OctetString) seq.getObjectAt(1));
      curve = new ECCurve.Fp(q, x9A.getValue().toBigInteger(), x9B.getValue().toBigInteger());
    } else {
      throw new RuntimeException("not implemented");

    if (seq.size() == 3) {
      seed = ((DERBitString) seq.getObjectAt(2)).getBytes();
Пример #25
  private ECCCMSSharedInfo(ASN1Sequence seq) {
    this.keyInfo = AlgorithmIdentifier.getInstance(seq.getObjectAt(0));

    if (seq.size() == 2) {
      this.entityUInfo = null;
      this.suppPubInfo =
          ASN1OctetString.getInstance((ASN1TaggedObject) seq.getObjectAt(1), true).getOctets();
    } else {
      this.entityUInfo =
          ASN1OctetString.getInstance((ASN1TaggedObject) seq.getObjectAt(1), true).getOctets();
      this.suppPubInfo =
          ASN1OctetString.getInstance((ASN1TaggedObject) seq.getObjectAt(2), true).getOctets();
Пример #26
  private ResponseData(ASN1Sequence seq) {
    int index = 0;

    if (seq.getObjectAt(0) instanceof ASN1TaggedObject) {
      ASN1TaggedObject o = (ASN1TaggedObject) seq.getObjectAt(0);

      if (o.getTagNo() == 0) {
        this.versionPresent = true;
        this.version = ASN1Integer.getInstance((ASN1TaggedObject) seq.getObjectAt(0), true);
      } else {
        this.version = V1;
    } else {
      this.version = V1;

    this.responderID = ResponderID.getInstance(seq.getObjectAt(index++));
    this.producedAt = (DERGeneralizedTime) seq.getObjectAt(index++);
    this.responses = (ASN1Sequence) seq.getObjectAt(index++);

    if (seq.size() > index) {
      this.responseExtensions =
          Extensions.getInstance((ASN1TaggedObject) seq.getObjectAt(index), true);
  public VomsAttributeCertificateInfo(final ASN1Sequence seq) throws ProblemException {


    ASN1Sequence attributes = getAttributes();

    for (int i = 0; i < attributes.size(); i++) {

      ASN1Sequence attribute = (ASN1Sequence) attributes.getObjectAt(i);
      DERObjectIdentifier id = (DERObjectIdentifier) attribute.getObjectAt(0);

      if (VomsCredentialInfo.VOMS_ATTR_OID.equals(id.getId())) {

        DERSet set = (DERSet) attribute.getObjectAt(1);

        for (int j = 0; j < set.size(); j++) {

          IetfAttrSyntax attr = new IetfAttrSyntax((ASN1Sequence) set.getObjectAt(j));
          ASN1Sequence paSeq = (ASN1Sequence) attr.getPolicyAuthority().getDERObject();
          GeneralName paGName = GeneralName.getInstance(paSeq.getObjectAt(0));
          String paString = ((DERIA5String) paGName.getName()).getString();

          int sep = paString.indexOf("://"); // $NON-NLS-1$
          if (sep != -1) {
            this.voNames.add(paString.substring(0, sep));

          for (Object attrValue : attr.getValues()) {
            String fqanString = new String(((ASN1OctetString) attrValue).getOctets());
Пример #28
  private CscaMasterList(ASN1Sequence seq) {
    if (seq == null || seq.size() == 0) {
      throw new IllegalArgumentException("null or empty sequence passed.");
    if (seq.size() != 2) {
      throw new IllegalArgumentException("Incorrect sequence size: " + seq.size());

    version = DERInteger.getInstance(seq.getObjectAt(0));
    ASN1Set certSet = ASN1Set.getInstance(seq.getObjectAt(1));
    certList = new X509CertificateStructure[certSet.size()];
    for (int i = 0; i < certList.length; i++) {
      certList[i] = X509CertificateStructure.getInstance(certSet.getObjectAt(i));
  protected static final Set getQualifierSet(ASN1Sequence qualifiers)
      throws CertPathValidatorException {
    Set pq = new HashSet();

    if (qualifiers == null) {
      return pq;

    ByteArrayOutputStream bOut = new ByteArrayOutputStream();
    ASN1OutputStream aOut = new ASN1OutputStream(bOut);

    Enumeration e = qualifiers.getObjects();

    while (e.hasMoreElements()) {
      try {
        aOut.writeObject((ASN1Encodable) e.nextElement());

        pq.add(new PolicyQualifierInfo(bOut.toByteArray()));
      } catch (IOException ex) {
        throw new ExtCertPathValidatorException("Policy qualifier info cannot be decoded.", ex);


    return pq;
Пример #30
  public SignerInfo(ASN1Sequence seq) {
    Enumeration e = seq.getObjects();

    version = (DERInteger) e.nextElement();
    issuerAndSerialNumber = IssuerAndSerialNumber.getInstance(e.nextElement());
    digAlgorithm = AlgorithmIdentifier.getInstance(e.nextElement());

    Object obj = e.nextElement();

    if (obj instanceof ASN1TaggedObject) {
      authenticatedAttributes = ASN1Set.getInstance((ASN1TaggedObject) obj, false);

      digEncryptionAlgorithm = AlgorithmIdentifier.getInstance(e.nextElement());
    } else {
      authenticatedAttributes = null;
      digEncryptionAlgorithm = AlgorithmIdentifier.getInstance(obj);

    encryptedDigest = DEROctetString.getInstance(e.nextElement());

    if (e.hasMoreElements()) {
      unauthenticatedAttributes = ASN1Set.getInstance((ASN1TaggedObject) e.nextElement(), false);
    } else {
      unauthenticatedAttributes = null;