Example usage for java.security.cert Certificate getType

List of usage examples for java.security.cert Certificate getType

Introduction

In this page you can find the example usage for java.security.cert Certificate getType.

Prototype

public final String getType() 


Document

Returns the type of this certificate.

Usage

From source file:org.ejbca.util.CertTools.java

/**
 * Tells whether a certificate belongs to a CA.
 * <p>
 * X.509: decided from the BasicConstraints extension; a certificate without that extension is
 * reported as not being a CA. CVC: decided from the role in the authorization template, where
 * CVCA, DV_D and DV_F count as CA roles.
 * <p>
 * A CVC certificate whose role cannot be read is logged and reported as not being a CA, and so
 * is any other certificate type. A null {@code cert} is not handled here: the type lookup in
 * the CVC branch dereferences it.
 *
 * @param cert the certificate that shall be checked.
 *
 * @return true if the certificate belongs to a CA, false otherwise.
 */
public static boolean isCA(Certificate cert) {
    log.trace(">isCA");
    boolean isCaCert = false;
    if (cert instanceof X509Certificate) {
        // getBasicConstraints() yields -1 when the certificate is not marked as a CA.
        isCaCert = ((X509Certificate) cert).getBasicConstraints() > -1;
    } else if (StringUtils.equals(cert.getType(), "CVC")) {
        final CardVerifiableCertificate cvc = (CardVerifiableCertificate) cert;
        try {
            final AuthorizationRoleEnum role = cvc.getCVCertificate().getCertificateBody()
                    .getAuthorizationTemplate().getAuthorizationField().getRole();
            isCaCert = role.equals(AuthorizationRoleEnum.CVCA) || role.equals(AuthorizationRoleEnum.DV_D)
                    || role.equals(AuthorizationRoleEnum.DV_F);
        } catch (NoSuchFieldException e) {
            // Role not readable: the answer stays false, so the certificate is not treated as a CA.
            log.error("NoSuchFieldException: ", e);
        }
    }
    if (log.isTraceEnabled()) {
        log.trace("<isCA:" + isCaCert);
    }
    return isCaCert;
}

From source file:org.ejbca.util.CertTools.java

/**
 * Returns the end of the validity period of an X.509 or CV certificate.
 *
 * @param cert the certificate to read, must not be null.
 * @return the end date; null when a CVC object carries no such field or when the certificate
 *         is of a type this method does not handle.
 * @throws IllegalArgumentException if cert is null.
 */
public static Date getNotAfter(Certificate cert) {
    if (cert == null) {
        throw new IllegalArgumentException("getNotAfter: cert is null");
    }
    if (cert instanceof X509Certificate) {
        return ((X509Certificate) cert).getNotAfter();
    }
    if (!StringUtils.equals(cert.getType(), "CVC")) {
        // Neither X.509 nor CVC: nothing to report.
        return null;
    }
    try {
        return ((CardVerifiableCertificate) cert).getCVCertificate().getCertificateBody().getValidTo();
    } catch (NoSuchFieldException e) {
        // CVC certificate requests often lack this field (the EAC standard does not define it
        // for them), so this is logged at debug level only.
        log.debug("NoSuchFieldException: " + e.getMessage());
        return null;
    }
}

From source file:org.ejbca.util.CertTools.java

/**
 * Checks that the given date lies within the certificate's validity period, i.e. whether the
 * certificate would be valid at that date/time.
 * <p>
 * This helper gives the same behavior as the standard java.security.cert API regardless of
 * whether an X.509 or a CV certificate is passed in.
 * <p>
 * NOTE(review): a normal return is not always proof of validity. The method also returns
 * without throwing when {@code cert} is null, when the certificate is neither X.509 nor CVC,
 * and when the validity fields of a CVC certificate cannot be read (that case is only logged).
 * Callers that base a trust decision on this check should handle those cases themselves.
 *
 * @param cert certificate to verify; if null the method returns immediately, since null has no validity to check.
 * @param date the Date to check against to see if this certificate is valid at that date/time.
 * @throws CertificateExpiredException if the certificate has expired with respect to the date supplied.
 * @throws CertificateNotYetValidException if the certificate is not yet valid with respect to the date supplied.
 * @see java.security.cert.X509Certificate#checkValidity(Date)
 */
public static void checkValidity(Certificate cert, Date date)
        throws CertificateExpiredException, CertificateNotYetValidException {
    if (cert == null) {
        return;
    }
    if (cert instanceof X509Certificate) {
        ((X509Certificate) cert).checkValidity(date);
        return;
    }
    if (!StringUtils.equals(cert.getType(), "CVC")) {
        // Unknown certificate type: no check is performed.
        return;
    }
    final CardVerifiableCertificate cvc = (CardVerifiableCertificate) cert;
    try {
        final Date notBefore = cvc.getCVCertificate().getCertificateBody().getValidFrom();
        final Date notAfter = cvc.getCVCertificate().getCertificateBody().getValidTo();
        if (notBefore.after(date)) {
            final String notYetValid = "Certificate startDate '" + notBefore + "' is after check date '" + date
                    + "'";
            if (log.isTraceEnabled()) {
                log.trace(notYetValid);
            }
            throw new CertificateNotYetValidException(notYetValid);
        }
        if (notAfter.before(date)) {
            final String expired = "Certificate endDate '" + notAfter + "' is before check date '" + date + "'";
            if (log.isTraceEnabled()) {
                log.trace(expired);
            }
            throw new CertificateExpiredException(expired);
        }
    } catch (NoSuchFieldException e) {
        // Missing validity fields are logged and the method returns normally (see the note above).
        log.error("NoSuchFieldException: ", e);
    }
}

From source file:org.ejbca.util.CertTools.java

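/**
 * Returns the signature algorithm of a certificate as a human readable string. Not usable for
 * setting signature algorithm names in EJBCA, only for human presentation.
 * <p>
 * For X.509 the name comes from {@code getSigAlgName()}; for CVC it is derived from the object
 * identifier of the certificate's public key. Two OIDs that may come back untranslated are
 * mapped to the project's own constants: 1.2.840.113549.1.1.10 (RSASSA-PSS) and
 * 1.2.840.10045.4.3.2 (ECDSA with SHA-256).
 *
 * @param cert the certificate to inspect.
 * @return Signature algorithm from the certificate as a human readable string, for example
 *         SHA1WithRSA; null when cert is null, when the certificate type is not handled, or
 *         when the algorithm could not be determined.
 */
public static String getCertSignatureAlgorithmAsString(Certificate cert) {
    String certSignatureAlgorithm = null;
    if (cert instanceof X509Certificate) {
        X509Certificate x509cert = (X509Certificate) cert;
        certSignatureAlgorithm = x509cert.getSigAlgName();
        if (log.isDebugEnabled()) {
            log.debug("certSignatureAlgorithm is: " + certSignatureAlgorithm);
        }
    } else if (cert != null && StringUtils.equals(cert.getType(), "CVC")) {
        CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cert;
        try {
            CVCPublicKey cvcpk = cvccert.getCVCertificate().getCertificateBody().getPublicKey();
            OIDField oid = cvcpk.getObjectIdentifier();
            certSignatureAlgorithm = AlgorithmUtil.getAlgorithmName(oid);
        } catch (NoSuchFieldException e) {
            log.error("NoSuchFieldException: ", e);
        }
    }
    // The name can still be null here (unhandled certificate type, unreadable CVC public key),
    // so the comparisons are written literal-first: they must not dereference it.
    // Try to make it easier to display some signature algorithms that cert.getSigAlgName() does not have a good string for.
    if ("1.2.840.113549.1.1.10".equalsIgnoreCase(certSignatureAlgorithm)) {
        certSignatureAlgorithm = AlgorithmConstants.SIGALG_SHA256_WITH_RSA_AND_MGF1;
    }
    // SHA256WithECDSA does not work to be translated in JDK5.
    if ("1.2.840.10045.4.3.2".equalsIgnoreCase(certSignatureAlgorithm)) {
        certSignatureAlgorithm = AlgorithmConstants.SIGALG_SHA256_WITH_ECDSA;
    }
    return certSignatureAlgorithm;
}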

From source file:org.ejbca.util.CertTools.java

/**
 * Dumps a certificate (CVC or X.509) to string format, suitable for manual inspection/debugging.
 * <p>
 * An X.509 certificate is re-parsed from its encoded form and printed with {@code toString()};
 * if that fails, the exception message is returned in place of a dump. A CVC certificate is
 * printed through its own text representation.
 *
 * @param cert Certificate
 *
 * @return String with the CVC or X.509 dump, or the parse error message for an X.509 certificate
 *         that could not be re-read.
 * @throws IllegalArgumentException if the certificate is neither X.509 nor CVC.
 */
public static String dumpCertificateAsString(final Certificate cert) {
    if (cert instanceof X509Certificate) {
        try {
            return getCertfromByteArray(cert.getEncoded()).toString();
        } catch (CertificateException e) {
            // The output is meant for a human reader, so the error text stands in for the dump.
            return e.getMessage();
        }
    }
    if (StringUtils.equals(cert.getType(), "CVC")) {
        final CVCObject cvcObject = ((CardVerifiableCertificate) cert).getCVCertificate();
        return cvcObject.getAsText("");
    }
    throw new IllegalArgumentException(
            "dumpCertificateAsString: Certificate of type " + cert.getType() + " is not implemented");
}

From source file:org.cesecore.util.CertTools.java

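/**
 * Creates a certificate path from a list of certificates and checks its validity. The list of
 * certificates should only contain one root certificate; if several self-signed certificates are
 * present, the last one in the ordered list is the one used as root.
 * <p>
 * What the check covers, as far as this method is concerned:
 * <ul>
 * <li>X.509 chains are validated with a PKIX CertPathValidator from the "BC" provider, with the
 * self-signed certificate as the only trust anchor and the current time as validation date.</li>
 * <li>Revocation checking is switched off because no CRLs are supplied, so a revoked certificate
 * is not rejected here; callers that need revocation status must check it separately.</li>
 * <li>CV certificates cannot be handled by a PKIX validator. For them this method only enforces
 * the chain length (one certificate plus the root) and verifies no signature itself.
 * NOTE(review): whether orderCertificateChain or isSelfSigned verify anything for CVC is not
 * visible here; confirm before relying on the result for CVC.</li>
 * </ul>
 *
 * @param certlistin the certificates to build the chain from
 * @return the certificate path with the root CA at the end
 * @throws CertPathValidatorException if the certificate chain can not be constructed, including
 *             when the list holds no self-signed (root) certificate
 * @throws InvalidAlgorithmParameterException
 * @throws NoSuchProviderException
 * @throws NoSuchAlgorithmException
 * @throws CertificateException
 */
public static List<Certificate> createCertChain(Collection<?> certlistin)
        throws CertPathValidatorException, InvalidAlgorithmParameterException, NoSuchAlgorithmException,
        NoSuchProviderException, CertificateException {
    final List<Certificate> returnval = new ArrayList<Certificate>();

    Collection<Certificate> certlist = orderCertificateChain(certlistin);

    // Split the list into the root (self-signed) certificate and the rest of the chain
    Certificate rootcert = null;
    ArrayList<Certificate> calist = new ArrayList<Certificate>();
    for (Certificate next : certlist) {
        if (CertTools.isSelfSigned(next)) {
            rootcert = next;
        } else {
            calist.add(next);
        }
    }

    // Without a root there is no trust anchor. Fail here instead of returning a chain that
    // ends in null or passing null on to the TrustAnchor constructor.
    if (rootcert == null) {
        throw new CertPathValidatorException("No root CA certificate found in certificate list");
    }

    if (calist.isEmpty()) {
        // only one root cert, no certchain
        returnval.add(rootcert);
    } else {
        // We need a bit special handling for CV certificates because those can not be handled using a PKIX CertPathValidator
        Certificate test = calist.get(0);
        if (test.getType().equals("CVC")) {
            if (calist.size() == 1) {
                returnval.add(test);
                returnval.add(rootcert);
            } else {
                throw new CertPathValidatorException(
                        "CVC certificate chain can not be of length longer than two.");
            }
        } else {
            // Normal X509 certificates
            HashSet<TrustAnchor> trustancors = new HashSet<TrustAnchor>();
            TrustAnchor trustanchor = new TrustAnchor((X509Certificate) rootcert, null);
            trustancors.add(trustanchor);

            // Create the parameters for the validator
            PKIXParameters params = new PKIXParameters(trustancors);

            // Disable CRL checking since we are not supplying any CRLs
            params.setRevocationEnabled(false);
            params.setDate(new Date());

            // Create the validator and validate the path
            CertPathValidator certPathValidator = CertPathValidator
                    .getInstance(CertPathValidator.getDefaultType(), "BC");
            CertificateFactory fact = CertTools.getCertificateFactory();
            CertPath certpath = fact.generateCertPath(calist);

            CertPathValidatorResult result = certPathValidator.validate(certpath, params);

            // Get the certificates validated in the path
            PKIXCertPathValidatorResult pkixResult = (PKIXCertPathValidatorResult) result;
            returnval.addAll(certpath.getCertificates());

            // Get the CA used to validate this path
            TrustAnchor ta = pkixResult.getTrustAnchor();
            X509Certificate cert = ta.getTrustedCert();
            returnval.add(cert);
        }
    }
    return returnval;
}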

From source file:org.ejbca.util.CertTools.java

/**
 * Gets the subject or issuer DN in the format we are sure about (BouncyCastle), supporting UTF8.
 * <p>
 * An X.509 certificate is re-parsed through the CertTools certificate factory before the DN is
 * read. For a CVC certificate a "fake" DN is assembled from the mnemonic (as CN) and the country
 * (as C) of the holder or authority reference; the sequence is left out because it is more of a
 * serial number than a DN part.
 *
 * @param cert X.509 or CV certificate, may be null
 * @param which 1 = subjectDN, anything else = issuerDN
 *
 * @return String containing the DN; null if cert is null, is of another type, cannot be parsed,
 *         or (CVC) has no such reference.
 */
private static String getDN(Certificate cert, int which) {
    if (cert == null) {
        return null;
    }
    final boolean wantSubject = (which == 1);
    if (cert instanceof X509Certificate) {
        // cert.getType=X.509
        try {
            final CertificateFactory factory = CertTools.getCertificateFactory();
            final X509Certificate reparsed = (X509Certificate) factory
                    .generateCertificate(new ByteArrayInputStream(cert.getEncoded()));
            final String rawDn;
            if (wantSubject) {
                rawDn = reparsed.getSubjectDN().toString();
            } else {
                rawDn = reparsed.getIssuerDN().toString();
            }
            return stringToBCDNString(rawDn);
        } catch (CertificateException ce) {
            log.info("Could not get DN from X509Certificate. " + ce.getMessage());
            log.debug("", ce);
            return null;
        }
    }
    if (!StringUtils.equals(cert.getType(), "CVC")) {
        return null;
    }
    final CardVerifiableCertificate cvc = (CardVerifiableCertificate) cert;
    try {
        final ReferenceField reference;
        if (wantSubject) {
            reference = cvc.getCVCertificate().getCertificateBody().getHolderReference();
        } else {
            reference = cvc.getCVCertificate().getCertificateBody().getAuthorityReference();
        }
        if (reference == null) {
            return null;
        }
        // Construct a "fake" DN which can be used in EJBCA.
        // NOTE(review): mnemonic and country are concatenated without escaping; presumably the
        // CVC parser restricts their character set - confirm.
        final StringBuilder dn = new StringBuilder();
        if (reference.getMnemonic() != null) {
            dn.append("CN=").append(reference.getMnemonic());
        }
        if (reference.getCountry() != null) {
            if (dn.length() > 0) {
                dn.append(", ");
            }
            dn.append("C=").append(reference.getCountry());
        }
        return stringToBCDNString(dn.toString());
    } catch (NoSuchFieldException e) {
        log.error("NoSuchFieldException: ", e);
        return null;
    }
}

From source file:org.cesecore.util.CertTools.java

/**
 * Gets the signature value (the raw signature bits) from the certificate. For an X.509
 * certificate this is the ASN.1 field defined as: signature BIT STRING.
 *
 * @param cert Certificate
 *
 * @return byte[] containing the certificate signature bits; a byte[] of size 0 if cert is null;
 *         null if the certificate is neither X.509 nor CVC, or if a CVC certificate has no
 *         readable signature field.
 */
public static byte[] getSignature(Certificate cert) {
    if (cert == null) {
        return new byte[0];
    }
    if (cert instanceof X509Certificate) {
        return ((X509Certificate) cert).getSignature();
    }
    if (StringUtils.equals(cert.getType(), "CVC")) {
        try {
            return ((CardVerifiableCertificate) cert).getCVCertificate().getSignature();
        } catch (NoSuchFieldException e) {
            log.error("NoSuchFieldException: ", e);
            return null;
        }
    }
    // Unknown certificate type: callers get null here, not an empty array.
    return null;
}

From source file:org.cesecore.util.CertTools.java

/**
 * Gets the serial number of the certificate.
 * <p>
 * For CVC certificates the sequence field of the holder reference serves as a kind of serial
 * number. It can be alphanumeric, so it is converted by getSerialNumberFromString. If the field
 * cannot be read at all, the error is logged and 0 is returned, which means distinct CVC
 * certificates can end up with the same serial number here.
 *
 * @param cert Certificate
 *
 * @return BigInteger containing the certificate serial number. Can be 0 for CVC certificates with alphanumeric serial numbers if the sequence
 *         does not contain any number characters at all.
 * @throws IllegalArgumentException if the input is null or the certificate type is not handled
 */
public static BigInteger getSerialNumber(Certificate cert) {
    if (cert == null) {
        throw new IllegalArgumentException("Null input");
    }
    if (cert instanceof X509Certificate) {
        return ((X509Certificate) cert).getSerialNumber();
    }
    if (!StringUtils.equals(cert.getType(), "CVC")) {
        throw new IllegalArgumentException(
                "getSerialNumber: Certificate of type " + cert.getType() + " is not implemented");
    }
    final CardVerifiableCertificate cvc = (CardVerifiableCertificate) cert;
    try {
        final String sequence = cvc.getCVCertificate().getCertificateBody().getHolderReference()
                .getSequence();
        return getSerialNumberFromString(sequence);
    } catch (NoSuchFieldException e) {
        log.error("getSerialNumber: NoSuchFieldException: ", e);
        return BigInteger.ZERO;
    }
}

From source file:org.cesecore.util.CertTools.java

/**
 * Returns the start of the validity period of an X.509 or CV certificate.
 *
 * @param cert the certificate to read, must not be null.
 * @return the start date; null when a CVC object carries no such field or when the certificate
 *         is of a type this method does not handle.
 * @throws IllegalArgumentException if cert is null.
 */
public static Date getNotBefore(Certificate cert) {
    if (cert == null) {
        throw new IllegalArgumentException("getNotBefore: cert is null");
    }
    if (cert instanceof X509Certificate) {
        return ((X509Certificate) cert).getNotBefore();
    }
    if (!StringUtils.equals(cert.getType(), "CVC")) {
        // Neither X.509 nor CVC: nothing to report.
        return null;
    }
    try {
        return ((CardVerifiableCertificate) cert).getCVCertificate().getCertificateBody().getValidFrom();
    } catch (NoSuchFieldException e) {
        // CVC certificate requests often lack this field (the EAC standard does not define it
        // for them), so this is logged at debug level only.
        log.debug("NoSuchFieldException: " + e.getMessage());
        return null;
    }
}