List of usage examples for java.security.cert X509Certificate getCriticalExtensionOIDs
public Set<String> getCriticalExtensionOIDs();
From source file:com.otterca.common.crypto.acceptance.X509CertificateBuilderAcceptanceTest.java
/**
 * Checks how the builder treats the inhibitAnyPolicy extension.
 * <p>
 * Three certificates are built from the same populated builder: one without the extension
 * requested, one end-entity certificate with a requested skip count, and one CA certificate
 * (basicConstraints set) with a requested skip count. Only the CA certificate is expected to
 * carry the extension, and it must appear in the certificate's critical extension set.
 *
 * @throws GeneralSecurityException if the builder cannot sign a certificate
 */
@Test
public void testInhibitAnyPolicy() throws GeneralSecurityException {
    // Default population: the extension must be absent.
    populate(builder);
    assertNoInhibitAnyPolicy(builder.build(keyPair.getPrivate()));

    // End-entity certificate: a requested skip count must still be dropped.
    builder.reset();
    populate(builder);
    builder.setInhibitAnyPolicy(6);
    assertNoInhibitAnyPolicy(builder.build(keyPair.getPrivate()));

    // CA certificate: the extension must be present, critical, and carry the skip count.
    builder.reset();
    populate(builder);
    builder.setBasicConstraints(true);
    builder.setInhibitAnyPolicy(6);
    final X509Certificate caCert = builder.build(keyPair.getPrivate());
    assertTrue(caCert.getCriticalExtensionOIDs().contains(INHIBIT_ANY_POLICY_OID),
            "certificate does not contain expected InhibitAnyPolicy extension");
    assertEquals(certUtil.getInhibitAnyPolicy(caCert), Integer.valueOf(6));
    // TODO also check behavior when issuer has inhibit any policy set.
}

/**
 * Asserts that {@code cert} neither lists inhibitAnyPolicy among its critical extensions nor
 * yields a skip count through {@code certUtil}.
 */
private void assertNoInhibitAnyPolicy(final X509Certificate cert) {
    assertFalse(cert.getCriticalExtensionOIDs().contains(INHIBIT_ANY_POLICY_OID),
            "certificate contains unexpected InhibitAnyPolicy extension");
    assertNull(certUtil.getInhibitAnyPolicy(cert));
}
From source file:net.sf.jsignpdf.utils.KeyStoreUtils.java
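/**
 * Returns the aliases of key entries in the given keystore that are usable for signing.
 * <p>
 * Every key entry whose certificate is an {@link X509Certificate} is filtered by up to three
 * configurable checks (each enabled by default):
 * <ul>
 * <li>{@code certificate.checkValidity} - the certificate must be inside its validity period;</li>
 * <li>{@code certificate.checkKeyUsage} - if a KeyUsage extension is present, digitalSignature
 * or nonRepudiation must be asserted;</li>
 * <li>{@code certificate.checkCriticalExtensions} - every critical extension OID must be listed
 * in {@link Constants#SUPPORTED_CRITICAL_EXTENSION_OIDS}, so a certificate carrying a critical
 * extension this tool cannot honour is not offered for signing.</li>
 * </ul>
 * All enabled checks are evaluated and logged even after an earlier one has failed. Key entries
 * whose certificate is not an X.509 certificate are accepted without any check. Any exception
 * raised while reading the keystore is logged and the aliases collected so far are returned.
 *
 * @param aKs keystore to inspect
 * @param options signer options; only checked for {@code null} here
 * @return mutable list of accepted aliases, possibly empty
 * @throws NullPointerException if {@code options} or {@code aKs} is {@code null}
 */
private static List<String> getAliasesList(final KeyStore aKs, final BasicSignerOptions options) {
    if (options == null) {
        throw new NullPointerException("Options are empty.");
    }
    if (aKs == null) {
        throw new NullPointerException(RES.get("error.keystoreNull"));
    }
    final List<String> result = new ArrayList<String>();
    try {
        LOGGER.info(RES.get("console.getAliases"));
        final boolean checkValidity = ConfigProvider.getInstance().getAsBool("certificate.checkValidity", true);
        final boolean checkKeyUsage = ConfigProvider.getInstance().getAsBool("certificate.checkKeyUsage", true);
        final boolean checkCriticalExtensions = ConfigProvider.getInstance()
                .getAsBool("certificate.checkCriticalExtensions", true);
        final Enumeration<String> aliases = aKs.aliases();
        while (aliases.hasMoreElements()) {
            final String alias = aliases.nextElement();
            if (!aKs.isKeyEntry(alias)) {
                continue;
            }
            final Certificate cert = aKs.getCertificate(alias);
            boolean accepted = true;
            if (cert instanceof X509Certificate) {
                final X509Certificate x509 = (X509Certificate) cert;
                // Non-short-circuit '&=' so that every enabled check runs and logs its own reason.
                if (checkValidity) {
                    accepted &= isWithinValidityPeriod(x509, alias);
                }
                if (checkKeyUsage) {
                    accepted &= allowsDigitalSignature(x509, alias);
                }
                if (checkCriticalExtensions) {
                    accepted &= hasOnlySupportedCriticalExtensions(x509, alias);
                }
            }
            if (accepted) {
                result.add(alias);
            }
        }
    } catch (Exception e) {
        // Best effort: report the failure and keep whatever was collected before it.
        LOGGER.error(RES.get("console.exception"), e);
    }
    return result;
}

/** Logs and returns {@code false} when the certificate is expired or not yet valid. */
private static boolean isWithinValidityPeriod(final X509Certificate cert, final String alias) {
    try {
        cert.checkValidity();
        return true;
    } catch (CertificateExpiredException e) {
        LOGGER.info(RES.get("console.certificateExpired", alias));
    } catch (CertificateNotYetValidException e) {
        LOGGER.info(RES.get("console.certificateNotYetValid", alias));
    }
    return false;
}

/**
 * Checks the KeyUsage extension. A certificate without the extension is accepted; otherwise
 * either digitalSignature (bit 0) or nonRepudiation (bit 1) must be set.
 */
private static boolean allowsDigitalSignature(final X509Certificate cert, final String alias) {
    // KeyUsage ::= BIT STRING { digitalSignature (0), nonRepudiation (1), keyEncipherment (2),
    //   dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7),
    //   decipherOnly (8) }
    final boolean[] keyUsage = cert.getKeyUsage();
    if (keyUsage == null || keyUsage.length == 0) {
        return true;
    }
    if (keyUsage[0] || keyUsage[1]) {
        return true;
    }
    LOGGER.info(RES.get("console.certificateNotForSignature", alias));
    return false;
}

/**
 * Logs every critical extension OID that is not in {@link Constants#SUPPORTED_CRITICAL_EXTENSION_OIDS}
 * and returns {@code false} if at least one was found. A {@code null} critical set (certificate
 * without extensions) is accepted.
 */
private static boolean hasOnlySupportedCriticalExtensions(final X509Certificate cert, final String alias) {
    final Set<String> criticalOids = cert.getCriticalExtensionOIDs();
    if (criticalOids == null) {
        return true;
    }
    boolean supported = true;
    for (String oid : criticalOids) {
        if (!Constants.SUPPORTED_CRITICAL_EXTENSION_OIDS.contains(oid)) {
            LOGGER.info(RES.get("console.criticalExtensionNotSupported", alias, oid));
            supported = false;
        }
    }
    return supported;
}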
From source file:org.apache.directory.studio.connection.ui.widgets.CertificateInfoComposite.java
/**
 * Adds one tree node per extension of the requested kind (critical or non-critical) below
 * {@code extensionsItem}.
 * <p>
 * Each extension value is decoded with {@code X509ExtensionUtil.fromExtensionValue}; if that
 * fails the raw bytes are shown hex-encoded instead so nothing is hidden. The node text lists
 * OID, criticality and value; three child nodes repeat the same fields individually.
 *
 * @param extensionsItem parent node that receives the extension nodes
 * @param certificate certificate whose extensions are listed
 * @param critical {@code true} to list the critical extensions, {@code false} for the non-critical ones
 */
private void populateExtensions(final TreeItem extensionsItem, final X509Certificate certificate, boolean critical) {
    final Set<String> oids;
    if (critical) {
        oids = certificate.getCriticalExtensionOIDs();
    } else {
        oids = certificate.getNonCriticalExtensionOIDs();
    }
    if (oids == null) {
        return;
    }
    final String criticalText = Boolean.toString(critical);
    for (String oid : oids) {
        final byte[] rawValue = certificate.getExtensionValue(oid);
        String decodedValue;
        try {
            ASN1Object extension = X509ExtensionUtil.fromExtensionValue(rawValue);
            decodedValue = extension.toString();
        } catch (IOException e) {
            // Undecodable value: fall back to the hex form of the raw extension bytes.
            decodedValue = new String(Hex.encodeHex(rawValue));
        }
        final StringBuilder text = new StringBuilder();
        text.append(Messages.getString("CertificateInfoComposite.ExtensionOIDColon")).append(oid).append('\n'); //$NON-NLS-1$
        text.append(Messages.getString("CertificateInfoComposite.CriticalColon")).append(criticalText).append('\n'); //$NON-NLS-1$
        text.append(Messages.getString("CertificateInfoComposite.ExtensionValueColon")).append(decodedValue).append('\n'); //$NON-NLS-1$
        // TODO: OID descriptions
        // TODO: formatting of extension value
        final TreeItem item = createTreeItem(extensionsItem, oid, text.toString());
        createTreeItem(item, Messages.getString("CertificateInfoComposite.ExtensionOID"), oid); //$NON-NLS-1$
        createTreeItem(item, Messages.getString("CertificateInfoComposite.Critical"), criticalText); //$NON-NLS-1$
        createTreeItem(item, Messages.getString("CertificateInfoComposite.ExtensionValue"), decodedValue); //$NON-NLS-1$
    }
}
From source file:org.ejbca.ui.cli.HSMKeyTool.java
/**
 * Dispatches one HSM key tool sub-command.
 * <p>
 * {@code orgArgs[1]} selects the command ({@code GENERATE_BATCH_SWITCH}, {@code GENERATE_SWITCH},
 * {@code DELETE_SWITCH}, {@code CERT_REQ}, {@code INSTALL_CERT}, {@code INSTALL_TRUSTED_ROOT},
 * {@code ENCRYPT_SWITCH}, {@code DECRYPT_SWITCH}, {@code SIGN_SWITCH}, {@code LINKCERT_SWITCH},
 * {@code VERIFY_SWITCH}, {@code TEST_SWITCH}, {@code RENAME}, {@code MOVE_SWITCH}); the remaining
 * arguments are command specific. An optional {@code -password} switch is removed before dispatch
 * and turned into a {@link KeyStore.PasswordProtection}. Commands that receive too few arguments
 * print their usage and call {@code tooFewArguments}.
 * <p>
 * NOTE(review): the keystore password arrives as a plain command-line argument; how callers obtain
 * it (and whether it is visible in process listings or shell history) is not visible here - confirm.
 *
 * @param orgArgs full command line; {@code orgArgs[0]} is never read here
 * @return {@code true} if {@code orgArgs[1]} matched a known command, {@code false} otherwise
 * @throws Exception on any failure of the selected command (I/O, keystore, provider)
 */
private static boolean doIt(final String[] orgArgs) throws Exception {
    // Get and remove optional switches
    final List<String> argsList = CliTools.getAsModifyableList(orgArgs);
    final KeyStore.ProtectionParameter protectionParameter;
    final String password = CliTools.getAndRemoveParameter("-password", argsList);
    if (password != null) {
        protectionParameter = new KeyStore.PasswordProtection(password.toCharArray());
    } else {
        protectionParameter = null;
    }
    final String[] args = CliTools.getAsArgs(argsList);
    // Note: the two generate commands match with contains(), every other command with equals().
    if (args[1].toLowerCase().trim().contains(GENERATE_BATCH_SWITCH)) {
        if (args.length < 4) {
            printCommandString(args, "<name of batch file> [", TOKEN_ID_PARAM, "]");
            printTokenIdDescription();
            sunConfigFileUseDescription();
            System.err.println("The batch file is a file which specifies alias and key specification for each key to be generated.");
            System.err.println("Each row is starting with a key alias then the key specification is following.");
            System.err.println("The specification of the key is done like this: " + KEY_SPEC_DESC);
            tooFewArguments(args);
        }
        // Without a token id the Sun PKCS#11 config-file style store is assumed.
        final String storeId;
        final Pkcs11SlotLabelType slotType;
        if (args.length > 4) {
            storeId = trimStoreId(args[4]);
            slotType = getTokenLabelType(args[4]);
        } else {
            storeId = null;
            slotType = Pkcs11SlotLabelType.SUN_FILE;
        }
        final KeyStoreTools store = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter, "batch-" + new Date().getTime());
        generateBatch(args[3], store);
        return true;
    }
    if (args[1].toLowerCase().trim().contains(GENERATE_SWITCH)) {
        if (args.length < 4) {
            printCommandString(args, Character.valueOf('<'), KEY_SPEC_DESC, "> <key entry name> [", TOKEN_ID_PARAM, "]");
            printTokenIdDescription();
            sunConfigFileUseDescription();
            tooFewArguments(args);
        }
        final String keyEntryName = args.length > 4 ? args[4] : "myKey";
        final String storeId;
        final Pkcs11SlotLabelType slotType;
        if (args.length > 5) {
            storeId = trimStoreId(args[5]);
            slotType = getTokenLabelType(args[5]);
        } else {
            storeId = null;
            slotType = Pkcs11SlotLabelType.SUN_FILE;
        }
        System.out.println("Using Slot Reference Type: " + slotType + '.');
        final KeyStoreTools store = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter, "priv-" + keyEntryName);
        store.generateKeyPair(args[3], keyEntryName);
        System.out.println("Created certificate with entry " + keyEntryName + '.');
        return true;
    }
    if (args[1].toLowerCase().trim().equals(DELETE_SWITCH)) {
        if (args.length < 4) {
            printCommandString(args, TOKEN_ID_PARAM, " [<key entry name>]");
            printTokenIdDescription();
            tooFewArguments(args);
        }
        // A missing alias is passed on as null; what deleteEntry(null) does is decided by KeyStoreTools.
        final String alias = args.length > 4 ? args[4] : null;
        System.out.println("Deleting certificate with alias " + alias + '.');
        final String storeId = trimStoreId(args[3]);
        final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]);
        KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter).deleteEntry(alias);
        return true;
    }
    if (args[1].toLowerCase().trim().equals(CERT_REQ)) {
        // First we check if we have a switch for "-explicitecc" for explicit ecc parameters used in ICAO epassports.
        final List<String> argsListLocal = CliTools.getAsModifyableList(args);
        final boolean explicitEccParameters = argsListLocal.remove("-explicitecc");
        final boolean forAllKeys = argsListLocal.remove("-all");
        final String modArgs[] = argsListLocal.toArray(new String[argsListLocal.size()]);
        if (modArgs.length < 4 || (modArgs.length < 5 && !forAllKeys)) {
            printCommandString(args, TOKEN_ID_PARAM, " <key entry name> [<CN>] [-explicitecc]");
            printCommandString(args, TOKEN_ID_PARAM, " [-all] [-explicitecc]");
            printTokenIdDescription();
            tooFewArguments(modArgs);
        }
        final String storeId = trimStoreId(modArgs[3]);
        final Pkcs11SlotLabelType slotType = getTokenLabelType(modArgs[3]);
        final KeyStoreTools container = KeyStoreToolsFactory.getInstance(modArgs[2], storeId, slotType, null, protectionParameter);
        // With -all every key entry of the store gets a request; otherwise only the named entry.
        final List<String> entries;
        if (forAllKeys) {
            entries = new LinkedList<>();
            final CachingKeyStoreWrapper ks = container.getKeyStore();
            final Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements()) {
                final String alias = aliases.nextElement();
                if (ks.isKeyEntry(alias)) {
                    entries.add(alias);
                }
            }
        } else {
            entries = Collections.singletonList(modArgs[4]);
        }
        for (String entry : entries) {
            // modArgs[5] is the optional CN; with -all it is applied to every entry.
            container.generateCertReq(entry, modArgs.length > 5 ? modArgs[5] : null, explicitEccParameters);
        }
        return true;
    }
    if (args[1].toLowerCase().trim().equals(INSTALL_CERT)) {
        if (args.length < 5) {
            printCommandString(args, TOKEN_ID_PARAM, " <certificate chain files in PEM format (one chain per file)>");
            printTokenIdDescription();
            tooFewArguments(args);
        }
        final String storeId = trimStoreId(args[3]);
        final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]);
        final KeyStoreTools container = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter);
        // Every file is attempted; a single failure is logged and reported once at the end.
        boolean failure = false;
        for (int i = 4; i < args.length; i++) {
            try {
                container.installCertificate(args[i]);
            } catch (Exception ex) {
                failure = true;
                log.error("File " + args[i] + " failed.", ex);
            }
        }
        if (failure) {
            throw new Exception("At least one certificate could not be installed. See the log for more info.");
        }
        return true;
    }
    if (args[1].toLowerCase().trim().equals(INSTALL_TRUSTED_ROOT)) {
        if (args.length < 5) {
            printCommandString(args, TOKEN_ID_PARAM, " <trusted root certificate in PEM format>");
            printTokenIdDescription();
            tooFewArguments(args);
        }
        final String storeId = trimStoreId(args[3]);
        final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]);
        KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter).installTrustedRoot(args[4]);
        return true;
    }
    if (args[1].toLowerCase().trim().equals(ENCRYPT_SWITCH)) {
        // NOTE(review): the code default is AES128_CBC while the usage text below advertises
        // AES256_CBC as the default - one of the two is wrong; confirm the intended default.
        String symmAlgOid = CMSEnvelopedGenerator.AES128_CBC;
        if (args.length < 5) {
            System.err.println("There are two ways of doing the encryption:");
            printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias> [optional symm algorithm oid]");
            printCommandStringNoSharedLib(args, "<input file> <output file> <file with certificate with public key to use> [optional symm algorithm oid]");
            printTokenIdDescription();
            System.err.println("Optional symmetric encryption algorithm OID can be for example 2.16.840.1.101.3.4.1.42 (AES256_CBC) or 1.2.392.200011.61.1.1.1.4 (CAMELLIA256_CBC). Default is to use AES256_CBC.");
            tooFewArguments(args);
        }
        // Fewer than 7 arguments: the recipient certificate comes from a file (args[4]) and the
        // argument layout is <input> <output> <cert file> [oid]; otherwise the certificate is
        // looked up in the token by alias (args[6]) with layout <token> <input> <output> <alias> [oid].
        if (args.length < 7) {
            Security.addProvider(new BouncyCastleProvider());
            if (args.length > 5) {
                // We have a symmAlg as last parameter
                symmAlgOid = args[5];
            }
            System.out.println("Using symmetric encryption algorithm: " + symmAlgOid);
            try (final InputStream certIS = new FileInputStream(args[4]); final InputStream is = new FileInputStream(args[2]); final OutputStream os = new FileOutputStream(args[3])) {
                final X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new BufferedInputStream(certIS));
                CMS.encrypt(is, os, cert, symmAlgOid);
            }
        } else {
            if (args.length > 7) {
                // We have a symmAlg as last parameter
                symmAlgOid = args[7];
            }
            System.out.println("Using symmstric encryption algorithm: " + symmAlgOid);
            final String storeId = trimStoreId(args[3]);
            final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]);
            try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5]);) {
                final Certificate cert = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter).getKeyStore().getCertificate(args[6]);
                CMS.encrypt(is, os, (X509Certificate) cert, symmAlgOid);
            }
        }
        return true;
    }
    if (args[1].toLowerCase().trim().equals(DECRYPT_SWITCH)) {
        if (args.length < 7) {
            printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias>");
            printTokenIdDescription();
            tooFewArguments(args);
        }
        final String storeId = trimStoreId(args[3]);
        final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]);
        try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5])) {
            final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter);
            // Key password is null: protection is expected to come from protectionParameter / the token.
            CMS.decrypt(is, os, (PrivateKey) keyStore.getKeyStore().getKey(args[6], null), keyStore.getProviderName());
        }
        return true;
    }
    if (args[1].toLowerCase().trim().equals(SIGN_SWITCH)) {
        if (args.length < 7) {
            printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias>");
            printTokenIdDescription();
            tooFewArguments(args);
        }
        final String storeId = trimStoreId(args[3]);
        final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]);
        final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter);
        final String alias = args[6];
        final PrivateKey key = (PrivateKey) keyStore.getKeyStore().getKey(alias, null);
        final X509Certificate cert = (X509Certificate) keyStore.getKeyStore().getCertificate(alias);
        try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5]);) {
            CMS.sign(is, os, key, keyStore.getProviderName(), cert);
        }
        return true;
    }
    if (args[1].toLowerCase().trim().equals(LINKCERT_SWITCH)) {
        if (args.length < 8) {
            printCommandString(args, TOKEN_ID_PARAM, " <old ca-cert> <new ca-cert> <output link-cert> <key alias> [<sig alg override>]");
            printTokenIdDescription();
            System.err.println();
            System.err.println("Creates a link certificate that links the old and new certificate files.");
            System.err.println("You should use this command with the old HSM key. It does not need any");
            System.err.println("access to the new key.");
            System.err.println();
            tooFewArguments(args);
        }
        final String storeId = trimStoreId(args[3]);
        final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]);
        final KeyStoreTools ksc = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter);
        final String alias = args[7];
        final String oldCertPath = args[4];
        final String newCertPath = args[5];
        final String outputPath = args[6];
        final String signProviderName = ksc.getProviderName();
        // The literal string "null" (not a null reference) marks "no override"; compared below with equalsIgnoreCase.
        final String sigAlgOverride = (args.length > 8 ? args[8] : "null");
        // Parse certificates
        final byte[] oldCertBytes;
        try (final InputStream is = new FileInputStream(oldCertPath)) {
            oldCertBytes = IOUtils.toByteArray(is);
        }
        final byte[] newCertBytes;
        try (final InputStream is = new FileInputStream(newCertPath)) {
            newCertBytes = IOUtils.toByteArray(is);
        }
        final Certificate oldCert = CertTools.getCertfromByteArray(oldCertBytes, BouncyCastleProvider.PROVIDER_NAME, Certificate.class);
        final Certificate newCert = CertTools.getCertfromByteArray(newCertBytes, BouncyCastleProvider.PROVIDER_NAME, Certificate.class);
        final boolean isCVCA = (oldCert instanceof CardVerifiableCertificate);
        if (isCVCA != (newCert instanceof CardVerifiableCertificate)) {
            log.error("Error: Old and new certificates are not of the same type (X509 / CVC)");
            return true; // = valid command-line syntax
        }
        System.out.println("Type of certificates: " + (isCVCA ? "CVC" : "X509"));
        // Detect name change
        final String oldDN = CertTools.getSubjectDN(oldCert);
        final String newDN = CertTools.getSubjectDN(newCert);
        System.out.println("Old DN: " + oldDN);
        System.out.println("New DN: " + newDN);
        final boolean nameChange;
        if (!oldDN.equals(newDN)) {
            if (isCVCA) {
                System.out.println("Name change detected.");
            } else {
                System.out.println("Name change detected. Will add Name Change extension.");
            }
            nameChange = true;
        } else {
            System.out.println("No name change detected.");
            nameChange = false;
        }
        final ByteArrayOutputStream baos = new ByteArrayOutputStream();
        // Get new and old key
        final PublicKey newPubKey = newCert.getPublicKey();
        if (newPubKey == null) {
            System.err.println("Error: Failed to extract public key from new certificate");
            return true;
        }
        final Key oldKey = ksc.getKeyStore().getKey(alias, null);
        if (oldKey == null) {
            System.err.println("Error: Could not find the key named " + alias);
            return true;
        }
        final PrivateKey oldPrivKey = (PrivateKey) oldKey;
        if (isCVCA) {
            final CVCertificate oldCertCVC = ((CardVerifiableCertificate) oldCert).getCVCertificate();
            final CVCertificate newCertCVC = ((CardVerifiableCertificate) newCert).getCVCertificate();
            final String linkSigAlg;
            if (sigAlgOverride.equalsIgnoreCase("null")) {
                final OIDField oldKeyTypeOid = oldCertCVC.getCertificateBody().getPublicKey().getObjectIdentifier();
                linkSigAlg = AlgorithmUtil.getAlgorithmName(oldKeyTypeOid);
            } else {
                System.err.println("Error: Overriding the signature algorithm is not supported for CVC");
                return true;
            }
            System.out.println("Using signature algorithm " + linkSigAlg);
            // The link certificate is issued by the old holder, for the new holder, with the new
            // certificate's role and rights, and expires together with the old certificate.
            final HolderReferenceField caHolder = oldCertCVC.getCertificateBody().getHolderReference();
            final CAReferenceField caRef = new CAReferenceField(caHolder.getCountry(), caHolder.getMnemonic(), caHolder.getSequence());
            final HolderReferenceField certHolder = newCertCVC.getCertificateBody().getHolderReference();
            final AuthorizationRole authRole = newCertCVC.getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getAuthRole();
            final AccessRights rights = newCertCVC.getCertificateBody().getAuthorizationTemplate().getAuthorizationField().getAccessRights();
            final Date validFrom = new Date(new Date().getTime() - 60L * 15L * 1000L); // back date by 15 minutes to allow for clock skew
            final Date validTo = oldCertCVC.getCertificateBody().getValidTo();
            final CVCertificate linkCert = CertificateGenerator.createCertificate(newPubKey, oldPrivKey, linkSigAlg, caRef, certHolder, authRole, rights, validFrom, validTo, signProviderName);
            try (final DataOutputStream dos = new DataOutputStream(baos)) {
                linkCert.encode(dos);
            }
        } else {
            // X509 CA
            final X509Certificate oldCertX509 = (X509Certificate) oldCert;
            final X509Certificate newCertX509 = (X509Certificate) newCert;
            final String linkSigAlg;
            if (sigAlgOverride.equalsIgnoreCase("null")) {
                // Actually, we should use signature algorithm of new cert if the old key allows that.
                // Instead of doing that we allow the user to manually override the signature algorithm if needed.
                linkSigAlg = oldCertX509.getSigAlgName();
            } else {
                System.err.println("Warning: Signature algorithm manually overridden!");
                linkSigAlg = sigAlgOverride;
            }
            System.out.println("Using signature algorithm " + linkSigAlg);
            // Issuer = old subject, subject = new subject, key = new public key, notAfter = old notAfter.
            final BigInteger serno = SernoGeneratorRandom.instance().getSerno();
            final SubjectPublicKeyInfo pkinfo = SubjectPublicKeyInfo.getInstance(newPubKey.getEncoded());
            final Date validFrom = new Date(new Date().getTime() - 60L * 15L * 1000L); // back date by 15 minutes to allow for clock skew
            final Date validTo = oldCertX509.getNotAfter();
            final X500Name oldDNName = X500Name.getInstance(oldCertX509.getSubjectX500Principal().getEncoded());
            final X500Name newDNName = X500Name.getInstance(newCertX509.getSubjectX500Principal().getEncoded());
            final X509v3CertificateBuilder certbuilder = new X509v3CertificateBuilder(oldDNName, serno, validFrom, validTo, newDNName, pkinfo);
            // Copy all extensions except AKID
            // Each extension keeps the criticality it has in the new certificate. getExtensionValue()
            // returns the DER OCTET STRING wrapper, so it is unwrapped once before re-adding.
            final ExtensionsGenerator extgen = new ExtensionsGenerator();
            final Set<String> oids = new LinkedHashSet<>();
            final Set<String> criticalOids = newCertX509.getCriticalExtensionOIDs();
            oids.addAll(criticalOids);
            oids.addAll(newCertX509.getNonCriticalExtensionOIDs());
            for (final String extOidStr : oids) {
                final ASN1ObjectIdentifier extoid = new ASN1ObjectIdentifier(extOidStr);
                if (!extoid.equals(Extension.authorityKeyIdentifier)) {
                    final byte[] extbytes = newCertX509.getExtensionValue(extOidStr);
                    final ASN1OctetString str = (ASN1OctetString) ASN1Primitive.fromByteArray(extbytes);
                    extgen.addExtension(extoid, criticalOids.contains(extOidStr), ASN1Primitive.fromByteArray(str.getOctets()));
                }
            }
            if (nameChange) {
                // id-icao-mrtd-security-extensions-nameChange = 2.23.136.1.1.6.1
                extgen.addExtension(ICAOObjectIdentifiers.id_icao_extensions_namechangekeyrollover, false, DERNull.INSTANCE);
            }
            // Some checks
            if (newCertX509.getExtensionValue(Extension.subjectKeyIdentifier.getId()) == null) {
                System.err.println("Warning: Certificate of new CSCA is missing the Subject Key Identifier extension, which is mandatory.");
            }
            if (newCertX509.getExtensionValue(Extension.authorityKeyIdentifier.getId()) == null) {
                System.err.println("Warning: Certificate of new CSCA is missing the Authority Key Identifier extension, which is mandatory.");
            }
            // If the new cert has an AKID, then add that extension but with the key id value of the old cert
            // (the AKID is derived from the old certificate's SKID, regardless of whether the new cert has an AKID).
            final byte[] oldSKIDBytes = oldCertX509.getExtensionValue(Extension.subjectKeyIdentifier.getId());
            if (oldSKIDBytes != null) {
                final ASN1OctetString str = (ASN1OctetString) ASN1Primitive.fromByteArray(oldSKIDBytes);
                final ASN1OctetString innerStr = (ASN1OctetString) ASN1Primitive.fromByteArray(str.getOctets());
                final AuthorityKeyIdentifier akidExt = new AuthorityKeyIdentifier(innerStr.getOctets());
                extgen.addExtension(Extension.authorityKeyIdentifier, false, akidExt);
            } else {
                System.err.println("Warning: The old certificate doesn't have any SubjectKeyIdentifier. The link certificate will not have any AuthorityKeyIdentifier.");
            }
            // Add extensions to the certificate
            final Extensions exts = extgen.generate();
            for (final ASN1ObjectIdentifier extoid : exts.getExtensionOIDs()) {
                final Extension ext = exts.getExtension(extoid);
                certbuilder.addExtension(extoid, ext.isCritical(), ext.getParsedValue());
            }
            // Sign the certificate
            final ContentSigner signer = new BufferingContentSigner(new JcaContentSignerBuilder(linkSigAlg).setProvider(signProviderName).build(oldPrivKey), 20480);
            final X509CertificateHolder certHolder = certbuilder.build(signer);
            baos.write(certHolder.getEncoded());
            // Save to output file
            try (final FileOutputStream fos = new FileOutputStream(outputPath)) {
                baos.writeTo(fos);
            }
        }
        return true;
    }
    if (args[1].toLowerCase().trim().equals(VERIFY_SWITCH)) {
        final CMS.VerifyResult verifyResult;
        if (args.length < 5) {
            // NOTE(review): this usage text still says "encryption"; it was evidently copied from the encrypt command.
            System.err.println("There are two ways of doing the encryption:");
            printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias>");
            printTokenIdDescription();
            printCommandStringNoSharedLib(args, "<input file> <output file> <file with certificate with public key to use>");
            tooFewArguments(args);
        }
        // Same argument-layout split as for ENCRYPT_SWITCH: certificate file vs. token alias.
        if (args.length < 7) {
            Security.addProvider(new BouncyCastleProvider());
            try (final InputStream certIS = new FileInputStream(args[4]); final InputStream is = new FileInputStream(args[2]); final OutputStream os = new FileOutputStream(args[3]);) {
                final X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new BufferedInputStream(certIS));
                verifyResult = CMS.verify(is, os, cert);
            }
        } else {
            final String storeId = trimStoreId(args[3]);
            final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]);
            final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter);
            final X509Certificate cert = (X509Certificate) keyStore.getKeyStore().getCertificate(args[6]);
            try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5])) {
                verifyResult = CMS.verify(is, os, cert);
            }
        }
        // Exit status 4 signals both "unparseable input" and "signature did not verify".
        if (verifyResult == null) {
            System.err.println("Not possible to parse signed file.");
            System.exit(4); // Not verifying // NOPMD, it's not a JEE app
            return false; // never executed (System.exit does not return); only satisfies the compiler.
        }
        System.out.println("The signature of the input " + (verifyResult.isVerifying ? "has been" : "could not be") + " verified. The file was signed on '" + verifyResult.signDate + "'. The public part of the signing key is in a certificate with serial number " + verifyResult.signerId.getSerialNumber() + " issued by '" + verifyResult.signerId.getIssuer() + "'.");
        if (!verifyResult.isVerifying) {
            System.exit(4); // Not verifying // NOPMD, it's not a JEE app
        }
        return true;
    }
    if (args[1].toLowerCase().trim().equals(TEST_SWITCH)) {
        if (args.length < 4) {
            printCommandString(args, TOKEN_ID_PARAM, " [<'m:n' m # of threads, n # of tests>] [<alias for stress test>] [<type of stress test>]");
            printTokenIdDescription();
            System.err.println(" If a file named \"./testData\" exists then the data that is signed, is read from this file.");
            tooFewArguments(args);
        }
        final String storeId = trimStoreId(args[3]);
        final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]);
        final NrOfThreadsAndNrOfTests notanot = new NrOfThreadsAndNrOfTests(args.length > 4 ? args[4] : null);
        KeyStoreContainerTest.test(args[2], storeId, slotType, notanot.threads, notanot.tests, args.length > 5 ? args[5].trim() : null, args.length > 6 ? args[6].trim() : null, protectionParameter);
        return true;
    }
    if (args[1].toLowerCase().trim().equals(RENAME)) {
        if (args.length < 6) {
            printCommandString(args, TOKEN_ID_PARAM, " <old key alias> <new key alias>");
            printTokenIdDescription();
            tooFewArguments(args);
        }
        final String storeId = trimStoreId(args[3]);
        final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]);
        final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter);
        keyStore.renameEntry(args[4], args[5]);
        return true;
    }
    if (args[1].toLowerCase().trim().equals(MOVE_SWITCH)) {
        if (args.length < 5) {
            printCommandString(args, "<from PKCS#11 token identifier> <to PKCS#11 token identifier>");
            printTokenIdDescription();
            tooFewArguments(args);
        }
        final KeyStoreTools fromKS = KeyStoreToolsFactory.getInstance(args[2], trimStoreId(args[3]), getTokenLabelType(args[3]), null, protectionParameter);
        final KeyStoreTools toKS = KeyStoreToolsFactory.getInstance(args[2], trimStoreId(args[4]), getTokenLabelType(args[4]), null, protectionParameter);
        System.out.println("Moving entry with alias '" + args[3] + "' to alias '" + args[4] + '.');
        // NOTE(review): only key entries are copied, but deleteEntry() runs for every alias, so
        // non-key entries (e.g. trusted certificates) in the source token are removed without being
        // moved - confirm this is intended.
        final Enumeration<String> e = fromKS.getKeyStore().aliases();
        while (e.hasMoreElements()) {
            final String alias = e.nextElement();
            if (fromKS.getKeyStore().isKeyEntry(alias)) {
                final Key key = fromKS.getKeyStore().getKey(alias, null);
                final Certificate chain[] = fromKS.getKeyStore().getCertificateChain(alias);
                toKS.setKeyEntry(alias, key, chain);
            }
            fromKS.getKeyStore().deleteEntry(alias);
        }
        fromKS.getKeyStore().store(null, null);
        toKS.getKeyStore().store(null, null);
        return true;
    }
    return false;
}
From source file:org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler.java
/**
 * Tells whether the certificate marks the extension {@code oid} as critical.
 * <p>
 * {@link X509Certificate#getCriticalExtensionOIDs()} may return {@code null} (no extensions at
 * all) or an empty set (none critical); both answer {@code false}.
 *
 * @param certificate certificate to inspect
 * @param oid dotted-decimal extension OID
 * @return {@code true} only if {@code oid} is in the certificate's critical extension set
 */
private boolean isExtensionMarkedCritical(final X509Certificate certificate, final String oid) {
    final Set<String> criticalOids = certificate.getCriticalExtensionOIDs();
    return criticalOids != null && !criticalOids.isEmpty() && criticalOids.contains(oid);
}
From source file:org.metaeffekt.dcc.commons.pki.CertificateManager.java
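/**
 * Copies the extension identified by {@code extensionType} from the issuer certificate into
 * {@code extensions}, keeping the criticality flag the issuer certificate uses for it.
 * <p>
 * Does nothing when the issuer certificate has no such extension. The value returned by
 * {@link X509Certificate#getExtensionValue(String)} is wrapped as an {@code ASN1OctetString}
 * without further decoding.
 * <p>
 * The criticality lookup is performed only after the extension has been found, because
 * {@code getCriticalExtensionOIDs()} returns {@code null} for a certificate without any
 * extensions (e.g. a v1 certificate), which previously caused a {@link NullPointerException}.
 *
 * @param extensionType OID of the extension to copy
 * @param issuerCertificate certificate to read the extension from
 * @param extensions target list the copied extension is appended to
 */
protected void copyExtension(final ASN1ObjectIdentifier extensionType, X509Certificate issuerCertificate, List<Extension> extensions) {
    final String oid = extensionType.getId();
    final byte[] encodedAttribute = issuerCertificate.getExtensionValue(oid);
    if (encodedAttribute == null) {
        // Extension absent on the issuer: nothing to copy.
        return;
    }
    final ASN1OctetString data = ASN1OctetString.getInstance(encodedAttribute);
    // Guard against a null critical set even though an extension was just found.
    final java.util.Set<String> criticalOids = issuerCertificate.getCriticalExtensionOIDs();
    final boolean isCritical = criticalOids != null && criticalOids.contains(oid);
    extensions.add(new Extension(extensionType, isCritical, data));
}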
From source file:org.signserver.admin.gui.ViewCertificateFrame.java
/**
 * Displays the given certificate in the frame's field list, or clears the list model data when
 * {@code certificate} is {@code null}.
 * <p>
 * Rows are added in a fixed order: version, serial number (hex), signature algorithm, issuer,
 * validity bounds, subject, public key algorithm, hex-encoded public key, one row per critical
 * and per non-critical extension OID (values not rendered yet), the signature algorithm again,
 * and the hex-encoded signature value. The issuer and subject rows use
 * {@code getIssuerDN()}/{@code getSubjectDN()} on purpose so the displayed text keeps its format.
 *
 * @param certificate certificate to show, may be {@code null}
 */
private void viewCertificate(final X509Certificate certificate) {
    this.certificate = certificate;
    if (certificate == null) {
        fields = null;
        return;
    }
    fields = new ArrayList<Field>();
    final List<Field> rows = fields;
    final PublicKey publicKey = certificate.getPublicKey();
    rows.add(new Field("Version", String.valueOf(certificate.getVersion())));
    rows.add(new Field("Serial Number", certificate.getSerialNumber().toString(16)));
    rows.add(new Field("Certificate Signature Algorithm", String.valueOf(certificate.getSigAlgName())));
    rows.add(new Field("Issuer", String.valueOf(certificate.getIssuerDN())));
    rows.add(new Field("Validity Not Before", String.valueOf(certificate.getNotBefore())));
    rows.add(new Field("Validity Not After", String.valueOf(certificate.getNotAfter())));
    rows.add(new Field("Subject", String.valueOf(certificate.getSubjectDN())));
    rows.add(new Field("Subject Public Key Algorithm", String.valueOf(publicKey.getAlgorithm())));
    rows.add(new Field("Subject's Public Key", new String(Hex.encode(publicKey.getEncoded()))));
    addExtensionRows(rows, "Critical extension: ", certificate.getCriticalExtensionOIDs());
    addExtensionRows(rows, "Non critical extension: ", certificate.getNonCriticalExtensionOIDs());
    rows.add(new Field("Certificate Signature Algorithm", String.valueOf(certificate.getSigAlgName())));
    rows.add(new Field("Certificate Signature Value", new String(Hex.encode(certificate.getSignature()))));
    // The model reads the 'fields' member lazily, so it always reflects the latest certificate.
    fieldsList.setModel(new AbstractListModel() {
        @Override
        public int getSize() {
            return fields.size();
        }

        @Override
        public Object getElementAt(int index) {
            return fields.get(index);
        }
    });
}

/**
 * Appends one placeholder row per extension OID, labelled {@code labelPrefix + oid}; a
 * {@code null} OID set (certificate without extensions) adds nothing.
 */
private void addExtensionRows(final List<Field> rows, final String labelPrefix, final Iterable<String> oids) {
    if (oids == null) {
        return;
    }
    for (String oid : oids) {
        rows.add(new Field(labelPrefix + oid, "<Not supported yet>"));
    }
}