List of usage examples for java.security.cert X509Certificate getExtensionValue
public byte[] getExtensionValue(String oid);
From source file:eu.europa.ec.markt.dss.validation.crl.OnlineCRLSource.java
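/**
 * Gives back the first CRL distribution point URI found in the given X509 certificate.
 *
 * The cRLDistributionPoints extension is walked in order; only distribution points that carry a
 * fullName of type uniformResourceIdentifier contribute. Within the first distribution point that
 * yields at least one URI, a URI starting with {@code preferredProtocol} (if configured) wins,
 * otherwise the first URI of that distribution point is returned.
 *
 * Security note: the returned URL is data taken from the certificate and is attacker-controlled
 * for an untrusted certificate. Callers that fetch it should restrict the schemes they follow and
 * must verify the downloaded CRL's signature against the issuer before trusting its contents.
 *
 * @param certificate the X509 certificate.
 * @return the CRL URI, or <code>null</code> if the extension is not present or holds no usable URI.
 * @throws DSSException if the extension value cannot be decoded.
 */
public String getCrlUri(X509Certificate certificate) throws DSSException {
    final byte[] crlDistributionPointsValue = certificate
            .getExtensionValue(X509Extension.cRLDistributionPoints.getId());
    if (null == crlDistributionPointsValue) {
        return null;
    }
    ASN1InputStream ais1 = null;
    ASN1InputStream ais2 = null;
    try {
        final List<String> urls = new ArrayList<String>();
        // getExtensionValue() returns the DER-encoded OCTET STRING wrapper; unwrap it first,
        // then decode the CRLDistributionPoints SEQUENCE it contains.
        final ByteArrayInputStream bais = new ByteArrayInputStream(crlDistributionPointsValue);
        ais1 = new ASN1InputStream(bais);
        final DEROctetString oct = (DEROctetString) (ais1.readObject());
        ais2 = new ASN1InputStream(oct.getOctets());
        final ASN1Sequence seq = (ASN1Sequence) ais2.readObject();
        final CRLDistPoint distPoint = CRLDistPoint.getInstance(seq);
        final DistributionPoint[] distributionPoints = distPoint.getDistributionPoints();
        for (final DistributionPoint distributionPoint : distributionPoints) {
            final DistributionPointName distributionPointName = distributionPoint.getDistributionPoint();
            // The distributionPoint field is OPTIONAL (RFC 5280 4.2.1.13): a DP that only carries
            // reasons/cRLIssuer has none, and dereferencing it here used to throw a NullPointerException.
            if (distributionPointName == null) {
                continue;
            }
            // nameRelativeToCRLIssuer holds an RDN, not GeneralNames -- skip it rather than cast.
            if (DistributionPointName.FULL_NAME != distributionPointName.getType()) {
                continue;
            }
            final GeneralNames generalNames = (GeneralNames) distributionPointName.getName();
            final GeneralName[] names = generalNames.getNames();
            for (final GeneralName name : names) {
                if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
                    LOG.fine("Not a uniform resource identifier");
                    continue;
                }
                final String urlStr;
                if (name.getDERObject() instanceof DERTaggedObject) {
                    final DERTaggedObject taggedObject = (DERTaggedObject) name.getDERObject();
                    final DERIA5String derStr = DERIA5String.getInstance(taggedObject.getObject());
                    urlStr = derStr.getString();
                } else {
                    final DERIA5String derStr = DERIA5String.getInstance(name.getDERObject());
                    urlStr = derStr.getString();
                }
                urls.add(urlStr);
            }
            // Selection happens per distribution point: the first DP that produced any URI decides.
            if (preferredProtocol != null) {
                for (final String url : urls) {
                    if (url.startsWith(preferredProtocol)) {
                        return url;
                    }
                }
            }
            if (urls.size() > 0) {
                return urls.get(0);
            }
        }
        return null;
    } catch (IOException e) {
        throw new DSSException(e);
    } finally {
        DSSUtils.closeQuietly(ais1);
        DSSUtils.closeQuietly(ais2);
    }
}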
From source file:net.sf.jsignpdf.crl.CRLInfo.java
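/**
 * Returns an (initialized, but maybe empty) set of CRL URLs for the given certificate, read from
 * its cRLDistributionPoints extension.
 *
 * Only distribution points that carry a fullName are considered, and from each of them only the
 * first uniformResourceIdentifier whose value starts with "http" is collected. NOTE(review): that
 * is a plain prefix test, so it admits "https://" as intended but would also admit an unusual
 * scheme such as "httpx://".
 *
 * Security note: the URLs come straight from the certificate and are attacker-controlled for an
 * untrusted certificate; a CRL fetched from them must be signature-checked before it is used.
 *
 * @param aCert X509 certificate.
 * @return the set of CRL URLs found, never {@code null}.
 */
private Set<String> getCrlUrls(final X509Certificate aCert) {
    final Set<String> tmpResult = new HashSet<String>();
    LOGGER.info(RES.get("console.crlinfo.retrieveCrlUrl", aCert.getSubjectX500Principal().getName()));
    final byte[] crlDPExtension = aCert.getExtensionValue(X509Extension.cRLDistributionPoints.getId());
    if (crlDPExtension == null) {
        LOGGER.info(RES.get("console.crlinfo.distPointNotSupported"));
        return tmpResult;
    }
    CRLDistPoint crlDistPoints = null;
    try {
        crlDistPoints = CRLDistPoint.getInstance(X509ExtensionUtil.fromExtensionValue(crlDPExtension));
    } catch (IOException e) {
        // Best effort: an undecodable extension yields an empty result rather than a failure.
        LOGGER.warn("", e);
    }
    if (crlDistPoints == null) {
        return tmpResult;
    }
    distPoint:
    for (DistributionPoint dp : crlDistPoints.getDistributionPoints()) {
        final DistributionPointName dpName = dp.getDistributionPoint();
        // The distributionPoint field is OPTIONAL, and when present it may be a
        // nameRelativeToCRLIssuer (an RDN, not GeneralNames). The former unconditional cast
        // failed with a NullPointerException / ClassCastException on such certificates.
        if (dpName == null || dpName.getType() != DistributionPointName.FULL_NAME) {
            LOGGER.info(RES.get("console.crlinfo.noUrlInDistPoint"));
            continue;
        }
        final GeneralNames generalNames = (GeneralNames) dpName.getName();
        if (generalNames == null) {
            continue;
        }
        final GeneralName[] generalNameArr = generalNames.getNames();
        if (generalNameArr != null) {
            for (final GeneralName generalName : generalNameArr) {
                if (generalName.getTagNo() != GeneralName.uniformResourceIdentifier) {
                    continue;
                }
                final DERString derString = (DERString) generalName.getName();
                final String uri = derString.getString();
                if (uri != null && uri.startsWith("http")) {
                    LOGGER.info(RES.get("console.crlinfo.foundCrlUri", uri));
                    tmpResult.add(uri);
                    // One URL per distribution point is enough; move to the next DP.
                    continue distPoint;
                }
            }
        }
        LOGGER.info(RES.get("console.crlinfo.noUrlInDistPoint"));
    }
    return tmpResult;
}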
From source file:be.fedict.trust.ocsp.OcspTrustLinker.java
/**
 * Looks up the first Authority Information Access location of the requested access method that is
 * expressed as a URI.
 *
 * The AIA extension value is unwrapped from its OCTET STRING and decoded; access descriptions whose
 * method differs from {@code accessMethod}, or whose location is not a uniformResourceIdentifier,
 * are skipped. The URI string is taken from the certificate as-is and converted with
 * {@code toURI} -- it is untrusted input for an unvalidated certificate, so whatever is fetched
 * from it must still be verified (e.g. OCSP response signature) before being relied upon.
 *
 * @param certificate  the certificate whose AIA extension is inspected
 * @param accessMethod the id-ad-* access method to look for
 * @return the first matching URI, or {@code null} if the extension is absent or no match exists
 * @throws RuntimeException if the extension value cannot be decoded
 */
private URI getAccessLocation(X509Certificate certificate, DERObjectIdentifier accessMethod) {
    final byte[] aiaValue = certificate.getExtensionValue(X509Extensions.AuthorityInfoAccess.getId());
    if (aiaValue == null) {
        return null;
    }
    final AuthorityInformationAccess aia;
    try {
        // Outer object is the DER OCTET STRING wrapper; the inner one is the AIA SEQUENCE.
        final ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(aiaValue));
        final DEROctetString wrapper = (DEROctetString) outer.readObject();
        final ASN1InputStream inner = new ASN1InputStream(wrapper.getOctets());
        aia = AuthorityInformationAccess.getInstance((ASN1Sequence) inner.readObject());
    } catch (IOException e) {
        throw new RuntimeException("IO error: " + e.getMessage(), e);
    }
    for (AccessDescription description : aia.getAccessDescriptions()) {
        LOG.debug("access method: " + description.getAccessMethod());
        if (!description.getAccessMethod().equals(accessMethod)) {
            continue;
        }
        final GeneralName location = description.getAccessLocation();
        if (location.getTagNo() != GeneralName.uniformResourceIdentifier) {
            LOG.debug("not a uniform resource identifier");
            continue;
        }
        final String accessLocation = ((DERIA5String) location.getName()).getString();
        LOG.debug("access location: " + accessLocation);
        final URI uri = toURI(accessLocation);
        LOG.debug("access location URI: " + uri);
        return uri;
    }
    return null;
}
From source file:org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier.java
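/**
 * Returns the OCSP responder URLs listed in the certificate's Authority Information Access (AIA)
 * extension.
 *
 * AIA is a non-critical extension that may carry several access descriptions; besides id-ad-ocsp
 * it commonly carries id-ad-caIssuers (where to fetch the issuer certificate). Only descriptions
 * whose access method is id-ad-ocsp are returned, so a caIssuers URL is no longer handed back as
 * if it were an OCSP responder (this resolves the TODO that used to sit on this method).
 *
 * Security note: the URLs come from the certificate being validated and are attacker-controlled
 * for an untrusted certificate; the OCSP response fetched from them must be signature-verified
 * and bound to the issuer before it is trusted.
 *
 * @param cert the certificate
 * @return a non-empty list of OCSP responder URLs found in the AIA extension
 * @throws CertificateVerificationException if the extension is absent, cannot be decoded, or
 *         holds no OCSP URL
 */
private List<String> getAIALocations(X509Certificate cert) throws CertificateVerificationException {
    // getExtensionValue() returns the DER-encoded OCTET STRING wrapping the extension body.
    byte[] aiaExtensionValue = cert.getExtensionValue(Extension.authorityInfoAccess.getId());
    if (aiaExtensionValue == null) {
        throw new CertificateVerificationException("Certificate Doesn't have Authority Information Access points");
    }
    AuthorityInformationAccess authorityInformationAccess;
    try {
        DEROctetString oct = (DEROctetString) (new ASN1InputStream(new ByteArrayInputStream(aiaExtensionValue))
                .readObject());
        authorityInformationAccess = AuthorityInformationAccess
                .getInstance(new ASN1InputStream(oct.getOctets()).readObject());
    } catch (IOException e) {
        throw new CertificateVerificationException("Cannot read certificate to get OSCP urls", e);
    }
    List<String> ocspUrlList = new ArrayList<String>();
    for (AccessDescription accessDescription : authorityInformationAccess.getAccessDescriptions()) {
        // Skip caIssuers and any other access method; only id-ad-ocsp locations are responders.
        if (!AccessDescription.id_ad_ocsp.equals(accessDescription.getAccessMethod())) {
            continue;
        }
        GeneralName gn = accessDescription.getAccessLocation();
        if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
            DERIA5String str = DERIA5String.getInstance(gn.getName());
            ocspUrlList.add(str.getString());
        }
    }
    if (ocspUrlList.isEmpty()) {
        throw new CertificateVerificationException("Cant get OCSP urls from certificate");
    }
    return ocspUrlList;
}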
From source file:org.apache.synapse.transport.utils.sslcert.ocsp.OCSPVerifier.java
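/**
 * Returns the OCSP responder URLs listed in the certificate's Authority Information Access (AIA)
 * extension.
 *
 * AIA is a non-critical extension that may carry several access descriptions; besides id-ad-ocsp
 * it commonly carries id-ad-caIssuers (where to fetch the issuer certificate). Only descriptions
 * whose access method is id-ad-ocsp are returned, so a caIssuers URL is no longer handed back as
 * if it were an OCSP responder (this resolves the TODO that used to sit on this method).
 *
 * Security note: the URLs come from the certificate being validated and are attacker-controlled
 * for an untrusted certificate; the OCSP response fetched from them must be signature-verified
 * and bound to the issuer before it is trusted.
 *
 * @param cert the certificate
 * @return a non-empty list of OCSP responder URLs found in the AIA extension
 * @throws CertificateVerificationException if the extension is absent, cannot be decoded, or
 *         holds no OCSP URL
 */
private List<String> getAIALocations(X509Certificate cert) throws CertificateVerificationException {
    // getExtensionValue() returns the DER-encoded OCTET STRING wrapping the extension body.
    byte[] aiaExtensionValue = cert.getExtensionValue(X509Extensions.AuthorityInfoAccess.getId());
    if (aiaExtensionValue == null) {
        throw new CertificateVerificationException("Certificate doesn't have authority information access points");
    }
    ASN1InputStream asn1In = new ASN1InputStream(aiaExtensionValue);
    AuthorityInformationAccess authorityInformationAccess;
    try {
        DEROctetString aiaDEROctetString = (DEROctetString) (asn1In.readObject());
        ASN1InputStream asn1InOctets = new ASN1InputStream(aiaDEROctetString.getOctets());
        ASN1Sequence aiaASN1Sequence = (ASN1Sequence) asn1InOctets.readObject();
        authorityInformationAccess = AuthorityInformationAccess.getInstance(aiaASN1Sequence);
    } catch (IOException e) {
        throw new CertificateVerificationException("Cannot read certificate to get OCSP URLs", e);
    }
    List<String> ocspUrlList = new ArrayList<String>();
    for (AccessDescription accessDescription : authorityInformationAccess.getAccessDescriptions()) {
        // Skip caIssuers and any other access method; only id-ad-ocsp locations are responders.
        if (!AccessDescription.id_ad_ocsp.equals(accessDescription.getAccessMethod())) {
            continue;
        }
        GeneralName gn = accessDescription.getAccessLocation();
        if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
            DERIA5String str = DERIA5String.getInstance(gn.getName());
            ocspUrlList.add(str.getString());
        }
    }
    if (ocspUrlList.isEmpty()) {
        throw new CertificateVerificationException("Cant get OCSP urls from certificate");
    }
    return ocspUrlList;
}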
From source file:org.nuxeo.ecm.platform.signature.core.pki.CertServiceImpl.java
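/**
 * Extracts the e-mail address from the certificate's subjectAltName extension (OID 2.5.29.17).
 *
 * Only a GeneralName of type rfc822Name is an e-mail address; the first such entry is returned.
 * Previously the first SAN entry of any type (e.g. a dNSName or a URI) was returned as the
 * "email", and a certificate without a SAN extension caused a NullPointerException.
 *
 * Security note: the value is read from the certificate without any verification; callers must
 * only rely on it for certificates whose chain has already been validated.
 *
 * @param certificate the certificate to inspect
 * @return the first rfc822Name SAN entry, or {@code null} if the extension is absent or carries
 *         no rfc822Name
 * @throws CertException if the extension value cannot be decoded
 */
@Override
public String getCertificateEmail(X509Certificate certificate) throws CertException {
    String subjectAltNameOID = "2.5.29.17";
    byte[] sanBytes = certificate.getExtensionValue(subjectAltNameOID);
    if (sanBytes == null) {
        // No subjectAltName extension at all.
        return null;
    }
    String certificateEmail = null;
    try {
        // Unwrap the OCTET STRING returned by getExtensionValue(), then decode the GeneralNames it holds.
        byte[] octets = ((DEROctetString) org.bouncycastle.asn1.ASN1Object.fromByteArray(sanBytes))
                .getOctets();
        GeneralNames generalNameCont = GeneralNames
                .getInstance(org.bouncycastle.asn1.ASN1Object.fromByteArray(octets));
        for (GeneralName generalName : generalNameCont.getNames()) {
            if (generalName.getTagNo() == GeneralName.rfc822Name) {
                certificateEmail = generalName.getName().toString();
                break;
            }
        }
    } catch (IOException e) {
        throw new CertException("Email could not be extracted from certificate", e);
    }
    return certificateEmail;
}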
From source file:eu.europa.esig.dss.client.ocsp.OnlineOCSPSource.java
/**
 * Gives back the OCSP responder URI found in the given X509 certificate's Authority Information
 * Access extension.
 *
 * Only access descriptions whose access method is id-ad-ocsp are considered, and of those the
 * first one carrying a uniformResourceIdentifier is returned; caIssuers entries and non-URI
 * locations are skipped. The URI is returned exactly as encoded in the certificate -- it is
 * untrusted input for an unvalidated certificate, and the OCSP response fetched from it still has
 * to be signature-checked before it is relied upon.
 *
 * @param certificate the X509 cert.
 * @return the OCSP URI, or <code>null</code> if the extension is not present or holds no OCSP URI.
 * @throws DSSException if the extension value cannot be decoded.
 */
public String getAccessLocation(final X509Certificate certificate) throws DSSException {
    final byte[] aiaExtension = certificate.getExtensionValue(Extension.authorityInfoAccess.getId());
    if (aiaExtension == null) {
        return null;
    }
    final ASN1ObjectIdentifier ocspAccessMethod = X509ObjectIdentifiers.ocspAccessMethod;
    ASN1InputStream outerStream = null;
    ASN1InputStream innerStream = null;
    try {
        // The extension value is a DER OCTET STRING wrapping the AuthorityInfoAccessSyntax SEQUENCE.
        outerStream = new ASN1InputStream(new ByteArrayInputStream(aiaExtension));
        final DEROctetString wrapper = (DEROctetString) (outerStream.readObject());
        innerStream = new ASN1InputStream(wrapper.getOctets());
        final AuthorityInformationAccess aia = AuthorityInformationAccess.getInstance(innerStream.readObject());
        for (final AccessDescription description : aia.getAccessDescriptions()) {
            if (logger.isDebugEnabled()) {
                logger.debug("Access method: " + description.getAccessMethod());
            }
            if (!description.getAccessMethod().equals(ocspAccessMethod)) {
                continue;
            }
            final GeneralName location = description.getAccessLocation();
            if (location.getTagNo() != GeneralName.uniformResourceIdentifier) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Not a uniform resource identifier");
                }
                continue;
            }
            final DERTaggedObject tagged = (DERTaggedObject) location.toASN1Primitive();
            final String accessLocation = ((DERIA5String) tagged.getObject()).getString();
            if (logger.isDebugEnabled()) {
                logger.debug("Access location: " + accessLocation);
            }
            return accessLocation;
        }
        return null;
    } catch (IOException e) {
        throw new DSSException(e);
    } finally {
        IOUtils.closeQuietly(outerStream);
        IOUtils.closeQuietly(innerStream);
    }
}
From source file:org.wso2.carbon.identity.authenticator.pki.cert.validation.ocsp.OCSPVerifier.java
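/**
 * Returns the OCSP responder URLs listed in the certificate's Authority Information Access (AIA)
 * extension.
 *
 * AIA is a non-critical extension that may carry several access descriptions; besides id-ad-ocsp
 * it commonly carries id-ad-caIssuers (where to fetch the issuer certificate). Only descriptions
 * whose access method is id-ad-ocsp are returned, so a caIssuers URL is no longer handed back as
 * if it were an OCSP responder (this resolves the TODO that used to sit on this method).
 *
 * Security note: the URLs come from the certificate being validated and are attacker-controlled
 * for an untrusted certificate; the OCSP response fetched from them must be signature-verified
 * and bound to the issuer before it is trusted.
 *
 * @param cert the certificate
 * @return a non-empty list of OCSP responder URLs found in the AIA extension
 * @throws CertificateVerificationException if the extension is absent, cannot be decoded, or
 *         holds no OCSP URL
 */
private List<String> getAIALocations(X509Certificate cert) throws CertificateVerificationException {
    // getExtensionValue() returns the DER-encoded OCTET STRING wrapping the extension body.
    byte[] aiaExtensionValue = cert.getExtensionValue(X509Extensions.AuthorityInfoAccess.getId());
    if (aiaExtensionValue == null) {
        throw new CertificateVerificationException("Certificate Doesnt have Authority Information Access points");
    }
    ASN1InputStream asn1In = new ASN1InputStream(aiaExtensionValue);
    AuthorityInformationAccess authorityInformationAccess;
    try {
        DEROctetString aiaDEROctetString = (DEROctetString) (asn1In.readObject());
        ASN1InputStream asn1Inoctets = new ASN1InputStream(aiaDEROctetString.getOctets());
        ASN1Sequence aiaASN1Sequence = (ASN1Sequence) asn1Inoctets.readObject();
        authorityInformationAccess = new AuthorityInformationAccess(aiaASN1Sequence);
    } catch (IOException e) {
        throw new CertificateVerificationException("Cannot read certificate to get OSCP urls", e);
    }
    List<String> ocspUrlList = new ArrayList<String>();
    for (AccessDescription accessDescription : authorityInformationAccess.getAccessDescriptions()) {
        // Skip caIssuers and any other access method; only id-ad-ocsp locations are responders.
        if (!AccessDescription.id_ad_ocsp.equals(accessDescription.getAccessMethod())) {
            continue;
        }
        GeneralName gn = accessDescription.getAccessLocation();
        if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
            DERIA5String str = DERIA5String.getInstance(gn.getName());
            ocspUrlList.add(str.getString());
        }
    }
    if (ocspUrlList.isEmpty()) {
        throw new CertificateVerificationException("Cant get OCSP urls from certificate");
    }
    return ocspUrlList;
}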
From source file:dk.itst.oiosaml.sp.metadata.CRLChecker.java
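/**
 * Resolves the CRL URL to use for an entity: an explicitly configured value
 * ({@code Constants.PROP_CRL + entityId}) wins; otherwise the certificate's cRLDistributionPoints
 * extension (OID 2.5.29.31) is consulted.
 *
 * Only distribution points with a fullName are considered, and only GeneralNames tagged as
 * uniformResourceIdentifier are accepted. The previous check tested the value type alone, but
 * rfc822Name, dNSName and uniformResourceIdentifier are all IA5Strings, so an e-mail address or
 * host name in a distribution point was taken as the CRL URL. When several URIs are present the
 * last one wins (pre-existing behaviour, kept).
 *
 * Security note: a URL read from the certificate is attacker-controlled for an untrusted
 * certificate; the CRL fetched from it must be signature-verified before it is used.
 *
 * @param conf        configuration holding the optional per-entity CRL override
 * @param entityId    the entity whose CRL is being located
 * @param certificate the entity's certificate, used as a fallback source
 * @return the CRL URL, or {@code null} if neither configuration nor certificate provides one
 * @throws RuntimeException if the extension value cannot be decoded
 */
private String getCRLUrl(Configuration conf, String entityId, X509Certificate certificate) {
    String url = conf.getString(Constants.PROP_CRL + entityId);
    log.debug("Checking CRL for " + entityId + " at " + url);
    if (url != null) {
        return url;
    }
    log.debug("No CRL configured for " + entityId + ". Set " + Constants.PROP_CRL + entityId
            + " in configuration");
    byte[] val = certificate.getExtensionValue("2.5.29.31");
    if (val == null) {
        return null;
    }
    try {
        CRLDistPoint point = CRLDistPoint.getInstance(X509ExtensionUtil.fromExtensionValue(val));
        for (DistributionPoint dp : point.getDistributionPoints()) {
            // distributionPoint is OPTIONAL; and only a fullName decodes to GeneralNames.
            if (dp.getDistributionPoint() == null) {
                continue;
            }
            if (!(dp.getDistributionPoint().getName() instanceof GeneralNames)) {
                continue;
            }
            GeneralNames gn = (GeneralNames) dp.getDistributionPoint().getName();
            for (GeneralName g : gn.getNames()) {
                // The GeneralName tag, not the value type, is what identifies a URI.
                if (g.getTagNo() == GeneralName.uniformResourceIdentifier
                        && g.getName() instanceof DERIA5String) {
                    url = ((DERIA5String) g.getName()).getString();
                }
            }
        }
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
    return url;
}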
From source file:net.ripe.rpki.commons.provisioning.cms.ProvisioningCmsObjectParser.java
/**
 * Tells whether the certificate is an end-entity certificate according to its basicConstraints
 * extension.
 *
 * A certificate without the extension is treated as an end-entity: per RFC 5280 section 4.2.1.9,
 * if basicConstraints is absent (in a version 3 certificate) the certified key MUST NOT be used to
 * verify certificate signatures. When the extension is present the answer is the negation of its
 * cA flag. NOTE(review): this inspects basicConstraints only; keyUsage/keyCertSign and the
 * certificate version are not consulted here.
 *
 * @param certificate the certificate to classify
 * @return {@code true} if the certificate is not a CA certificate
 * @throws ProvisioningCmsObjectParserException if the extension value cannot be decoded
 */
private boolean isEndEntityCertificate(X509Certificate certificate) {
    final byte[] encodedBasicConstraints = certificate
            .getExtensionValue(X509Extension.basicConstraints.getId());
    if (encodedBasicConstraints == null) {
        // No basicConstraints: RFC 5280 4.2.1.9 forbids using the key to verify certificate
        // signatures, i.e. it cannot be a CA certificate.
        return true;
    }
    try {
        final BasicConstraints basicConstraints = BasicConstraints
                .getInstance(X509ExtensionUtil.fromExtensionValue(encodedBasicConstraints));
        return !basicConstraints.isCA();
    } catch (IOException e) {
        throw new ProvisioningCmsObjectParserException("error while reading cms object certificate", e);
    }
}