Example usage for java.security.cert X509Certificate getExtensionValue

List of usage examples for java.security.cert X509Certificate getExtensionValue

Introduction

This page collects usage examples of java.security.cert X509Certificate getExtensionValue taken from open-source projects.

Prototype

public byte[] getExtensionValue(String oid);


Document

Gets the DER-encoded OCTET string for the extension value (extnValue) identified by the passed-in oid String.

Usage

From source file:eu.europa.ec.markt.dss.validation.crl.OnlineCRLSource.java

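/**
 * Gives back the CRL URI meta-data found within the given X509 certificate.
 * <p>
 * The CRL Distribution Points extension (RFC 5280, 4.2.1.13) is decoded and, for each
 * distribution point carrying a full name, its URI general names are collected. As soon as
 * a distribution point has yielded at least one URI the method returns: the first URI
 * starting with {@code preferredProtocol} when that field is set, otherwise the first URI
 * collected so far. The URI is returned exactly as found in the certificate; no validation
 * of its scheme or host is done here.
 *
 * @param certificate the X509 certificate.
 * @return the CRL URI, or <code>null</code> if the extension is not present or holds no URI.
 * @throws DSSException if the extension value cannot be read.
 */
public String getCrlUri(X509Certificate certificate) throws DSSException {

    final byte[] crlDistributionPointsValue = certificate
            .getExtensionValue(X509Extension.cRLDistributionPoints.getId());
    if (null == crlDistributionPointsValue) {
        return null;
    }
    ASN1InputStream ais1 = null;
    ASN1InputStream ais2 = null;
    try {

        final List<String> urls = new ArrayList<String>();
        // extnValue is an OCTET STRING; its content is the DER-encoded CRLDistributionPoints sequence.
        final ByteArrayInputStream bais = new ByteArrayInputStream(crlDistributionPointsValue);
        ais1 = new ASN1InputStream(bais);
        final DEROctetString oct = (DEROctetString) (ais1.readObject());
        ais2 = new ASN1InputStream(oct.getOctets());
        final ASN1Sequence seq = (ASN1Sequence) ais2.readObject();
        final CRLDistPoint distPoint = CRLDistPoint.getInstance(seq);
        final DistributionPoint[] distributionPoints = distPoint.getDistributionPoints();
        for (final DistributionPoint distributionPoint : distributionPoints) {

            // distributionPoint is OPTIONAL in RFC 5280: a point may carry only reasons/cRLIssuer,
            // in which case getDistributionPoint() is null and must not be dereferenced.
            final DistributionPointName distributionPointName = distributionPoint.getDistributionPoint();
            if (distributionPointName == null
                    || DistributionPointName.FULL_NAME != distributionPointName.getType()) {
                continue;
            }
            final GeneralNames generalNames = (GeneralNames) distributionPointName.getName();
            final GeneralName[] names = generalNames.getNames();
            for (final GeneralName name : names) {

                if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
                    LOG.fine("Not a uniform resource identifier");
                    continue;
                }
                // The IA5String may arrive wrapped in a tagged object or bare; both shapes are handled.
                final String urlStr;
                if (name.getDERObject() instanceof DERTaggedObject) {
                    final DERTaggedObject taggedObject = (DERTaggedObject) name.getDERObject();
                    final DERIA5String derStr = DERIA5String.getInstance(taggedObject.getObject());
                    urlStr = derStr.getString();
                } else {
                    final DERIA5String derStr = DERIA5String.getInstance(name.getDERObject());
                    urlStr = derStr.getString();
                }
                urls.add(urlStr);
            }
            if (preferredProtocol != null) {
                for (final String url : urls) {
                    if (url.startsWith(preferredProtocol)) {
                        return url;
                    }
                }
            }
            if (!urls.isEmpty()) {
                return urls.get(0);
            }
        }
        return null;
    } catch (IOException e) {
        throw new DSSException(e);
    } finally {
        DSSUtils.closeQuietly(ais1);
        DSSUtils.closeQuietly(ais2);
    }
}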

From source file:net.sf.jsignpdf.crl.CRLInfo.java

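/**
 * Returns (initialized, but maybe empty) set of URLs of CRLs for given
 * certificate.
 * <p>
 * The CRL Distribution Points extension is decoded; for every distribution point
 * carrying a full name, the first URI general name starting with {@code "http"} is
 * collected. Distribution points without a name, or named relative to the CRL
 * issuer, are skipped, and a decoding failure yields an empty set.
 *
 * @param aCert
 *          X509 certificate.
 * @return set of CRL URLs found in the certificate, never {@code null}
 */
private Set<String> getCrlUrls(final X509Certificate aCert) {
    final Set<String> tmpResult = new HashSet<String>();
    LOGGER.info(RES.get("console.crlinfo.retrieveCrlUrl", aCert.getSubjectX500Principal().getName()));
    final byte[] crlDPExtension = aCert.getExtensionValue(X509Extension.cRLDistributionPoints.getId());
    if (crlDPExtension == null) {
        LOGGER.info(RES.get("console.crlinfo.distPointNotSupported"));
        return tmpResult;
    }
    CRLDistPoint crlDistPoints = null;
    try {
        crlDistPoints = CRLDistPoint.getInstance(X509ExtensionUtil.fromExtensionValue(crlDPExtension));
    } catch (IOException e) {
        LOGGER.warn("Unable to decode the CRL distribution points extension", e);
    }
    if (crlDistPoints == null) {
        return tmpResult;
    }
    final DistributionPoint[] distPoints = crlDistPoints.getDistributionPoints();
    distPoint: for (DistributionPoint dp : distPoints) {
        // distributionPoint is OPTIONAL (RFC 5280 4.2.1.13) and may be a name relative to the
        // CRL issuer, whose getName() is not a GeneralNames; both cases would otherwise fail.
        final DistributionPointName dpName = dp.getDistributionPoint();
        if (dpName == null || dpName.getType() != DistributionPointName.FULL_NAME) {
            continue;
        }
        final GeneralNames generalNames = (GeneralNames) dpName.getName();
        if (generalNames == null) {
            continue;
        }
        final GeneralName[] generalNameArr = generalNames.getNames();
        if (generalNameArr != null) {
            for (final GeneralName generalName : generalNameArr) {
                if (generalName.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    final DERString derString = (DERString) generalName.getName();
                    final String uri = derString.getString();
                    // Only http(s) locations are accepted; other schemes in the certificate are ignored.
                    if (uri != null && uri.startsWith("http")) {
                        LOGGER.info(RES.get("console.crlinfo.foundCrlUri", uri));
                        tmpResult.add(uri);
                        continue distPoint;
                    }
                }
            }
        }
        LOGGER.info(RES.get("console.crlinfo.noUrlInDistPoint"));
    }
    return tmpResult;
}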

From source file:be.fedict.trust.ocsp.OcspTrustLinker.java

/**
 * Looks up the Authority Information Access location registered for one access method.
 * <p>
 * The AIA extension is decoded and the first access description whose method equals
 * {@code accessMethod} and whose location is a uniformResourceIdentifier general name
 * is converted with {@code toURI}. The value comes straight from the certificate; no
 * check beyond what {@code toURI} performs is applied here.
 *
 * @param certificate  the certificate whose AIA extension is inspected.
 * @param accessMethod the access method OID to look for.
 * @return the matching access location, or {@code null} when the extension is absent
 *         or contains no matching URI location.
 * @throws RuntimeException if the extension value cannot be decoded.
 */
private URI getAccessLocation(X509Certificate certificate, DERObjectIdentifier accessMethod) {
    byte[] extensionValue = certificate
            .getExtensionValue(X509Extensions.AuthorityInfoAccess.getId());
    if (extensionValue == null) {
        return null;
    }
    AuthorityInformationAccess aia;
    try {
        // extnValue is an OCTET STRING whose content is the DER-encoded AuthorityInfoAccessSyntax.
        ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(extensionValue));
        DEROctetString wrapper = (DEROctetString) outer.readObject();
        ASN1InputStream inner = new ASN1InputStream(wrapper.getOctets());
        aia = AuthorityInformationAccess.getInstance((ASN1Sequence) inner.readObject());
    } catch (IOException e) {
        throw new RuntimeException("IO error: " + e.getMessage(), e);
    }
    for (AccessDescription description : aia.getAccessDescriptions()) {
        LOG.debug("access method: " + description.getAccessMethod());
        if (!description.getAccessMethod().equals(accessMethod)) {
            continue;
        }
        GeneralName location = description.getAccessLocation();
        if (location.getTagNo() != GeneralName.uniformResourceIdentifier) {
            LOG.debug("not a uniform resource identifier");
            continue;
        }
        String accessLocation = ((DERIA5String) location.getName()).getString();
        LOG.debug("access location: " + accessLocation);
        URI uri = toURI(accessLocation);
        LOG.debug("access location URI: " + uri);
        return uri;
    }
    return null;
}

From source file:org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier.java

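/**
 * Collects the OCSP responder URLs advertised in the certificate's Authority Information
 * Access (AIA) extension (RFC 5280, 4.2.2.1). AIA is a non-critical extension that may also
 * list caIssuers locations; only access descriptions whose access method is id-ad-ocsp are
 * kept, and only those expressed as a uniformResourceIdentifier general name.
 *
 * @param cert is the certificate
 * @return a list of OCSP responder URLs found in the AIA extension of the certificate,
 *         never empty
 * @throws CertificateVerificationException if the extension is absent, cannot be decoded,
 *         or contains no OCSP URL
 */
private List<String> getAIALocations(X509Certificate cert) throws CertificateVerificationException {

    //Gets the DER-encoded OCTET string for the extension value for Authority information access Points
    byte[] aiaExtensionValue = cert.getExtensionValue(Extension.authorityInfoAccess.getId());
    if (aiaExtensionValue == null) {
        throw new CertificateVerificationException(
                "Certificate Doesn't have Authority Information Access points");
    }

    AuthorityInformationAccess authorityInformationAccess;

    try {
        // extnValue wraps the DER-encoded AuthorityInfoAccessSyntax in an OCTET STRING.
        DEROctetString oct = (DEROctetString) (new ASN1InputStream(new ByteArrayInputStream(aiaExtensionValue))
                .readObject());
        authorityInformationAccess = AuthorityInformationAccess
                .getInstance(new ASN1InputStream(oct.getOctets()).readObject());
    } catch (IOException e) {
        throw new CertificateVerificationException("Cannot read certificate to get OSCP urls", e);
    }

    List<String> ocspUrlList = new ArrayList<String>();
    AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions();
    for (AccessDescription accessDescription : accessDescriptions) {

        // Skip caIssuers and any other access method: only OCSP responders are wanted here.
        if (!AccessDescription.id_ad_ocsp.equals(accessDescription.getAccessMethod())) {
            continue;
        }
        GeneralName gn = accessDescription.getAccessLocation();
        if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
            DERIA5String str = DERIA5String.getInstance(gn.getName());
            ocspUrlList.add(str.getString());
        }
    }
    if (ocspUrlList.isEmpty()) {
        throw new CertificateVerificationException("Cant get OCSP urls from certificate");
    }

    return ocspUrlList;
}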

From source file:org.apache.synapse.transport.utils.sslcert.ocsp.OCSPVerifier.java

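/**
 * Collects the OCSP responder URLs advertised in the certificate's Authority Information
 * Access (AIA) extension (RFC 5280, 4.2.2.1). AIA is a non-critical extension that may also
 * list caIssuers locations; only access descriptions whose access method is id-ad-ocsp are
 * kept, and only those expressed as a uniformResourceIdentifier general name.
 *
 * @param cert is the certificate
 * @return a list of OCSP responder URLs found in the AIA extension of the certificate,
 *         never empty
 * @throws CertificateVerificationException if the extension is absent, cannot be decoded,
 *         or contains no OCSP URL
 */
private List<String> getAIALocations(X509Certificate cert) throws CertificateVerificationException {

    //Gets the DER-encoded OCTET string for the extension value for Authority information access Points
    byte[] aiaExtensionValue = cert.getExtensionValue(X509Extensions.AuthorityInfoAccess.getId());
    if (aiaExtensionValue == null) {
        throw new CertificateVerificationException(
                "Certificate doesn't have authority " + "information access points");
    }
    ASN1InputStream asn1In = new ASN1InputStream(aiaExtensionValue);
    AuthorityInformationAccess authorityInformationAccess;

    try {
        // extnValue is an OCTET STRING; its content is the DER-encoded AuthorityInfoAccessSyntax.
        DEROctetString aiaDEROctetString = (DEROctetString) (asn1In.readObject());
        ASN1InputStream asn1InOctets = new ASN1InputStream(aiaDEROctetString.getOctets());
        ASN1Sequence aiaASN1Sequence = (ASN1Sequence) asn1InOctets.readObject();
        authorityInformationAccess = AuthorityInformationAccess.getInstance(aiaASN1Sequence);
    } catch (IOException e) {
        throw new CertificateVerificationException("Cannot read certificate to get OCSP URLs", e);
    }

    List<String> ocspUrlList = new ArrayList<String>();
    AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions();
    for (AccessDescription accessDescription : accessDescriptions) {

        // Skip caIssuers and any other access method: only OCSP responders are wanted here.
        if (!AccessDescription.id_ad_ocsp.equals(accessDescription.getAccessMethod())) {
            continue;
        }
        GeneralName gn = accessDescription.getAccessLocation();
        if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
            DERIA5String str = DERIA5String.getInstance(gn.getName());
            ocspUrlList.add(str.getString());
        }
    }
    if (ocspUrlList.isEmpty()) {
        throw new CertificateVerificationException("Cant get OCSP urls from certificate");
    }

    return ocspUrlList;
}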

From source file:org.nuxeo.ecm.platform.signature.core.pki.CertServiceImpl.java

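/**
 * Extracts the subject's e-mail address from the certificate's Subject Alternative Name
 * extension (OID 2.5.29.17, RFC 5280 4.2.1.6).
 * <p>
 * Only general names of type rfc822Name are considered; DNS names, IP addresses and other
 * SAN entries are skipped, so a certificate whose first SAN entry is a DNS name no longer
 * has that name reported as its e-mail. The first rfc822Name found is returned.
 *
 * @param certificate the certificate to inspect
 * @return the first rfc822Name found in the SAN extension, or {@code null} when the
 *         extension is absent or carries no e-mail address
 * @throws CertException if the extension value cannot be decoded
 */
@Override
public String getCertificateEmail(X509Certificate certificate) throws CertException {
    // 2.5.29.17 is id-ce-subjectAltName; the e-mail, if any, is an rfc822Name entry inside it.
    String subjectAltNameOID = "2.5.29.17";
    byte[] sanBytes = certificate.getExtensionValue(subjectAltNameOID);
    if (sanBytes == null) {
        // Extension absent: fromByteArray(null) would fail with a NullPointerException.
        return null;
    }
    String certificateEmail = null;
    try {
        byte[] octets = ((DEROctetString) org.bouncycastle.asn1.ASN1Object.fromByteArray(sanBytes))
                .getOctets();
        GeneralNames generalNameCont = GeneralNames
                .getInstance(org.bouncycastle.asn1.ASN1Object.fromByteArray(octets));
        for (GeneralName generalName : generalNameCont.getNames()) {
            if (generalName.getTagNo() == GeneralName.rfc822Name) {
                certificateEmail = generalName.getName().toString();
                break;
            }
        }
    } catch (IOException e) {
        throw new CertException("Email could not be extracted from certificate", e);
    }
    return certificateEmail;
}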

From source file:eu.europa.esig.dss.client.ocsp.OnlineOCSPSource.java

/**
 * Gives back the OCSP URI meta-data found within the given X509 cert.
 * <p>
 * The Authority Information Access extension is decoded and the first access description
 * whose method is id-ad-ocsp and whose location is a uniformResourceIdentifier general name
 * is returned. The URI is returned as found in the certificate, without validation.
 *
 * @param certificate the X509 cert.
 * @return the OCSP URI, or <code>null</code> if the extension is not present or holds
 *         no OCSP URI.
 * @throws DSSException if the extension value cannot be read.
 */
public String getAccessLocation(final X509Certificate certificate) throws DSSException {

    final ASN1ObjectIdentifier ocspAccessMethod = X509ObjectIdentifiers.ocspAccessMethod;
    final byte[] extensionValue = certificate
            .getExtensionValue(Extension.authorityInfoAccess.getId());
    if (extensionValue == null) {
        return null;
    }

    ASN1InputStream outerStream = null;
    ASN1InputStream innerStream = null;
    try {

        outerStream = new ASN1InputStream(new ByteArrayInputStream(extensionValue));
        // extnValue is an OCTET STRING wrapping the DER-encoded AuthorityInfoAccessSyntax.
        final DEROctetString wrapper = (DEROctetString) outerStream.readObject();
        innerStream = new ASN1InputStream(wrapper.getOctets());
        final AuthorityInformationAccess aia = AuthorityInformationAccess
                .getInstance(innerStream.readObject());

        for (final AccessDescription description : aia.getAccessDescriptions()) {

            if (logger.isDebugEnabled()) {
                logger.debug("Access method: " + description.getAccessMethod());
            }
            if (!description.getAccessMethod().equals(ocspAccessMethod)) {
                continue;
            }
            final GeneralName location = description.getAccessLocation();
            if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
                final DERIA5String ia5 = (DERIA5String) ((DERTaggedObject) location.toASN1Primitive()).getObject();
                final String accessLocation = ia5.getString();
                if (logger.isDebugEnabled()) {
                    logger.debug("Access location: " + accessLocation);
                }
                return accessLocation;
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Not a uniform resource identifier");
            }
        }
        return null;
    } catch (IOException e) {
        throw new DSSException(e);
    } finally {
        IOUtils.closeQuietly(outerStream);
        IOUtils.closeQuietly(innerStream);
    }
}

From source file:org.wso2.carbon.identity.authenticator.pki.cert.validation.ocsp.OCSPVerifier.java

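/**
 * Collects the OCSP responder URLs advertised in the certificate's Authority Information
 * Access (AIA) extension (RFC 5280, 4.2.2.1). AIA is a non-critical extension that may also
 * list caIssuers locations; only access descriptions whose access method is id-ad-ocsp are
 * kept, and only those expressed as a uniformResourceIdentifier general name.
 * 
 * @param cert
 *            is the certificate
 * @return a list of OCSP responder URLs found in the AIA extension of the certificate,
 *         never empty
 * @throws CertificateVerificationException
 *             if the extension is absent, cannot be decoded, or contains no OCSP URL
 */
private List<String> getAIALocations(X509Certificate cert) throws CertificateVerificationException {

    // Gets the DER-encoded OCTET string for the extension value for
    // Authority information access Points
    byte[] aiaExtensionValue = cert.getExtensionValue(X509Extensions.AuthorityInfoAccess.getId());
    if (aiaExtensionValue == null) {
        throw new CertificateVerificationException(
                "Certificate Doesnt have Authority Information Access points");
    }
    ASN1InputStream asn1In = new ASN1InputStream(aiaExtensionValue);
    AuthorityInformationAccess authorityInformationAccess;

    try {
        // extnValue is an OCTET STRING; its content is the DER-encoded AuthorityInfoAccessSyntax.
        DEROctetString aiaDEROctetString = (DEROctetString) (asn1In.readObject());
        ASN1InputStream asn1Inoctets = new ASN1InputStream(aiaDEROctetString.getOctets());
        ASN1Sequence aiaASN1Sequence = (ASN1Sequence) asn1Inoctets.readObject();
        authorityInformationAccess = new AuthorityInformationAccess(aiaASN1Sequence);
    } catch (IOException e) {
        throw new CertificateVerificationException("Cannot read certificate to get OSCP urls", e);
    }

    List<String> ocspUrlList = new ArrayList<String>();
    AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions();
    for (AccessDescription accessDescription : accessDescriptions) {

        // Skip caIssuers and any other access method: only OCSP responders are wanted here.
        if (!AccessDescription.id_ad_ocsp.equals(accessDescription.getAccessMethod())) {
            continue;
        }
        GeneralName gn = accessDescription.getAccessLocation();
        if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
            DERIA5String str = DERIA5String.getInstance(gn.getName());
            ocspUrlList.add(str.getString());
        }
    }
    if (ocspUrlList.isEmpty()) {
        throw new CertificateVerificationException("Cant get OCSP urls from certificate");
    }

    return ocspUrlList;
}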

From source file:dk.itst.oiosaml.sp.metadata.CRLChecker.java

/**
 * Resolves the CRL URL to check for the given entity.
 * <p>
 * A configured value ({@code Constants.PROP_CRL + entityId}) always wins. When nothing is
 * configured, the certificate's CRL Distribution Points extension (OID 2.5.29.31) is decoded
 * and every IA5String general name of a full-name distribution point is visited; the last
 * one seen is the result. The value is taken from the certificate as is, without checking
 * its scheme.
 *
 * @param conf        configuration holding the per-entity CRL property.
 * @param entityId    id of the entity whose CRL is looked up.
 * @param certificate certificate to fall back on when no URL is configured.
 * @return the CRL URL, or {@code null} when neither the configuration nor the certificate provides one.
 * @throws RuntimeException if the extension value cannot be decoded.
 */
private String getCRLUrl(Configuration conf, String entityId, X509Certificate certificate) {
    String url = conf.getString(Constants.PROP_CRL + entityId);
    log.debug("Checking CRL for " + entityId + " at " + url);
    if (url != null) {
        return url;
    }
    log.debug("No CRL configured for " + entityId + ". Set " + Constants.PROP_CRL + entityId
            + " in configuration");
    byte[] extensionValue = certificate.getExtensionValue("2.5.29.31");
    if (extensionValue == null) {
        return null;
    }
    try {
        CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(X509ExtensionUtil.fromExtensionValue(extensionValue));
        for (DistributionPoint dp : crlDistPoint.getDistributionPoints()) {
            // distributionPoint is optional; a point without a name has nothing to offer.
            if (dp.getDistributionPoint() == null) {
                continue;
            }
            Object dpName = dp.getDistributionPoint().getName();
            if (!(dpName instanceof GeneralNames)) {
                continue;
            }
            for (GeneralName generalName : ((GeneralNames) dpName).getNames()) {
                Object nameValue = generalName.getName();
                if (nameValue instanceof DERIA5String) {
                    // Every match overwrites the previous one, so the last IA5String wins.
                    url = ((DERIA5String) nameValue).getString();
                }
            }
        }
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
    return url;
}

From source file:net.ripe.rpki.commons.provisioning.cms.ProvisioningCmsObjectParser.java

/**
 * Tells whether the certificate is an end-entity certificate according to its
 * Basic Constraints extension.
 *
 * @param certificate the certificate to classify.
 * @return {@code true} when the Basic Constraints extension is absent or its cA flag
 *         is not set; {@code false} when the extension marks the certificate as a CA.
 * @throws ProvisioningCmsObjectParserException if the extension value cannot be decoded.
 */
private boolean isEndEntityCertificate(X509Certificate certificate) {
    byte[] basicConstraintsExtension = certificate
            .getExtensionValue(X509Extension.basicConstraints.getId());
    if (basicConstraintsExtension == null) {
        // RFC 5280 section 4.2.1.9: without the basic constraints extension the certified
        // public key MUST NOT be used to verify certificate signatures, i.e. not a CA.
        return true;
    }
    try {
        BasicConstraints constraints = BasicConstraints
                .getInstance(X509ExtensionUtil.fromExtensionValue(basicConstraintsExtension));
        return !constraints.isCA();
    } catch (IOException e) {
        throw new ProvisioningCmsObjectParserException("error while reading cms object certificate", e);
    }
}