List of usage examples for java.security.cert X509Certificate getKeyUsage
public abstract boolean[] getKeyUsage();
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeMultipleKeyIdRequestTest.java
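/**
 * CMP over HTTP with key id "KeyId1": enrol, confirm, revoke the issued certificate and
 * finally send a revocation request for a serial number that was never issued.
 *
 * <p>Asserted profile for KeyId1: key usage exactly digitalSignature (bit 0) and country
 * "SE" in the subject DN. A certificate without a KeyUsage extension now fails with an
 * assertion message instead of a {@link NullPointerException} on the bit array.
 *
 * @throws Exception on any encoding, transport or assertion failure
 */
@Test
public void test02CrmfHttpOkUserKeyId1() throws Exception {
    byte[] nonce = CmpMessageHelper.createSenderNonce();
    byte[] transid = CmpMessageHelper.createSenderNonce();
    PKIMessage one = genCertReq(this.issuerDN1, userDN1, this.keys, this.cacert1, nonce, transid, true,
            null, null, null, null, null, null);
    PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, "KeyId1", 567);
    CertReqMessages ir = (CertReqMessages) req.getBody().getContent();
    int reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    assertNotNull(req);
    ByteArrayOutputStream bao = new ByteArrayOutputStream();
    DEROutputStream out = new DEROutputStream(bao);
    out.writeObject(req);
    byte[] ba = bao.toByteArray();
    // Send request and receive response
    byte[] resp = sendCmpHttp(ba, 200, configAlias);
    checkCmpResponseGeneral(resp, this.issuerDN1, userDN1, this.cacert1, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    X509Certificate cert = checkCmpCertRepMessage(userDN1, this.cacert1, resp, reqId);
    String altNames = CertTools.getSubjectAlternativeName(cert);
    assertTrue(altNames.contains("upn=fooupn@bar.com"));
    assertTrue(altNames.contains("rfc822name=fooemail@bar.com"));
    // Key usage must be digitalSignature only for KeyId1 (KeyId2 gets nonRepudiation).
    // getKeyUsage() returns null when the extension is absent, so guard before indexing.
    boolean[] ku = cert.getKeyUsage();
    assertNotNull("KeyUsage extension missing from issued certificate", ku);
    assertTrue("digitalSignature (bit 0) must be set", ku[0]);
    for (int bit = 1; bit < 9; bit++) {
        assertFalse("key usage bit " + bit + " must not be set", ku[bit]);
    }
    // Check DN that must be SE for KeyId1
    assertEquals("SE", CertTools.getPartFromDN(cert.getSubjectDN().getName(), "C"));
    // Send a confirm message to the CA
    String hash = "foo123";
    PKIMessage confirm = genCertConfirm(userDN1, this.cacert1, nonce, transid, hash, reqId);
    assertNotNull(confirm);
    PKIMessage req1 = protectPKIMessage(confirm, false, PBEPASSWORD, 567);
    bao = new ByteArrayOutputStream();
    out = new DEROutputStream(bao);
    out.writeObject(req1);
    ba = bao.toByteArray();
    // Send request and receive response
    resp = sendCmpHttp(ba, 200, configAlias);
    checkCmpResponseGeneral(resp, this.issuerDN1, userDN1, this.cacert1, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    checkCmpPKIConfirmMessage(userDN1, this.cacert1, resp);
    // Revoke the certificate that was just issued
    PKIMessage rev = genRevReq(this.issuerDN1, userDN1, cert.getSerialNumber(), this.cacert1, nonce, transid,
            true, null, null);
    PKIMessage revReq = protectPKIMessage(rev, false, PBEPASSWORD, 567);
    assertNotNull(revReq);
    bao = new ByteArrayOutputStream();
    out = new DEROutputStream(bao);
    out.writeObject(revReq);
    ba = bao.toByteArray();
    // Send request and receive response
    resp = sendCmpHttp(ba, 200, configAlias);
    checkCmpResponseGeneral(resp, this.issuerDN1, userDN1, this.cacert1, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    checkCmpRevokeConfirmMessage(this.issuerDN1, userDN1, cert.getSerialNumber(), this.cacert1, resp, true);
    int reason = checkRevokeStatus(this.issuerDN1, cert.getSerialNumber());
    // JUnit convention: expected value first, actual second.
    assertEquals(RevokedCertInfo.REVOCATION_REASON_CESSATIONOFOPERATION, reason);
    // A revocation request for a serial number that was never issued must be rejected
    rev = genRevReq(this.issuerDN1, userDN1, new BigInteger("1"), this.cacert1, nonce, transid, true, null, null);
    revReq = protectPKIMessage(rev, false, PBEPASSWORD, 567);
    assertNotNull(revReq);
    bao = new ByteArrayOutputStream();
    out = new DEROutputStream(bao);
    out.writeObject(revReq);
    ba = bao.toByteArray();
    // Send request and receive response
    resp = sendCmpHttp(ba, 200, configAlias);
    checkCmpResponseGeneral(resp, this.issuerDN1, userDN1, this.cacert1, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    // NOTE(review): the issued serial is passed here although serial 1 was requested;
    // presumably the helper only inspects the failure status when success=false - confirm.
    checkCmpRevokeConfirmMessage(this.issuerDN1, userDN1, cert.getSerialNumber(), this.cacert1, resp, false);
}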
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeMultipleKeyIdRequestTest.java
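/**
 * CMP over TCP with key id "KeyId1": enrol and confirm.
 *
 * <p>Asserted profile for KeyId1: key usage exactly digitalSignature (bit 0) and country
 * "SE" in the subject DN. A certificate without a KeyUsage extension now fails with an
 * assertion message instead of a {@link NullPointerException} on the bit array.
 *
 * @throws Exception on any encoding, transport or assertion failure
 */
@Test
public void test03CrmfTcpOkUserKeyId1() throws Exception {
    byte[] nonce = CmpMessageHelper.createSenderNonce();
    byte[] transid = CmpMessageHelper.createSenderNonce();
    PKIMessage one = genCertReq(this.issuerDN1, userDN1, this.keys, this.cacert1, nonce, transid, true,
            null, null, null, null, null, null);
    PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, "KeyId1", 567);
    CertReqMessages ir = (CertReqMessages) req.getBody().getContent();
    int reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    assertNotNull(req);
    ByteArrayOutputStream bao = new ByteArrayOutputStream();
    DEROutputStream out = new DEROutputStream(bao);
    out.writeObject(req);
    byte[] ba = bao.toByteArray();
    // Send request and receive response
    byte[] resp = sendCmpTcp(ba, 5);
    checkCmpResponseGeneral(resp, this.issuerDN1, userDN1, this.cacert1, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    X509Certificate cert = checkCmpCertRepMessage(userDN1, this.cacert1, resp, reqId);
    String altNames = CertTools.getSubjectAlternativeName(cert);
    assertTrue(altNames.contains("upn=fooupn@bar.com"));
    assertTrue(altNames.contains("rfc822name=fooemail@bar.com"));
    // Key usage must be digitalSignature only for KeyId1 (KeyId2 gets nonRepudiation).
    // getKeyUsage() returns null when the extension is absent, so guard before indexing.
    boolean[] ku = cert.getKeyUsage();
    assertNotNull("KeyUsage extension missing from issued certificate", ku);
    assertTrue("digitalSignature (bit 0) must be set", ku[0]);
    for (int bit = 1; bit < 9; bit++) {
        assertFalse("key usage bit " + bit + " must not be set", ku[bit]);
    }
    // Check DN that must be SE for KeyId1
    assertEquals("SE", CertTools.getPartFromDN(cert.getSubjectDN().getName(), "C"));
    // Send a confirm message to the CA
    String hash = "foo123";
    PKIMessage confirm = genCertConfirm(userDN1, this.cacert1, nonce, transid, hash, reqId);
    assertNotNull(confirm);
    PKIMessage req1 = protectPKIMessage(confirm, false, PBEPASSWORD, 567);
    bao = new ByteArrayOutputStream();
    out = new DEROutputStream(bao);
    out.writeObject(req1);
    ba = bao.toByteArray();
    // Send request and receive response
    resp = sendCmpTcp(ba, 5);
    checkCmpResponseGeneral(resp, this.issuerDN1, userDN1, this.cacert1, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    checkCmpPKIConfirmMessage(userDN1, this.cacert1, resp);
}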
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeMultipleKeyIdRequestTest.java
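/**
 * CMP over TCP with key id "KeyId2": enrol and confirm.
 *
 * <p>Asserted profile for KeyId2: key usage exactly nonRepudiation (bit 1) and country
 * "NO" in the subject DN. A certificate without a KeyUsage extension now fails with an
 * assertion message instead of a {@link NullPointerException} on the bit array.
 *
 * @throws Exception on any encoding, transport or assertion failure
 */
@Test
public void test04CrmfTcpOkUserKeyId2() throws Exception {
    byte[] nonce = CmpMessageHelper.createSenderNonce();
    byte[] transid = CmpMessageHelper.createSenderNonce();
    PKIMessage one = genCertReq(this.issuerDN2, userDN2, this.keys, this.cacert2, nonce, transid, true,
            null, null, null, null, null, null);
    PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, "KeyId2", 567);
    CertReqMessages ir = (CertReqMessages) req.getBody().getContent();
    int reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    assertNotNull(req);
    ByteArrayOutputStream bao = new ByteArrayOutputStream();
    DEROutputStream out = new DEROutputStream(bao);
    out.writeObject(req);
    byte[] ba = bao.toByteArray();
    // Send request and receive response
    byte[] resp = sendCmpTcp(ba, 5);
    checkCmpResponseGeneral(resp, this.issuerDN2, userDN2, this.cacert2, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    X509Certificate cert = checkCmpCertRepMessage(userDN2, this.cacert2, resp, reqId);
    String altNames = CertTools.getSubjectAlternativeName(cert);
    assertTrue(altNames.contains("upn=fooupn@bar.com"));
    assertTrue(altNames.contains("rfc822name=fooemail@bar.com"));
    // Key usage must be nonRepudiation only for KeyId2 (KeyId1 gets digitalSignature).
    // getKeyUsage() returns null when the extension is absent, so guard before indexing.
    boolean[] ku = cert.getKeyUsage();
    assertNotNull("KeyUsage extension missing from issued certificate", ku);
    assertTrue("nonRepudiation (bit 1) must be set", ku[1]);
    for (int bit = 0; bit < 9; bit++) {
        if (bit != 1) {
            assertFalse("key usage bit " + bit + " must not be set", ku[bit]);
        }
    }
    // Check DN that must be SE for KeyId1 and NO for KeyId2
    assertEquals("NO", CertTools.getPartFromDN(cert.getSubjectDN().getName(), "C"));
    // Send a confirm message to the CA
    String hash = "foo123";
    PKIMessage confirm = genCertConfirm(userDN2, this.cacert2, nonce, transid, hash, reqId);
    assertNotNull(confirm);
    PKIMessage req1 = protectPKIMessage(confirm, false, PBEPASSWORD, 567);
    bao = new ByteArrayOutputStream();
    out = new DEROutputStream(bao);
    out.writeObject(req1);
    ba = bao.toByteArray();
    // Send request and receive response
    resp = sendCmpTcp(ba, 5);
    checkCmpResponseGeneral(resp, this.issuerDN2, userDN2, this.cacert2, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    checkCmpPKIConfirmMessage(userDN2, this.cacert2, resp);
}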
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeMultipleKeyIdRequestTest.java
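/**
 * CMP over HTTP with key id "KeyId2": enrol, confirm and revoke.
 *
 * <p>Asserted profile for KeyId2: key usage exactly nonRepudiation (bit 1) and country
 * "NO" in the subject DN. A certificate without a KeyUsage extension now fails with an
 * assertion message instead of a {@link NullPointerException} on the bit array.
 *
 * @throws Exception on any encoding, transport or assertion failure
 */
@Test
public void test05CrmfHttpOkUserKeyId2() throws Exception {
    byte[] nonce = CmpMessageHelper.createSenderNonce();
    byte[] transid = CmpMessageHelper.createSenderNonce();
    PKIMessage one = genCertReq(this.issuerDN2, userDN2, this.keys, this.cacert2, nonce, transid, true,
            null, null, null, null, null, null);
    PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, "KeyId2", 567);
    CertReqMessages ir = (CertReqMessages) req.getBody().getContent();
    int reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    assertNotNull(req);
    ByteArrayOutputStream bao = new ByteArrayOutputStream();
    DEROutputStream out = new DEROutputStream(bao);
    out.writeObject(req);
    byte[] ba = bao.toByteArray();
    // Send request and receive response
    byte[] resp = sendCmpHttp(ba, 200, configAlias);
    checkCmpResponseGeneral(resp, this.issuerDN2, userDN2, this.cacert2, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    X509Certificate cert = checkCmpCertRepMessage(userDN2, this.cacert2, resp, reqId);
    String altNames = CertTools.getSubjectAlternativeName(cert);
    assertTrue(altNames.contains("upn=fooupn@bar.com"));
    assertTrue(altNames.contains("rfc822name=fooemail@bar.com"));
    // Key usage must be nonRepudiation only for KeyId2 (KeyId1 gets digitalSignature).
    // getKeyUsage() returns null when the extension is absent, so guard before indexing.
    boolean[] ku = cert.getKeyUsage();
    assertNotNull("KeyUsage extension missing from issued certificate", ku);
    assertTrue("nonRepudiation (bit 1) must be set", ku[1]);
    for (int bit = 0; bit < 9; bit++) {
        if (bit != 1) {
            assertFalse("key usage bit " + bit + " must not be set", ku[bit]);
        }
    }
    // Check DN that must be SE for KeyId1 and NO for KeyId2
    assertEquals("NO", CertTools.getPartFromDN(cert.getSubjectDN().getName(), "C"));
    // Send a confirm message to the CA
    String hash = "foo123";
    PKIMessage confirm = genCertConfirm(userDN2, this.cacert2, nonce, transid, hash, reqId);
    assertNotNull(confirm);
    PKIMessage req1 = protectPKIMessage(confirm, false, PBEPASSWORD, 567);
    bao = new ByteArrayOutputStream();
    out = new DEROutputStream(bao);
    out.writeObject(req1);
    ba = bao.toByteArray();
    // Send request and receive response
    resp = sendCmpHttp(ba, 200, configAlias);
    checkCmpResponseGeneral(resp, this.issuerDN2, userDN2, this.cacert2, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    checkCmpPKIConfirmMessage(userDN2, this.cacert2, resp);
    // Revoke the certificate that was just issued
    PKIMessage rev = genRevReq(this.issuerDN2, userDN2, cert.getSerialNumber(), this.cacert2, nonce, transid,
            true, null, null);
    PKIMessage revReq = protectPKIMessage(rev, false, PBEPASSWORD, 567);
    assertNotNull(revReq);
    bao = new ByteArrayOutputStream();
    out = new DEROutputStream(bao);
    out.writeObject(revReq);
    ba = bao.toByteArray();
    // Send request and receive response
    resp = sendCmpHttp(ba, 200, configAlias);
    checkCmpResponseGeneral(resp, this.issuerDN2, userDN2, this.cacert2, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    checkCmpRevokeConfirmMessage(this.issuerDN2, userDN2, cert.getSerialNumber(), this.cacert2, resp, true);
    int reason = checkRevokeStatus(this.issuerDN2, cert.getSerialNumber());
    // JUnit convention: expected value first, actual second.
    assertEquals(RevokedCertInfo.REVOCATION_REASON_CESSATIONOFOPERATION, reason);
}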
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeMultipleKeyIdRequestTest.java
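/**
 * CMP over TCP with key id "KeyId3": enrol and confirm.
 *
 * <p>For KeyId3 the key usage is expected to be taken from the request (see
 * {@code genCertReq}), so the issued certificate must carry digitalSignature (bit 0),
 * nonRepudiation (bit 1) and keyEncipherment (bit 2) and nothing else; the country must be
 * "NO". A certificate without a KeyUsage extension now fails with an assertion message
 * instead of a {@link NullPointerException} on the bit array.
 *
 * @throws Exception on any encoding, transport or assertion failure
 */
@Test
public void test06CrmfTcpOkUserKeyId3() throws Exception {
    byte[] nonce = CmpMessageHelper.createSenderNonce();
    byte[] transid = CmpMessageHelper.createSenderNonce();
    PKIMessage one = genCertReq(this.issuerDN2, userDN2, this.keys, this.cacert2, nonce, transid, true,
            null, null, null, null, null, null);
    PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, "KeyId3", 567);
    CertReqMessages ir = (CertReqMessages) req.getBody().getContent();
    int reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    assertNotNull(req);
    ByteArrayOutputStream bao = new ByteArrayOutputStream();
    DEROutputStream out = new DEROutputStream(bao);
    out.writeObject(req);
    byte[] ba = bao.toByteArray();
    // Send request and receive response
    byte[] resp = sendCmpTcp(ba, 5);
    checkCmpResponseGeneral(resp, this.issuerDN2, userDN2, this.cacert2, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    X509Certificate cert = checkCmpCertRepMessage(userDN2, this.cacert2, resp, reqId);
    String altNames = CertTools.getSubjectAlternativeName(cert);
    assertTrue(altNames.contains("upn=fooupn@bar.com"));
    assertTrue(altNames.contains("rfc822name=fooemail@bar.com"));
    // Key usage for KeyId3 is taken from the request (see genCertReq): digitalSignature,
    // nonRepudiation and keyEncipherment must be set, bits 3..8 must be clear.
    // getKeyUsage() returns null when the extension is absent, so guard before indexing.
    boolean[] ku = cert.getKeyUsage();
    assertNotNull("KeyUsage extension missing from issued certificate", ku);
    assertTrue("digitalSignature (bit 0) must be set", ku[0]);
    assertTrue("nonRepudiation (bit 1) must be set", ku[1]);
    assertTrue("keyEncipherment (bit 2) must be set", ku[2]);
    for (int bit = 3; bit < 9; bit++) {
        assertFalse("key usage bit " + bit + " must not be set", ku[bit]);
    }
    // Check DN that must be SE for KeyId1 and NO for KeyId2
    assertEquals("NO", CertTools.getPartFromDN(cert.getSubjectDN().getName(), "C"));
    // Send a confirm message to the CA
    String hash = "foo123";
    PKIMessage confirm = genCertConfirm(userDN2, this.cacert2, nonce, transid, hash, reqId);
    assertNotNull(confirm);
    PKIMessage req1 = protectPKIMessage(confirm, false, PBEPASSWORD, 567);
    bao = new ByteArrayOutputStream();
    out = new DEROutputStream(bao);
    out.writeObject(req1);
    ba = bao.toByteArray();
    // Send request and receive response
    resp = sendCmpTcp(ba, 5);
    checkCmpResponseGeneral(resp, this.issuerDN2, userDN2, this.cacert2, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    checkCmpPKIConfirmMessage(userDN2, this.cacert2, resp);
}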
From source file:org.ejbca.core.protocol.cmp.CrmfRAPbeMultipleKeyIdRequestTest.java
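/**
 * Extension override: the same request, carrying a set of caller-chosen extensions, is sent
 * once under "KeyId2" (no override: the profile wins, none of our extensions may appear)
 * and once under "KeyId4" (full override: our extensions, including a decipherOnly-only
 * KeyUsage and a codeSigning EKU, must appear in the issued certificate).
 *
 * <p>Certificate confirmation is deliberately skipped here; it is covered by the other
 * tests in this class. KeyUsage bit arrays are null-checked before indexing so a missing
 * extension produces an assertion message rather than a {@link NullPointerException}.
 *
 * @throws Exception on any encoding, transport or assertion failure
 */
@Test
public void test07ExtensionOverride() throws Exception {
    byte[] nonce = CmpMessageHelper.createSenderNonce();
    byte[] transid = CmpMessageHelper.createSenderNonce();
    // Build an extension set that a profile would never produce, so that its presence or
    // absence in the issued certificate shows whether extension override was applied.
    ExtensionsGenerator extgen = new ExtensionsGenerator();
    // SubjectAltName
    GeneralNames san = CertTools.getGeneralNamesFromAltName("dnsName=foo.bar.com");
    extgen.addExtension(Extension.subjectAlternativeName, false, san);
    // KeyUsage: decipherOnly only (bit 8)
    int bcku = X509KeyUsage.decipherOnly;
    X509KeyUsage ku = new X509KeyUsage(bcku);
    extgen.addExtension(Extension.keyUsage, false, ku);
    // Extended Key Usage
    List<KeyPurposeId> usage = new ArrayList<KeyPurposeId>();
    usage.add(KeyPurposeId.id_kp_codeSigning);
    ExtendedKeyUsage eku = ExtendedKeyUsage.getInstance(usage);
    extgen.addExtension(Extension.extendedKeyUsage, false, eku);
    // OcspNoCheck
    extgen.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, DERNull.INSTANCE);
    // Netscape cert type
    extgen.addExtension(new ASN1ObjectIdentifier("2.16.840.1.113730.1.1"), false,
            new NetscapeCertType(NetscapeCertType.objectSigningCA));
    // A private extension of our own
    extgen.addExtension(new ASN1ObjectIdentifier("1.1.1.1.1"), false, new DERIA5String("PrimeKey"));
    // Make the complete extension package
    Extensions exts = extgen.generate();

    // First test without extension override (KeyId2)
    PKIMessage one = genCertReq(this.issuerDN2, userDN2, this.keys, this.cacert2, nonce, transid, true, exts,
            null, null, null, null, null);
    PKIMessage req = protectPKIMessage(one, false, PBEPASSWORD, "KeyId2", 567);
    CertReqMessages ir = (CertReqMessages) req.getBody().getContent();
    int reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    assertNotNull(req);
    ByteArrayOutputStream bao = new ByteArrayOutputStream();
    DEROutputStream out = new DEROutputStream(bao);
    out.writeObject(req);
    byte[] ba = bao.toByteArray();
    // Send request and receive response
    byte[] resp = sendCmpTcp(ba, 5);
    checkCmpResponseGeneral(resp, this.issuerDN2, userDN2, this.cacert2, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    X509Certificate cert = checkCmpCertRepMessage(userDN2, this.cacert2, resp, reqId);
    String altNames = CertTools.getSubjectAlternativeName(cert);
    assertTrue(altNames.contains("dNSName=foo.bar.com"));
    // Without override the profile's KeyUsage applies: nonRepudiation only for KeyId2
    boolean[] kubits = cert.getKeyUsage();
    assertNotNull("KeyUsage extension missing from issued certificate", kubits);
    assertTrue("nonRepudiation (bit 1) must be set", kubits[1]);
    for (int bit = 0; bit < 9; bit++) {
        if (bit != 1) {
            assertFalse("key usage bit " + bit + " must not be set", kubits[bit]);
        }
    }
    // None of our own extensions may survive when override is off
    assertNull(cert.getExtensionValue("1.1.1.1.1"));
    assertNull(cert.getExtensionValue("2.16.840.1.113730.1.1"));
    assertNull(cert.getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId()));
    // Skip confirmation message, we have tested that several times already

    // Do the same with KeyId4, that has full extension override
    one = genCertReq(this.issuerDN2, userDN2, this.keys, this.cacert2, nonce, transid, true, exts, null, null,
            null, null, null);
    req = protectPKIMessage(one, false, PBEPASSWORD, "KeyId4", 567);
    ir = (CertReqMessages) req.getBody().getContent();
    reqId = ir.toCertReqMsgArray()[0].getCertReq().getCertReqId().getValue().intValue();
    assertNotNull(req);
    bao = new ByteArrayOutputStream();
    out = new DEROutputStream(bao);
    out.writeObject(req);
    ba = bao.toByteArray();
    // Send request and receive response
    resp = sendCmpTcp(ba, 5);
    checkCmpResponseGeneral(resp, this.issuerDN2, userDN2, this.cacert2, nonce, transid, false, PBEPASSWORD,
            PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
    cert = checkCmpCertRepMessage(userDN2, this.cacert2, resp, reqId);
    altNames = CertTools.getSubjectAlternativeName(cert);
    assertTrue(altNames.contains("dNSName=foo.bar.com"));
    // With override the requested KeyUsage applies: decipherOnly only for KeyId4
    kubits = cert.getKeyUsage();
    assertNotNull("KeyUsage extension missing from issued certificate", kubits);
    for (int bit = 0; bit < 8; bit++) {
        assertFalse("key usage bit " + bit + " must not be set", kubits[bit]);
    }
    assertTrue("decipherOnly (bit 8) must be set", kubits[8]);
    // With full override our own extensions must now be present
    assertNotNull(cert.getExtensionValue("1.1.1.1.1"));
    assertNotNull(cert.getExtensionValue("2.16.840.1.113730.1.1"));
    assertNotNull(cert.getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId()));
    List<String> l = cert.getExtendedKeyUsage();
    assertEquals(1, l.size());
    String s = l.get(0);
    assertEquals(KeyPurposeId.id_kp_codeSigning.getId(), s);
    // Skip confirmation message, we have tested that several times already
}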
From source file:org.ejbca.ui.web.CertificateView.java
/** Method that returns if key is allowed for given usage. Usage must be one of this class key usage constants. */ public boolean getKeyUsage(int usage) { boolean returnval = false; if (certificate instanceof X509Certificate) { X509Certificate x509cert = (X509Certificate) certificate; if (x509cert.getKeyUsage() != null) { returnval = x509cert.getKeyUsage()[usage]; }/* ww w. ja v a 2 s .c o m*/ } else { returnval = false; } return returnval; }
From source file:org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler.java
private boolean doesCertificateKeyUsageMatch(final X509Certificate certificate) { final String extensionOID = "2.5.29.15"; final boolean keyUsage[] = certificate.getKeyUsage(); /*// www .j ava2s .c o m * KeyUsage ::= BIT STRING { digitalSignature (0), nonRepudiation (1), * keyEncipherment (2), dataEncipherment (3), keyAgreement (4), * keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8) } */ if (keyUsage == null) { log.warn("isKeyUsageRequired?: " + this.requireKeyUsage + "; keyUsage not found."); return !this.requireKeyUsage; } log.debug("keyUsage extension found: examing..."); if (!isExtensionMarkedCritical(certificate, extensionOID) && !this.requireKeyUsage) { log.debug("match ok; keyUsage extension not critical and not required so not checked"); return true; } if (log.isDebugEnabled()) { log.debug("extension is marked critical in cert OR required by config" + "[critical=" + isExtensionMarkedCritical(certificate, extensionOID) + ";required=" + this.requireKeyUsage + "]"); } // we need digitalSignature for SSL client auth if (keyUsage[0]) { log.debug("match ok; keyUsage extension OK"); return true; } if (log.isWarnEnabled() && this.requireKeyUsage) { log.warn("match error; required/critical keyUsage extension fails" + "[critical=" + isExtensionMarkedCritical(certificate, extensionOID) + ";required=" + this.requireKeyUsage + "]"); } return false; }
From source file:org.sinekartads.smartcard.SmartCardAccess.java
public String[] certificateList() throws SmartCardAccessException { // Parse the certificate aliases String alias;//from www .j a va 2 s . co m List<String> aliases = new ArrayList<String>(); X509Certificate cert; for (X509PublicKeyCertificate iaikCert : iaikCertificateList()) { cert = toX509Certificate(iaikCert); if (cert.getKeyUsage()[1]) { alias = DNParser.parse(cert.getSubjectX500Principal().getName(), "CN"); aliases.add(alias); } } // return the aliases as an array return aliases.toArray(new String[aliases.size()]); }
From source file:org.sinekartads.smartcard.SmartCardAccess.java
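/**
 * Selects the on-card certificate whose subject CN equals {@code alias} and loads the
 * matching private-key handle into {@code iaikPrivateKey}.
 *
 * <p>The first certificate whose CN matches decides the outcome: it must assert the
 * nonRepudiation key-usage bit (bit 1) and be within its validity period, otherwise a
 * {@link CertificateListException} is thrown. The private key is located by matching the
 * PKCS#11 id of the certificate object.
 *
 * <p>Fixes relative to the original: when no certificate matches, {@code null} is
 * returned instead of the last certificate examined (which was returned as if selected
 * while {@code iaikPrivateKey} stayed {@code null}); a missing KeyUsage extension is
 * rejected instead of throwing {@link NullPointerException}; an empty key search result is
 * reported instead of throwing {@link ArrayIndexOutOfBoundsException}; the redundant
 * second {@code findObjects} call is gone.
 *
 * @param alias subject CN of the wanted certificate
 * @return the selected certificate, or {@code null} if no certificate on the card has that
 *     CN (in which case {@code iaikPrivateKey} is left {@code null})
 * @throws IllegalStateException if no PKCS#11 session has been opened yet
 * @throws SmartCardAccessException if the matching certificate is unusable or its private
 *     key cannot be read from the card
 */
public X509Certificate selectCertificate(String alias) throws SmartCardAccessException {
    if (iaikSession == null) {
        tracer.error("Session not initialized, login before");
        throw new IllegalStateException("Session not initialized, login before");
    }
    iaikPrivateKey = null;
    // Look for the suitable signing certificate with the given alias
    for (X509PublicKeyCertificate iaikCert : iaikCertificateList()) {
        // Transform the iaik certificate to a X509 instance
        X509Certificate cert = toX509Certificate(iaikCert);
        String curAlias = DNParser.parse(cert.getSubjectX500Principal().getName(), "CN");
        if (!curAlias.equals(alias)) {
            continue;
        }
        // Accept the certificate only if it asserts bit 1, nonRepudiation (contentCommitment);
        // the message text below is historical - bit 0 would be digitalSignature.
        boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage == null || !keyUsage[1]) {
            tracer.error("Invalid certificate, Not for digital signature!");
            throw new CertificateListException("Invalid certificate, Not for digital signature!");
        }
        try {
            cert.checkValidity();
        } catch (CertificateExpiredException e) {
            tracer.error("Invalid certificate, expired!", e);
            throw new CertificateListException("Invalid certificate, expired!", e);
        } catch (CertificateNotYetValidException e) {
            tracer.error("Invalid certificate, not yet valid!", e);
            throw new CertificateListException("Invalid certificate, not yet valid!", e);
        }
        try {
            // Init the privateKey seek: match the key object by the certificate's id attribute
            RSAPrivateKey iaikPrivateSignatureKeyTemplate = new RSAPrivateKey();
            iaikPrivateSignatureKeyTemplate.getId().setByteArrayValue(iaikCert.getId().getByteArrayValue());
            iaikSession.findObjectsInit(iaikPrivateSignatureKeyTemplate);
            // Look for the privateKey
            Object[] iaikCorrespondingKeys = iaikSession.findObjects(1);
            if (iaikCorrespondingKeys == null || iaikCorrespondingKeys.length == 0) {
                tracer.error("Unable to read private key from smart card (findObjectsInit)");
                throw new CertificateListException("Unable to read private key from smart card (findObjectsInit)");
            }
            // Store the private key handle into the iaikPrivateKey property
            iaikPrivateKey = (RSAPrivateKey) iaikCorrespondingKeys[0];
        } catch (TokenException e) {
            tracer.error("Unable to read private key from smart card (findObjectsInit)", e);
            throw new CertificateListException("Unable to read private key from smart card (findObjectsInit)", e);
        } finally {
            try {
                iaikSession.findObjectsFinal();
            } catch (TokenException e) {
                tracer.error("Unable to read private key from smart card (findObjectsFinal)", e);
                throw new CertificateListException("Unable to read private key from smart card (findObjectsFinal)", e);
            }
        }
        return cert;
    }
    // No certificate with that CN on the card: fail closed rather than hand back an unrelated one.
    return null;
}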