List of usage examples for org.bouncycastle.asn1 ASN1EncodableVector ASN1EncodableVector
public ASN1EncodableVector()
From source file:org.cesecore.certificates.certificate.certextensions.BasicCertificateExtension.java
License:Open Source License
/** * Tries to read the hex-string as an DERObject. If it contains more than one ASN1Encodable object, return a DERSequence of the objects. *///from w w w . j a v a2 s . co m private ASN1Encodable parseHexEncodedDERObject(String value) throws CertificateExtensionException { ASN1Encodable retval = null; if (value.matches("^\\p{XDigit}*")) { byte[] bytes = Hex.decode(value); try { ASN1InputStream ais = new ASN1InputStream(bytes); ASN1Encodable firstObject = ais.readObject(); if (ais.available() > 0) { ASN1EncodableVector ev = new ASN1EncodableVector(); ev.add(firstObject); while (ais.available() > 0) { ev.add(ais.readObject()); } retval = new DERSequence(ev); } else { retval = firstObject; } ais.close(); } catch (Exception e) { throw new CertificateExtensionException(intres.getLocalizedMessage("certext.basic.illegalvalue", value, Integer.valueOf(getId()), getOID())); } } else { throw new CertificateExtensionException(intres.getLocalizedMessage("certext.basic.illegalvalue", value, Integer.valueOf(getId()), getOID())); } return retval; }
From source file:org.cesecore.certificates.certificate.certextensions.BasicCertificateExtensionTest.java
License:Open Source License
@Test public void test12DERObjectExtension() throws Exception { Properties props = new Properties(); props.put("id1.property.encoding", "DEROBJECT"); ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(new DERPrintableString("foo1")); vec.add(new DERPrintableString("foo2")); vec.add(new DERPrintableString("foo3")); DERSet set = new DERSet(vec); String str = new String(Hex.encode(set.getEncoded())); props.put("id1.property.value", str); BasicCertificateExtension baseExt = new BasicCertificateExtension(); baseExt.init(1, "1.2.3", false, props); ASN1Encodable value = getObject(baseExt.getValueEncoded(null, null, null, null, null, null)); assertTrue(value.getClass().toString(), value instanceof DLSet); DLSet set1 = (DLSet) value;// w ww.ja v a2 s. c om assertEquals(3, set1.size()); props = new Properties(); props.put("id1.property.encoding", "DEROBJECT"); props.put("id1.property.value", "This is not an asn1 hex encoded object"); baseExt = new BasicCertificateExtension(); baseExt.init(1, "1.2.3", false, props); try { value = getObject(baseExt.getValueEncoded(null, null, null, null, null, null)); assertTrue("Should throw", false); } catch (CertificateExtensionException e) { // NOPMD } }
From source file:org.cesecore.certificates.certificate.certextensions.standard.AuthorityInformationAccess.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) throws CertificateExtensionException { final ASN1EncodableVector accessList = new ASN1EncodableVector(); GeneralName accessLocation;//from w ww. ja v a2s . c o m String url; // caIssuers final List<String> caIssuers = certProfile.getCaIssuers(); if (caIssuers != null) { for (final Iterator<String> it = caIssuers.iterator(); it.hasNext();) { url = it.next(); if (StringUtils.isNotEmpty(url)) { accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_caIssuers, accessLocation)); } } } // ocsp url final X509CA x509ca = (X509CA) ca; url = certProfile.getOCSPServiceLocatorURI(); if (certProfile.getUseDefaultOCSPServiceLocator()) { url = x509ca.getDefaultOCSPServiceLocator(); } if (StringUtils.isNotEmpty(url)) { accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_ocsp, accessLocation)); } org.bouncycastle.asn1.x509.AuthorityInformationAccess ret = null; if (accessList.size() > 0) { ret = org.bouncycastle.asn1.x509.AuthorityInformationAccess.getInstance(new DERSequence(accessList)); } if (ret == null) { log.error("AuthorityInformationAccess is used, but nor caIssuers not Ocsp url are defined!"); } return ret; }
From source file:org.cesecore.certificates.certificate.certextensions.standard.AuthorityKeyIdentifier.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) throws CertificateExtensionException { org.bouncycastle.asn1.x509.AuthorityKeyIdentifier ret = null; // Default value is that we calculate it from scratch! // (If this is a root CA we must calculate the AuthorityKeyIdentifier from scratch) // (If the CA signing this cert does not have a SubjectKeyIdentifier we must calculate the AuthorityKeyIdentifier from scratch) final byte[] keybytes = caPublicKey.getEncoded(); ASN1InputStream inputStream = new ASN1InputStream(new ByteArrayInputStream(keybytes)); try {/* www.j a v a2 s.c o m*/ try { final SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo((ASN1Sequence) inputStream.readObject()); ret = new org.bouncycastle.asn1.x509.AuthorityKeyIdentifier(apki); // If we have a CA-certificate (i.e. this is not a Root CA), we must take the authority key identifier from // the CA-certificates SubjectKeyIdentifier if it exists. If we don't do that we will get the wrong identifier if the // CA does not follow RFC3280 (guess if MS-CA follows RFC3280?) final X509Certificate cacert = (X509Certificate) ca.getCACertificate(); final boolean isRootCA = (certProfile.getType() == CertificateConstants.CERTTYPE_ROOTCA); if ((cacert != null) && (!isRootCA)) { byte[] akibytes; akibytes = CertTools.getSubjectKeyId(cacert); if (akibytes != null) { // TODO: The code below is snipped from AuthorityKeyIdentifier.java in BC 1.36, because there is no method there // to set only a pre-computed key identifier // This should be replaced when such a method is added to BC final ASN1OctetString keyidentifier = new DEROctetString(akibytes); final ASN1EncodableVector v = new ASN1EncodableVector(); v.add(new DERTaggedObject(false, 0, keyidentifier)); final ASN1Sequence seq = new DERSequence(v); ret = org.bouncycastle.asn1.x509.AuthorityKeyIdentifier.getInstance(seq); if (log.isDebugEnabled()) { log.debug("Using AuthorityKeyIdentifier from CA-certificates SubjectKeyIdentifier."); } } } } finally { inputStream.close(); } } catch (IOException e) { throw new CertificateExtensionException("IOException parsing CA public key: " + e.getMessage(), e); } return ret; }
From source file:org.cesecore.certificates.certificate.certextensions.standard.CertificatePolicies.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) throws CertificateExtensionException { DERSequence ret = null;/*from w ww .j a v a 2 s . com*/ // The UserNotice policy qualifier can have two different character encodings, // the correct one (UTF8) or the wrong one (BMP) used by IE < 7. final X509CA x509ca = (X509CA) ca; int displayencoding = DisplayText.CONTENT_TYPE_BMPSTRING; if (x509ca.getUseUTF8PolicyText()) { displayencoding = DisplayText.CONTENT_TYPE_UTF8STRING; } // Iterate through policies and add oids and policy qualifiers if they exist final List<CertificatePolicy> policies = certProfile.getCertificatePolicies(); final Map<ASN1ObjectIdentifier, ASN1EncodableVector> policiesMap = new HashMap<ASN1ObjectIdentifier, ASN1EncodableVector>(); // Each Policy OID can be entered several times, with different qualifiers, // because of this we make a map of oid and qualifiers, and we can add a new qualifier // in each round of this for loop for (final Iterator<CertificatePolicy> it = policies.iterator(); it.hasNext();) { final CertificatePolicy policy = it.next(); final ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier(policy.getPolicyID()); final ASN1EncodableVector qualifiers; if (policiesMap.containsKey(oid)) { qualifiers = policiesMap.get(oid); } else { qualifiers = new ASN1EncodableVector(); } final PolicyQualifierInfo pqi = getPolicyQualifierInformation(policy, displayencoding); if (pqi != null) { qualifiers.add(pqi); } policiesMap.put(oid, qualifiers); } final ASN1EncodableVector seq = new ASN1EncodableVector(); for (final Iterator<ASN1ObjectIdentifier> it = policiesMap.keySet().iterator(); it.hasNext();) { final ASN1ObjectIdentifier oid = it.next(); final ASN1EncodableVector qualifiers = policiesMap.get(oid); if (qualifiers.size() == 0) { seq.add(new PolicyInformation(oid, null)); } else { seq.add(new PolicyInformation(oid, new DERSequence(qualifiers))); } } if (seq.size() > 0) { ret = new DERSequence(seq); } if (ret == null) { log.error("Certificate policies missconfigured, no policies present!"); } return ret; }
From source file:org.cesecore.certificates.certificate.certextensions.standard.CrlDistributionPoints.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) throws CertificateExtensionException { String crldistpoint = certProfile.getCRLDistributionPointURI(); String crlissuer = certProfile.getCRLIssuer(); final X509CA x509ca = (X509CA) ca; if (certProfile.getUseDefaultCRLDistributionPoint()) { crldistpoint = x509ca.getDefaultCRLDistPoint(); crlissuer = x509ca.getDefaultCRLIssuer(); }/* w w w .java2s . co m*/ // Multiple CDPs are separated with the ';' sign final ArrayList<DistributionPointName> dpns = new ArrayList<DistributionPointName>(); if (StringUtils.isNotEmpty(crldistpoint)) { final Iterator<String> it = StringTools.splitURIs(crldistpoint).iterator(); while (it.hasNext()) { // 6 is URI final String uri = (String) it.next(); final GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(uri)); if (log.isDebugEnabled()) { log.debug("Added CRL distpoint: " + uri); } final ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(gn); final GeneralNames gns = GeneralNames.getInstance(new DERSequence(vec)); final DistributionPointName dpn = new DistributionPointName(0, gns); dpns.add(dpn); } } // CRL issuer works much like Dist point URI. If separated by ; it is put in the same global distPoint as the URI, // if there is more of one of them, the one with more is put in an own global distPoint. final ArrayList<GeneralNames> issuers = new ArrayList<GeneralNames>(); if (StringUtils.isNotEmpty(crlissuer)) { final StringTokenizer tokenizer = new StringTokenizer(crlissuer, ";", false); while (tokenizer.hasMoreTokens()) { final String issuer = tokenizer.nextToken(); final GeneralName gn = new GeneralName(new X500Name(issuer)); if (log.isDebugEnabled()) { log.debug("Added CRL issuer: " + issuer); } final ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(gn); final GeneralNames gns = GeneralNames.getInstance(new DERSequence(vec)); issuers.add(gns); } } final ArrayList<DistributionPoint> distpoints = new ArrayList<DistributionPoint>(); if ((!issuers.isEmpty()) || (!dpns.isEmpty())) { int i = dpns.size(); if (issuers.size() > i) { i = issuers.size(); } for (int j = 0; j < i; j++) { DistributionPointName dpn = null; GeneralNames issuer = null; if (dpns.size() > j) { dpn = (DistributionPointName) dpns.get(j); } if (issuers.size() > j) { issuer = (GeneralNames) issuers.get(j); } if ((dpn != null) || (issuer != null)) { distpoints.add(new DistributionPoint(dpn, null, issuer)); } } } CRLDistPoint ret = null; if (!distpoints.isEmpty()) { ret = new CRLDistPoint( (DistributionPoint[]) distpoints.toArray(new DistributionPoint[distpoints.size()])); } if (ret == null) { log.error("DrlDistributionPoints missconfigured, no distribution points available."); } return ret; }
From source file:org.cesecore.certificates.certificate.certextensions.standard.DocumentTypeList.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) { ArrayList<String> docTypes = certProfile.getDocumentTypeList(); if (docTypes.size() == 0) { if (log.isDebugEnabled()) { log.debug("No DocumentTypeList to make a certificate extension"); }/* ww w . j a v a2s . com*/ return null; } ASN1EncodableVector vec = new ASN1EncodableVector(); // version vec.add(new ASN1Integer(0)); // Add SET OF DocumentType Iterator<String> itr = docTypes.iterator(); while (itr.hasNext()) { String type = itr.next(); vec.add(new DERSet(new ASN1Encodable[] { new DERPrintableString(type) })); } ASN1Object gn = new DERSequence(vec); if (log.isDebugEnabled()) { log.debug("Constructed DocumentTypeList:"); log.debug(ASN1Dump.dumpAsString(gn, true)); } return gn; }
From source file:org.cesecore.certificates.certificate.certextensions.standard.FreshestCrl.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) throws CertificateExtensionException { String freshestcrldistpoint = certProfile.getFreshestCRLURI(); final X509CA x509ca = (X509CA) ca; if (certProfile.getUseCADefinedFreshestCRL()) { freshestcrldistpoint = x509ca.getCADefinedFreshestCRL(); }/*from w ww . j a v a 2 s . c o m*/ // Multiple FCDPs are separated with the ';' sign CRLDistPoint ret = null; if (freshestcrldistpoint != null) { final StringTokenizer tokenizer = new StringTokenizer(freshestcrldistpoint, ";", false); final ArrayList<DistributionPoint> distpoints = new ArrayList<DistributionPoint>(); while (tokenizer.hasMoreTokens()) { final String uri = tokenizer.nextToken(); final GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(uri)); if (log.isDebugEnabled()) { log.debug("Added freshest CRL distpoint: " + uri); } final ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(gn); final GeneralNames gns = GeneralNames.getInstance(new DERSequence(vec)); final DistributionPointName dpn = new DistributionPointName(0, gns); distpoints.add(new DistributionPoint(dpn, null, null)); } if (!distpoints.isEmpty()) { ret = new CRLDistPoint( (DistributionPoint[]) distpoints.toArray(new DistributionPoint[distpoints.size()])); } } if (ret == null) { log.error("UseFreshestCRL is true, but no URI string defined!"); } return ret; }
From source file:org.cesecore.certificates.certificate.certextensions.standard.PrivateKeyUsagePeriod.java
License:Open Source License
private static DERSequence privateKeyUsagePeriod(final Date notBefore, final Date notAfter) throws CertificateExtensionException { // Create the extension. // PrivateKeyUsagePeriod ::= SEQUENCE { // notBefore [0] GeneralizedTime OPTIONAL, // notAfter [1] GeneralizedTime OPTIONAL } final ASN1EncodableVector v = new ASN1EncodableVector(); if (notBefore != null) { v.add(new DERTaggedObject(false, 0, new DERGeneralizedTime(notBefore))); }/*from www . jav a 2 s . c o m*/ if (notAfter != null) { v.add(new DERTaggedObject(false, 1, new DERGeneralizedTime(notAfter))); } if (v.size() == 0) { throw new CertificateExtensionException("At least one of notBefore and notAfter must be specified!"); } return new DERSequence(v); }
From source file:org.cesecore.certificates.certificate.certextensions.standard.QcStatement.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) throws CertificateExtensionException { DERSequence ret = null;// w w w . java 2 s . co m final String names = certProfile.getQCStatementRAName(); final GeneralNames san = CertTools.getGeneralNamesFromAltName(names); SemanticsInformation si = null; if (san != null) { if (StringUtils.isNotEmpty(certProfile.getQCSemanticsId())) { si = new SemanticsInformation(new ASN1ObjectIdentifier(certProfile.getQCSemanticsId()), san.getNames()); } else { si = new SemanticsInformation(san.getNames()); } } else if (StringUtils.isNotEmpty(certProfile.getQCSemanticsId())) { si = new SemanticsInformation(new ASN1ObjectIdentifier(certProfile.getQCSemanticsId())); } final ArrayList<QCStatement> qcs = new ArrayList<QCStatement>(); QCStatement qc = null; // First the standard rfc3739 QCStatement with an optional SematicsInformation // We never add RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v1. This is so old so we think it has never been used in the wild basically. // That means no need to have code we have to maintain for that. if (certProfile.getUsePkixQCSyntaxV2()) { ASN1ObjectIdentifier pkixQcSyntax = RFC3739QCObjectIdentifiers.id_qcs_pkixQCSyntax_v2; if ((si != null)) { qc = new QCStatement(pkixQcSyntax, si); qcs.add(qc); } else { qc = new QCStatement(pkixQcSyntax); qcs.add(qc); } } // ETSI Statement that the certificate is a Qualified Certificate if (certProfile.getUseQCEtsiQCCompliance()) { qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_QcCompliance); qcs.add(qc); } // ETSI Statement regarding limit on the value of transactions // Both value and currency must be available for this extension if (certProfile.getUseQCEtsiValueLimit() && (certProfile.getQCEtsiValueLimit() >= 0) && (certProfile.getQCEtsiValueLimitCurrency() != null)) { final int limit = certProfile.getQCEtsiValueLimit(); // The exponent should be default 0 final int exponent = certProfile.getQCEtsiValueLimitExp(); final MonetaryValue value = new MonetaryValue( new Iso4217CurrencyCode(certProfile.getQCEtsiValueLimitCurrency()), limit, exponent); qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_LimiteValue, value); qcs.add(qc); } if (certProfile.getUseQCEtsiRetentionPeriod()) { final ASN1Integer years = new ASN1Integer(((Integer) certProfile.getQCEtsiRetentionPeriod())); qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_RetentionPeriod, years); qcs.add(qc); } // ETSI Statement claiming that the private key resides in a Signature Creation Device if (certProfile.getUseQCEtsiSignatureDevice()) { qc = new QCStatement(ETSIQCObjectIdentifiers.id_etsi_qcs_QcSSCD); qcs.add(qc); } // Custom UTF8String QC-statement: // qcStatement-YourCustom QC-STATEMENT ::= { SYNTAX YourCustomUTF8String // IDENTIFIED BY youroid } // -- This statement gives you the possibility to define your own QC-statement // -- using an OID and a simple UTF8String, with describing text. A sample text could for example be: // -- This certificate, according to Act. No. xxxx Electronic Signature Law is a qualified electronic certificate // // YourCustomUTF8String ::= UTF8String if (certProfile.getUseQCCustomString() && !StringUtils.isEmpty(certProfile.getQCCustomStringOid()) && !StringUtils.isEmpty(certProfile.getQCCustomStringText())) { final DERUTF8String str = new DERUTF8String(certProfile.getQCCustomStringText()); final ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier(certProfile.getQCCustomStringOid()); qc = new QCStatement(oid, str); qcs.add(qc); } if (!qcs.isEmpty()) { final ASN1EncodableVector vec = new ASN1EncodableVector(); final Iterator<QCStatement> iter = qcs.iterator(); while (iter.hasNext()) { final QCStatement q = (QCStatement) iter.next(); vec.add(q); } ret = new DERSequence(vec); } if (ret == null) { log.error( "Qualified certificate statements extension has been enabled, but no statements were included!"); throw new CertificateExtensionException( "If qualified certificate statements extension has been enabled, at least one statement must be included!"); } return ret; }