List of usage examples for org.bouncycastle.asn1 ASN1EncodableVector ASN1EncodableVector
public ASN1EncodableVector()
From source file:org.ejbca.core.ejb.ca.sign.SignSessionTest.java
License:Open Source License
public void test29TestExtensionOverride() throws Exception { final String altnames = "dNSName=foo1.bar.com,dNSName=foo2.bar.com,dNSName=foo3.bar.com,dNSName=foo4.bar.com,dNSName=foo5.bar.com,dNSName=foo6.bar.com,dNSName=foo7.bar.com,dNSName=foo8.bar.com,dNSName=foo9.bar.com,dNSName=foo10.bar.com,dNSName=foo11.bar.com,dNSName=foo12.bar.com,dNSName=foo13.bar.com,dNSName=foo14.bar.com,dNSName=foo15.bar.com,dNSName=foo16.bar.com,dNSName=foo17.bar.com,dNSName=foo18.bar.com,dNSName=foo19.bar.com,dNSName=foo20.bar.com,dNSName=foo21.bar.com"; // Create a good certificate profile (good enough), using QC statement certificateProfileSession.removeCertificateProfile(admin, "TESTEXTENSIONOVERRIDE"); EndUserCertificateProfile certprof = new EndUserCertificateProfile(); // Default profile does not allow Extension override certprof.setValidity(298);/*from ww w .j a va 2 s. c o m*/ certificateProfileSession.addCertificateProfile(admin, "TESTEXTENSIONOVERRIDE", certprof); int cprofile = certificateProfileSession.getCertificateProfileId(admin, "TESTEXTENSIONOVERRIDE"); // Create a good end entity profile (good enough), allowing multiple UPN // names endEntityProfileSession.removeEndEntityProfile(admin, "TESTEXTENSIONOVERRIDE"); EndEntityProfile profile = new EndEntityProfile(); profile.addField(DnComponents.COUNTRY); profile.addField(DnComponents.COMMONNAME); profile.setValue(EndEntityProfile.AVAILCAS, 0, Integer.toString(SecConst.ALLCAS)); profile.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, Integer.toString(cprofile)); endEntityProfileSession.addEndEntityProfile(admin, "TESTEXTENSIONOVERRIDE", profile); int eeprofile = endEntityProfileSession.getEndEntityProfileId(admin, "TESTEXTENSIONOVERRIDE"); UserDataVO user = new UserDataVO("foo", "C=SE,CN=extoverride", rsacaid, null, "foo@anatom.nu", SecConst.USER_ENDUSER, eeprofile, cprofile, SecConst.TOKEN_SOFT_PEM, 0, null); user.setPassword("foo123"); user.setStatus(UserDataConstants.STATUS_NEW); // Change a user that we know... userAdminSession.changeUser(admin, user, false); // Create a P10 with extensions, in this case altNames with a lot of DNS // names ASN1EncodableVector extensionattr = new ASN1EncodableVector(); extensionattr.add(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); // AltNames // String[] namearray = altnames.split(","); GeneralNames san = CertTools.getGeneralNamesFromAltName(altnames); ByteArrayOutputStream extOut = new ByteArrayOutputStream(); DEROutputStream derOut = new DEROutputStream(extOut); try { derOut.writeObject(san); } catch (IOException e) { throw new IllegalArgumentException("error encoding value: " + e); } // Extension request attribute is a set of X509Extensions // ASN1EncodableVector x509extensions = new ASN1EncodableVector(); // An X509Extensions is a sequence of Extension which is a sequence of // {oid, X509Extension} // ASN1EncodableVector extvalue = new ASN1EncodableVector(); Vector<DERObjectIdentifier> oidvec = new Vector<DERObjectIdentifier>(); oidvec.add(X509Extensions.SubjectAlternativeName); Vector<X509Extension> valuevec = new Vector<X509Extension>(); valuevec.add(new X509Extension(false, new DEROctetString(extOut.toByteArray()))); X509Extensions exts = new X509Extensions(oidvec, valuevec); extensionattr.add(new DERSet(exts)); // Complete the Attribute section of the request, the set (Attributes) // contains one sequence (Attribute) ASN1EncodableVector v = new ASN1EncodableVector(); v.add(new DERSequence(extensionattr)); DERSet attributes = new DERSet(v); // Create PKCS#10 certificate request PKCS10CertificationRequest req = new PKCS10CertificationRequest("SHA1WithRSA", new X509Name("C=SE,CN=extoverride"), rsakeys.getPublic(), attributes, rsakeys.getPrivate()); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); DEROutputStream dOut = new DEROutputStream(bOut); dOut.writeObject(req); dOut.close(); byte[] p10bytes = bOut.toByteArray(); // FileOutputStream fos = new FileOutputStream("/tmp/foo.der"); // fos.write(p10bytes); // fos.close(); PKCS10RequestMessage p10 = new PKCS10RequestMessage(p10bytes); p10.setUsername("foo"); p10.setPassword("foo123"); // See if the request message works... X509Extensions p10exts = p10.getRequestExtensions(); assertNotNull(p10exts); IResponseMessage resp = signSession.createCertificate(admin, p10, org.ejbca.core.protocol.X509ResponseMessage.class, null); X509Certificate cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage()); assertNotNull("Failed to create certificate", cert); assertEquals("CN=extoverride,C=SE", cert.getSubjectDN().getName()); // check altNames, should be none Collection c = cert.getSubjectAlternativeNames(); assertNull(c); // Change so that we allow override of validity time CertificateProfile prof = certificateProfileSession.getCertificateProfile(admin, cprofile); prof.setAllowExtensionOverride(true); certificateProfileSession.changeCertificateProfile(admin, "TESTEXTENSIONOVERRIDE", prof); userAdminSession.changeUser(admin, user, false); resp = signSession.createCertificate(admin, p10, org.ejbca.core.protocol.X509ResponseMessage.class, null); cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage()); assertNotNull("Failed to create certificate", cert); assertEquals("CN=extoverride,C=SE", cert.getSubjectDN().getName()); // check altNames, should be one altName c = cert.getSubjectAlternativeNames(); assertNotNull(c); assertEquals(21, c.size()); String retAltNames = CertTools.getSubjectAlternativeName(cert); List<String> originalNames = Arrays.asList(altnames.split(",")); List<String> returnNames = Arrays.asList(retAltNames.split(", ")); assertTrue(originalNames.containsAll(returnNames)); }
From source file:org.ejbca.core.ejb.ca.sign.SignSessionWithRsaTest.java
License:Open Source License
@Test public void testExtensionOverride() throws Exception { final String altnames = "dNSName=foo1.bar.com,dNSName=foo2.bar.com,dNSName=foo3.bar.com,dNSName=foo4.bar.com,dNSName=foo5.bar.com,dNSName=foo6.bar.com,dNSName=foo7.bar.com," + "dNSName=foo8.bar.com,dNSName=foo9.bar.com,dNSName=foo10.bar.com,dNSName=foo11.bar.com,dNSName=foo12.bar.com,dNSName=foo13.bar.com,dNSName=foo14.bar.com," + "dNSName=foo15.bar.com,dNSName=foo16.bar.com,dNSName=foo17.bar.com,dNSName=foo18.bar.com,dNSName=foo19.bar.com,dNSName=foo20.bar.com,dNSName=foo21.bar.com"; // Create a good certificate profile (good enough), using QC statement final String profileName = "TESTEXTENSIONOVERRIDE"; certificateProfileSession.removeCertificateProfile(internalAdmin, profileName); final CertificateProfile certprof = new CertificateProfile( CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER); // Default profile does not allow Extension override certprof.setValidity(298);//from w w w . jav a 2 s. co m certificateProfileSession.addCertificateProfile(internalAdmin, profileName, certprof); int cprofile = certificateProfileSession.getCertificateProfileId(profileName); // Create a good end entity profile (good enough), allowing multiple UPN // names endEntityProfileSession.removeEndEntityProfile(internalAdmin, profileName); EndEntityProfile profile = new EndEntityProfile(); profile.addField(DnComponents.COUNTRY); profile.addField(DnComponents.COMMONNAME); profile.setValue(EndEntityProfile.AVAILCAS, 0, Integer.toString(SecConst.ALLCAS)); profile.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, Integer.toString(cprofile)); endEntityProfileSession.addEndEntityProfile(internalAdmin, profileName, profile); try { int eeprofile = endEntityProfileSession.getEndEntityProfileId(profileName); int rsacaid = caSession.getCAInfo(internalAdmin, getTestCAName()).getCAId(); EndEntityInformation user = new EndEntityInformation(RSA_USERNAME, "C=SE,CN=extoverride", rsacaid, null, "foo@anatom.nu", new EndEntityType(EndEntityTypes.ENDUSER), eeprofile, cprofile, SecConst.TOKEN_SOFT_PEM, 0, null); user.setPassword("foo123"); user.setStatus(EndEntityConstants.STATUS_NEW); // Change a user that we know... endEntityManagementSession.changeUser(internalAdmin, user, false); // Create a P10 with extensions, in this case altNames with a lot of DNS // names ASN1EncodableVector extensionattr = new ASN1EncodableVector(); extensionattr.add(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); GeneralNames san = CertTools.getGeneralNamesFromAltName(altnames); ExtensionsGenerator extgen = new ExtensionsGenerator(); extgen.addExtension(Extension.subjectAlternativeName, false, san); Extensions exts = extgen.generate(); extensionattr.add(new DERSet(exts)); // Complete the Attribute section of the request, the set (Attributes) // contains one sequence (Attribute) ASN1EncodableVector v = new ASN1EncodableVector(); v.add(new DERSequence(extensionattr)); DERSet attributes = new DERSet(v); // Create PKCS#10 certificate request PKCS10CertificationRequest req = CertTools.genPKCS10CertificationRequest("SHA256WithRSA", new X500Name("C=SE,CN=extoverride"), rsakeys.getPublic(), attributes, rsakeys.getPrivate(), null); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); DEROutputStream dOut = new DEROutputStream(bOut); dOut.writeObject(req.toASN1Structure()); dOut.close(); byte[] p10bytes = bOut.toByteArray(); PKCS10RequestMessage p10 = new PKCS10RequestMessage(p10bytes); p10.setUsername(RSA_USERNAME); p10.setPassword("foo123"); // See if the request message works... Extensions p10exts = p10.getRequestExtensions(); assertNotNull(p10exts); ResponseMessage resp = signSession.createCertificate(internalAdmin, p10, X509ResponseMessage.class, null); X509Certificate cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage()); assertNotNull("Failed to create certificate", cert); assertEquals("CN=extoverride,C=SE", cert.getSubjectDN().getName()); // check altNames, should be none Collection<List<?>> c = cert.getSubjectAlternativeNames(); assertNull(c); // Change so that we allow override of validity time CertificateProfile prof = certificateProfileSession.getCertificateProfile(cprofile); prof.setAllowExtensionOverride(true); certificateProfileSession.changeCertificateProfile(internalAdmin, profileName, prof); endEntityManagementSession.changeUser(internalAdmin, user, false); resp = signSession.createCertificate(internalAdmin, p10, X509ResponseMessage.class, null); cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage()); assertNotNull("Failed to create certificate", cert); assertEquals("CN=extoverride,C=SE", cert.getSubjectDN().getName()); // check altNames, should be one altName c = cert.getSubjectAlternativeNames(); assertNotNull(c); assertEquals(21, c.size()); String retAltNames = CertTools.getSubjectAlternativeName(cert); List<String> originalNames = Arrays.asList(altnames.split(",")); List<String> returnNames = Arrays.asList(retAltNames.split(", ")); assertTrue(originalNames.containsAll(returnNames)); } finally { certificateProfileSession.removeCertificateProfile(internalAdmin, profileName); endEntityProfileSession.removeEndEntityProfile(internalAdmin, profileName); } }
From source file:org.ejbca.core.model.ca.caadmin.X509CA.java
License:Open Source License
/** * @see CA#createRequest(Collection, String, Certificate, int) *//*from w w w .j a v a 2 s .c om*/ public byte[] createRequest(Collection<DEREncodable> attributes, String signAlg, Certificate cacert, int signatureKeyPurpose) throws CATokenOfflineException { log.trace( ">createRequest: " + signAlg + ", " + CertTools.getSubjectDN(cacert) + ", " + signatureKeyPurpose); ASN1Set attrset = new DERSet(); if (attributes != null) { log.debug("Adding attributes in the request"); Iterator<DEREncodable> iter = attributes.iterator(); ASN1EncodableVector vec = new ASN1EncodableVector(); while (iter.hasNext()) { DEREncodable o = (DEREncodable) iter.next(); vec.add(o); attrset = new DERSet(vec); } } X509NameEntryConverter converter = null; if (getUsePrintableStringSubjectDN()) { converter = new PrintableStringEntryConverter(); } else { converter = new X509DefaultEntryConverter(); } X509Name x509dn = CertTools.stringToBcX509Name(getSubjectDN(), converter, getUseLdapDNOrder()); PKCS10CertificationRequest req; try { CATokenContainer catoken = getCAToken(); KeyPair keyPair = new KeyPair(catoken.getPublicKey(signatureKeyPurpose), catoken.getPrivateKey(signatureKeyPurpose)); if (keyPair == null) { throw new IllegalArgumentException( "Keys for key purpose " + signatureKeyPurpose + " does not exist."); } req = new PKCS10CertificationRequest(signAlg, x509dn, keyPair.getPublic(), attrset, keyPair.getPrivate(), catoken.getProvider()); log.trace("<createRequest"); return req.getEncoded(); } catch (CATokenOfflineException e) { throw e; } catch (Exception e) { throw new RuntimeException(e); } }
From source file:org.ejbca.core.model.ca.caadmin.X509CA.java
License:Open Source License
/** Generate a list of Distribution points. * @param distPoints distribution points as String in semi column (';') separated format. * @return list of distribution points./*from w w w . j a va 2 s .c o m*/ */ private List<DistributionPoint> generateDistributionPoints(String distPoints) { if (distPoints == null) { distPoints = ""; } // Multiple CDPs are separated with the ';' sign Iterator<String> it = StringTools.splitURIs(distPoints).iterator(); ArrayList<DistributionPoint> result = new ArrayList<DistributionPoint>(); while (it.hasNext()) { String uri = (String) it.next(); GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(uri)); if (log.isDebugEnabled()) { log.debug("Added CRL distpoint: " + uri); } ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(gn); GeneralNames gns = new GeneralNames(new DERSequence(vec)); DistributionPointName dpn = new DistributionPointName(0, gns); result.add(new DistributionPoint(dpn, null, null)); } return result; }
From source file:org.ejbca.core.model.ca.certextensions.BasicCertificateExtension.java
License:Open Source License
/** * This certificate extension implementations overrides this method as it * want to be able to return a byte[] with the extension value. Otherwise * the implementation could have been put in the getValue method as the * super class CertificateExtension has a default implementation for * getValueEncoded which calls getValue. * @see CertificateExtension#getValueEncoded(UserDataVO, CA, CertificateProfile, PublicKey, PublicKey) *//*from ww w. j ava2 s. co m*/ @Override public byte[] getValueEncoded(UserDataVO userData, CA ca, CertificateProfile certProfile, PublicKey userPublicKey, PublicKey caPublicKey) throws CertificateExtensionException, CertificateExtentionConfigurationException { final byte[] result; String encoding = StringUtils.trim(getProperties().getProperty(PROPERTY_ENCODING)); String[] values = getValues(userData); if (log.isDebugEnabled()) { log.debug("Got extension values: " + Arrays.toString(values)); } if (values == null || values.length == 0) { throw new CertificateExtentionConfigurationException( intres.getLocalizedMessage("certext.basic.incorrectvalue", Integer.valueOf(getId()), getOID())); } if (encoding.equalsIgnoreCase(ENCODING_RAW)) { if (values.length > 1) { // nvalues can not be used together with encoding=RAW throw new CertificateExtentionConfigurationException( intres.getLocalizedMessage("certext.certextmissconfigured", Integer.valueOf(getId()))); } else { result = parseRaw(values[0]); } } else { if (values.length > 1) { ASN1EncodableVector ev = new ASN1EncodableVector(); for (String value : values) { DEREncodable derval = parseValue(encoding, value); ev.add(derval); } result = new DERSequence(ev).getDEREncoded(); } else { result = parseValue(encoding, values[0]).getDERObject().getDEREncoded(); } } return result; }
From source file:org.ejbca.core.model.ca.certextensions.BasicCertificateExtension.java
License:Open Source License
/** * Tries to read the hex-string as an DERObject. If it contains more than one DEREncodable object, return a DERSequence of the objects. */// w ww . j a v a2 s . co m private DEREncodable parseHexEncodedDERObject(String value) throws CertificateExtentionConfigurationException { DEREncodable retval = null; if (value.matches("^\\p{XDigit}*")) { byte[] bytes = Hex.decode(value); try { ASN1InputStream ais = new ASN1InputStream(bytes); DEREncodable firstObject = ais.readObject(); if (ais.available() > 0) { ASN1EncodableVector ev = new ASN1EncodableVector(); ev.add(firstObject); while (ais.available() > 0) { ev.add(ais.readObject()); } retval = new DERSequence(ev); } else { retval = firstObject; } } catch (Exception e) { throw new CertificateExtentionConfigurationException(intres.getLocalizedMessage( "certext.basic.illegalvalue", value, Integer.valueOf(getId()), getOID())); } } else { throw new CertificateExtentionConfigurationException(intres .getLocalizedMessage("certext.basic.illegalvalue", value, Integer.valueOf(getId()), getOID())); } return retval; }
From source file:org.ejbca.core.model.ca.certextensions.standard.AuthorityInformationAccess.java
License:Open Source License
@Override public DEREncodable getValue(final UserDataVO subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey) throws CertificateExtentionConfigurationException, CertificateExtensionException { final ASN1EncodableVector accessList = new ASN1EncodableVector(); GeneralName accessLocation;/*from www .ja va 2s. c om*/ String url; // caIssuers final List<String> caIssuers = certProfile.getCaIssuers(); if (caIssuers != null) { for (final Iterator<String> it = caIssuers.iterator(); it.hasNext();) { url = it.next(); if (StringUtils.isNotEmpty(url)) { accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_caIssuers, accessLocation)); } } } // ocsp url final X509CA x509ca = (X509CA) ca; url = certProfile.getOCSPServiceLocatorURI(); if (certProfile.getUseDefaultOCSPServiceLocator()) { url = x509ca.getDefaultOCSPServiceLocator(); } if (StringUtils.isNotEmpty(url)) { accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_ocsp, accessLocation)); } org.bouncycastle.asn1.x509.AuthorityInformationAccess ret = null; if (accessList.size() > 0) { ret = new org.bouncycastle.asn1.x509.AuthorityInformationAccess(new DERSequence(accessList)); } if (ret == null) { log.error("AuthorityInformationAccess is used, but nor caIssuers not Ocsp url are defined!"); } return ret; }
From source file:org.ejbca.core.model.ca.certextensions.standard.AuthorityKeyIdentifier.java
License:Open Source License
@Override public DEREncodable getValue(final UserDataVO subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey) throws CertificateExtentionConfigurationException, CertificateExtensionException { org.bouncycastle.asn1.x509.AuthorityKeyIdentifier ret = null; // Default value is that we calculate it from scratch! // (If this is a root CA we must calculate the AuthorityKeyIdentifier from scratch) // (If the CA signing this cert does not have a SubjectKeyIdentifier we must calculate the AuthorityKeyIdentifier from scratch) try {/*w ww .ja v a 2 s .co m*/ final byte[] keybytes = caPublicKey.getEncoded(); final SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo( (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(keybytes)).readObject()); ret = new org.bouncycastle.asn1.x509.AuthorityKeyIdentifier(apki); // If we have a CA-certificate (i.e. this is not a Root CA), we must take the authority key identifier from // the CA-certificates SubjectKeyIdentifier if it exists. If we don't do that we will get the wrong identifier if the // CA does not follow RFC3280 (guess if MS-CA follows RFC3280?) final X509Certificate cacert = (X509Certificate) ca.getCACertificate(); final boolean isRootCA = (certProfile.getType() == CertificateProfile.TYPE_ROOTCA); if ((cacert != null) && (!isRootCA)) { byte[] akibytes; akibytes = CertTools.getSubjectKeyId(cacert); if (akibytes != null) { // TODO: The code below is snipped from AuthorityKeyIdentifier.java in BC 1.36, because there is no method there // to set only a pre-computed key identifier // This should be replaced when such a method is added to BC final ASN1OctetString keyidentifier = new DEROctetString(akibytes); final ASN1EncodableVector v = new ASN1EncodableVector(); v.add(new DERTaggedObject(false, 0, keyidentifier)); final ASN1Sequence seq = new DERSequence(v); ret = new org.bouncycastle.asn1.x509.AuthorityKeyIdentifier(seq); log.debug("Using AuthorityKeyIdentifier from CA-certificates SubjectKeyIdentifier."); } } } catch (IOException e) { throw new CertificateExtensionException("IOException parsing CA public key: " + e.getMessage(), e); } if (ret == null) { log.error("AuthorityKeyIdentifier is used, but no key identifier can be created!"); } return ret; }
From source file:org.ejbca.core.model.ca.certextensions.standard.CertificatePolicies.java
License:Open Source License
@Override public DEREncodable getValue(final UserDataVO subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey) throws CertificateExtentionConfigurationException, CertificateExtensionException { DERSequence ret = null;/*from www . j a v a2 s .c o m*/ // The UserNotice policy qualifier can have two different character encodings, // the correct one (UTF8) or the wrong one (BMP) used by IE < 7. final X509CA x509ca = (X509CA) ca; int displayencoding = DisplayText.CONTENT_TYPE_BMPSTRING; if (x509ca.getUseUTF8PolicyText()) { displayencoding = DisplayText.CONTENT_TYPE_UTF8STRING; } // Iterate through policies and add oids and policy qualifiers if they exist final List policies = certProfile.getCertificatePolicies(); final Map policiesMap = new HashMap(); //<DERObjectIdentifier, ASN1EncodableVector> // Each Policy OID can be entered several times, with different qualifiers, // because of this we make a map of oid and qualifiers, and we can add a new qualifier // in each round of this for loop for (final Iterator it = policies.iterator(); it.hasNext();) { final CertificatePolicy policy = (CertificatePolicy) it.next(); final DERObjectIdentifier oid = new DERObjectIdentifier(policy.getPolicyID()); final ASN1EncodableVector qualifiers; if (policiesMap.containsKey(oid)) { qualifiers = (ASN1EncodableVector) policiesMap.get(oid); } else { qualifiers = new ASN1EncodableVector(); } final PolicyQualifierInfo pqi = getPolicyQualifierInformation(policy, displayencoding); if (pqi != null) { qualifiers.add(pqi); } policiesMap.put(oid, qualifiers); } final ASN1EncodableVector seq = new ASN1EncodableVector(); for (final Iterator it = policiesMap.keySet().iterator(); it.hasNext();) { final DERObjectIdentifier oid = (DERObjectIdentifier) it.next(); final ASN1EncodableVector qualifiers = (ASN1EncodableVector) policiesMap.get(oid); if (qualifiers.size() == 0) { seq.add(new PolicyInformation(oid, null)); } else { seq.add(new PolicyInformation(oid, new DERSequence(qualifiers))); } } if (seq.size() > 0) { ret = new DERSequence(seq); } if (ret == null) { log.error("Certificate policies missconfigured, no policies present!"); } return ret; }
From source file:org.ejbca.core.model.ca.certextensions.standard.CrlDistributionPoints.java
License:Open Source License
@Override public DEREncodable getValue(final UserDataVO subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey) throws CertificateExtentionConfigurationException, CertificateExtensionException { String crldistpoint = certProfile.getCRLDistributionPointURI(); String crlissuer = certProfile.getCRLIssuer(); final X509CA x509ca = (X509CA) ca; if (certProfile.getUseDefaultCRLDistributionPoint()) { crldistpoint = x509ca.getDefaultCRLDistPoint(); crlissuer = x509ca.getDefaultCRLIssuer(); }//w ww .java 2s . c o m // Multiple CDPs are separated with the ';' sign final ArrayList<DistributionPointName> dpns = new ArrayList<DistributionPointName>(); if (StringUtils.isNotEmpty(crldistpoint)) { final Iterator<String> it = StringTools.splitURIs(crldistpoint).iterator(); while (it.hasNext()) { // 6 is URI final String uri = (String) it.next(); final GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(uri)); if (log.isDebugEnabled()) { log.debug("Added CRL distpoint: " + uri); } final ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(gn); final GeneralNames gns = new GeneralNames(new DERSequence(vec)); final DistributionPointName dpn = new DistributionPointName(0, gns); dpns.add(dpn); } } // CRL issuer works much like Dist point URI. If separated by ; it is put in the same global distPoint as the URI, // if there is more of one of them, the one with more is put in an own global distPoint. final ArrayList<GeneralNames> issuers = new ArrayList<GeneralNames>(); if (StringUtils.isNotEmpty(crlissuer)) { final StringTokenizer tokenizer = new StringTokenizer(crlissuer, ";", false); while (tokenizer.hasMoreTokens()) { final String issuer = tokenizer.nextToken(); final GeneralName gn = new GeneralName(new X509Name(issuer)); if (log.isDebugEnabled()) { log.debug("Added CRL issuer: " + issuer); } final ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(gn); final GeneralNames gns = new GeneralNames(new DERSequence(vec)); issuers.add(gns); } } final ArrayList<DistributionPoint> distpoints = new ArrayList<DistributionPoint>(); if ((!issuers.isEmpty()) || (!dpns.isEmpty())) { int i = dpns.size(); if (issuers.size() > i) { i = issuers.size(); } for (int j = 0; j < i; j++) { DistributionPointName dpn = null; GeneralNames issuer = null; if (dpns.size() > j) { dpn = (DistributionPointName) dpns.get(j); } if (issuers.size() > j) { issuer = (GeneralNames) issuers.get(j); } if ((dpn != null) || (issuer != null)) { distpoints.add(new DistributionPoint(dpn, null, issuer)); } } } CRLDistPoint ret = null; if (!distpoints.isEmpty()) { ret = new CRLDistPoint( (DistributionPoint[]) distpoints.toArray(new DistributionPoint[distpoints.size()])); } if (ret == null) { log.error("DrlDistributionPoints missconfigured, no distribution points available."); } return ret; }