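/**
 * Returns the issuer of the given certificate as an {@link X509Principal}.
 *
 * <p>The issuer name is taken from the DER-encoded TBSCertificate of the
 * certificate rather than from the JCA principal view.
 *
 * @param cert the certificate whose issuer is wanted.
 * @return the issuer name as an {@code X509Principal}.
 * @throws CertificateEncodingException if the TBSCertificate cannot be obtained
 *         or its ASN.1 encoding cannot be parsed; the underlying parse failure
 *         is kept as the cause.
 */
public static X509Principal getIssuerX509Principal(X509Certificate cert)
    throws CertificateEncodingException {
    try {
        TBSCertificateStructure tbsCert = TBSCertificateStructure.getInstance(
            ASN1Primitive.fromByteArray(cert.getTBSCertificate()));
        return new X509Principal(X509Name.getInstance(tbsCert.getIssuer()));
    } catch (IOException e) {
        // Keep the original failure chained instead of flattening it to a string;
        // the message text is unchanged for callers that log it.
        throw new CertificateEncodingException(e.toString(), e);
    }
}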
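/**
 * Returns the subject of the given certificate as an {@link X509Principal}.
 *
 * <p>The subject name is taken from the DER-encoded TBSCertificate of the
 * certificate rather than from the JCA principal view.
 *
 * @param cert the certificate whose subject is wanted.
 * @return the subject name as an {@code X509Principal}.
 * @throws CertificateEncodingException if the TBSCertificate cannot be obtained
 *         or its ASN.1 encoding cannot be parsed; the underlying parse failure
 *         is kept as the cause.
 */
public static X509Principal getSubjectX509Principal(X509Certificate cert)
    throws CertificateEncodingException {
    try {
        TBSCertificateStructure tbsCert = TBSCertificateStructure.getInstance(
            ASN1Primitive.fromByteArray(cert.getTBSCertificate()));
        return new X509Principal(X509Name.getInstance(tbsCert.getSubject()));
    } catch (IOException e) {
        // Keep the original failure chained instead of flattening it to a string;
        // the message text is unchanged for callers that log it.
        throw new CertificateEncodingException(e.toString(), e);
    }
}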
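/**
 * Builds the {@code KeyTransRecipientInfo} for one recipient: {@code abyte0} is
 * encrypted under the recipient certificate's public key and paired with the
 * recipient's issuer-and-serial-number identifier.
 *
 * @param x509certificate the recipient's certificate; supplies both the public
 *        key and the key-encryption algorithm identifier.
 * @param abyte0 the bytes to encrypt for this recipient (the content-encryption
 *        key, presumably — confirm against the caller).
 * @return the recipient info carrying the encrypted bytes.
 * @throws GeneralSecurityException if the cipher cannot be obtained, initialised
 *         or run for the certificate's algorithm.
 * @throws IOException if the certificate's TBSCertificate cannot be parsed.
 */
private KeyTransRecipientInfo computeRecipientInfo(X509Certificate x509certificate, byte[] abyte0)
    throws GeneralSecurityException, IOException {
    // The stream wraps an in-memory buffer, so leaving it unclosed leaks nothing.
    ASN1InputStream asn1inputstream = new ASN1InputStream(
        new ByteArrayInputStream(x509certificate.getTBSCertificate()));
    TBSCertificateStructure tbscertificatestructure =
        TBSCertificateStructure.getInstance(asn1inputstream.readObject());
    // The key-encryption algorithm is whatever the certificate's
    // SubjectPublicKeyInfo declares.
    AlgorithmIdentifier algorithmidentifier =
        tbscertificatestructure.getSubjectPublicKeyInfo().getAlgorithm();
    IssuerAndSerialNumber issuerandserialnumber = new IssuerAndSerialNumber(
        tbscertificatestructure.getIssuer(),
        tbscertificatestructure.getSerialNumber().getValue());
    // The bare algorithm OID is used as the JCE transformation name, so the mode
    // and padding are whatever the installed provider defaults to for that OID.
    Cipher cipher = Cipher.getInstance(algorithmidentifier.getAlgorithm().getId());
    // Named constant instead of the literal 1 (Cipher.ENCRYPT_MODE == 1).
    cipher.init(Cipher.ENCRYPT_MODE, x509certificate);
    DEROctetString deroctetstring = new DEROctetString(cipher.doFinal(abyte0));
    RecipientIdentifier recipId = new RecipientIdentifier(issuerandserialnumber);
    return new KeyTransRecipientInfo(recipId, algorithmidentifier, deroctetstring);
}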
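/**
 * Returns the issuer of the given certificate as an {@link X509Principal}.
 *
 * <p>The TBSCertificate is re-parsed from its DER bytes and the issuer field is
 * read from it directly.
 *
 * @param cert the certificate whose issuer is wanted.
 * @return the issuer name as an {@code X509Principal}.
 * @throws CertificateEncodingException if the TBSCertificate cannot be obtained
 *         or read as ASN.1; the underlying failure is kept as the cause.
 */
public static X509Principal getIssuerX509Principal(X509Certificate cert)
    throws CertificateEncodingException {
    try {
        ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getTBSCertificate());
        ASN1InputStream aIn = new ASN1InputStream(bIn);
        // A TBSCertificate is always a SEQUENCE; a non-SEQUENCE top-level object
        // would surface here as a ClassCastException rather than an IOException.
        TBSCertificateStructure tbsCert =
            new TBSCertificateStructure((ASN1Sequence) aIn.readObject());
        return new X509Principal(tbsCert.getIssuer());
    } catch (IOException e) {
        // Chain the cause instead of dropping it; the message text is unchanged.
        throw new CertificateEncodingException(e.toString(), e);
    }
}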
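/**
 * Returns the subject of the given certificate as an {@link X509Principal}.
 *
 * <p>The TBSCertificate is re-parsed from its DER bytes and the subject field is
 * read from it directly.
 *
 * @param cert the certificate whose subject is wanted.
 * @return the subject name as an {@code X509Principal}.
 * @throws CertificateEncodingException if the TBSCertificate cannot be obtained
 *         or read as ASN.1; the underlying failure is kept as the cause.
 */
public static X509Principal getSubjectX509Principal(X509Certificate cert)
    throws CertificateEncodingException {
    try {
        ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getTBSCertificate());
        ASN1InputStream aIn = new ASN1InputStream(bIn);
        // A TBSCertificate is always a SEQUENCE; a non-SEQUENCE top-level object
        // would surface here as a ClassCastException rather than an IOException.
        TBSCertificateStructure tbsCert =
            new TBSCertificateStructure((ASN1Sequence) aIn.readObject());
        return new X509Principal(tbsCert.getSubject());
    } catch (IOException e) {
        // Chain the cause instead of dropping it; the message text is unchanged.
        throw new CertificateEncodingException(e.toString(), e);
    }
}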
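/**
 * Checks that an issuer certificate which carries a KeyUsage extension asserts
 * the keyCertSign bit. An issuer without a KeyUsage extension passes unchanged.
 *
 * @param issuer the issuer's TBSCertificate.
 * @param certPath the path under validation; {@code certPath[index]} is reported
 *        as the failing certificate.
 * @param index position in {@code certPath} of the certificate being checked.
 * @throws ProxyPathValidatorException if KeyUsage is present but keyCertSign is
 *         not asserted.
 * @throws IOException if the KeyUsage extension cannot be decoded.
 */
protected void checkKeyUsage(TBSCertificateStructure issuer, X509Certificate[] certPath, int index)
    throws ProxyPathValidatorException, IOException {
    logger.debug("enter: checkKeyUsage");
    // Bit positions follow the KeyUsage BIT STRING (same order as
    // X509Certificate.getKeyUsage()): keyCertSign is bit 5.
    final int keyCertSignBit = 5;
    boolean[] issuerKeyUsage = getKeyUsage(issuer);
    if (issuerKeyUsage != null) {
        // A BIT STRING shorter than six bits leaves keyCertSign unset; treat that
        // like an explicit false rather than indexing past the end of the array.
        boolean keyCertSign = issuerKeyUsage.length > keyCertSignBit
            && issuerKeyUsage[keyCertSignBit];
        if (!keyCertSign) {
            throw new ProxyPathValidatorException(
                ProxyPathValidatorException.FAILURE,
                certPath[index],
                "KeyUsage extension present but keyCertSign bit not asserted");
        }
    }
    logger.debug("exit: checkKeyUsage");
}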
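/**
 * Returns the CA path-length constraint of the given certificate.
 *
 * @param crt the TBSCertificate to inspect.
 * @return {@code -1} if the certificate has no extensions, no BasicConstraints
 *         extension, or is not a CA; {@code Integer.MAX_VALUE} if it is a CA
 *         without a pathLenConstraint or with one beyond the {@code int} range;
 *         otherwise the declared pathLenConstraint.
 * @throws IOException if the BasicConstraints extension cannot be decoded.
 */
protected int getCAPathConstraint(TBSCertificateStructure crt) throws IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions == null) {
        return -1;
    }
    X509Extension ext = extensions.getExtension(X509Extensions.BasicConstraints);
    if (ext == null) {
        return -1;
    }
    BasicConstraints basicExt = BouncyCastleUtil.getBasicConstraints(ext);
    if (!basicExt.isCA()) {
        return -1;
    }
    BigInteger pathLen = basicExt.getPathLenConstraint();
    if (pathLen == null) {
        // cA without pathLenConstraint means no limit.
        return Integer.MAX_VALUE;
    }
    // intValue() silently wraps for values above Integer.MAX_VALUE, which could turn
    // an oversized constraint into a small or negative limit; clamp instead.
    if (pathLen.compareTo(BigInteger.valueOf(Integer.MAX_VALUE)) > 0) {
        return Integer.MAX_VALUE;
    }
    return pathLen.intValue();
}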
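/**
 * Rejects any critical extension this validator does not understand.
 *
 * <p>Accepted critical extensions are BasicConstraints, KeyUsage, and the
 * ProxyCertInfo extension under the OID matching the certificate type
 * ({@code ProxyCertInfo.OID} for GSI-4 proxies, {@code ProxyCertInfo.OLD_OID}
 * for GSI-3 proxies). Non-critical extensions are ignored here.
 *
 * @param crt the TBSCertificate whose extensions are examined.
 * @param certType the certificate type used to decide which ProxyCertInfo OID is
 *        acceptable.
 * @param checkedProxy the certificate reported in the exception.
 * @throws ProxyPathValidatorException with {@code UNSUPPORTED_EXTENSION} on the
 *         first unrecognised critical extension.
 */
protected void checkUnsupportedCriticalExtensions(TBSCertificateStructure crt, int certType, X509Certificate checkedProxy)
    throws ProxyPathValidatorException {
    logger.debug("enter: checkUnsupportedCriticalExtensions");
    X509Extensions extensions = crt.getExtensions();
    if (extensions != null) {
        Enumeration e = extensions.oids();
        while (e.hasMoreElements()) {
            DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement();
            X509Extension ext = extensions.getExtension(oid);
            if (!ext.isCritical()) {
                continue;
            }
            boolean supported = oid.equals(X509Extensions.BasicConstraints)
                || oid.equals(X509Extensions.KeyUsage)
                || (oid.equals(ProxyCertInfo.OID) && CertUtil.isGsi4Proxy(certType))
                || (oid.equals(ProxyCertInfo.OLD_OID) && CertUtil.isGsi3Proxy(certType));
            if (!supported) {
                // Message corrected: the failing item is an extension, not an exception.
                throw new ProxyPathValidatorException(
                    ProxyPathValidatorException.UNSUPPORTED_EXTENSION,
                    checkedProxy,
                    "Unsupported critical extension : " + oid.getId());
            }
        }
    }
    logger.debug("exit: checkUnsupportedCriticalExtensions");
}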
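/**
 * Parses the TBSCertificate of the given certificate.
 *
 * @param cert the certificate to read the TBSCertificate from.
 * @return the parsed TBSCertificate structure.
 * @throws IllegalArgumentException if the TBSCertificate bytes cannot be obtained
 *         or parsed; the underlying failure is attached as the cause.
 */
static TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert) {
    try {
        return TBSCertificateStructure.getInstance(
            ASN1Primitive.fromByteArray(cert.getTBSCertificate()));
    } catch (Exception e) {
        // Chain the encoding/parse failure so it is not lost behind the generic message.
        throw new IllegalArgumentException("can't extract TBS structure from this cert", e);
    }
}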
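/**
 * Rejects any critical extension this validator does not understand.
 *
 * <p>Accepted critical extensions are BasicConstraints, KeyUsage, and the
 * ProxyCertInfo extension under the OID matching the certificate type
 * ({@code ProxyCertInfo.OID} for GSI-4 proxies, {@code ProxyCertInfo.OLD_OID}
 * for GSI-3 proxies). Non-critical extensions are ignored here.
 *
 * @param crt the TBSCertificate whose extensions are examined.
 * @param certType the certificate type used to decide which ProxyCertInfo OID is
 *        acceptable.
 * @param checkedProxy the certificate reported in the exception.
 * @throws ProxyPathValidatorException with {@code UNSUPPORTED_EXTENSION} on the
 *         first unrecognised critical extension.
 */
protected void checkUnsupportedCriticalExtensions(TBSCertificateStructure crt, int certType, X509Certificate checkedProxy)
    throws ProxyPathValidatorException {
    logger.debug("enter: checkUnsupportedCriticalExtensions");
    X509Extensions extensions = crt.getExtensions();
    if (extensions != null) {
        Enumeration e = extensions.oids();
        while (e.hasMoreElements()) {
            DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement();
            X509Extension ext = extensions.getExtension(oid);
            if (!ext.isCritical()) {
                continue;
            }
            boolean supported = oid.equals(X509Extensions.BasicConstraints)
                || oid.equals(X509Extensions.KeyUsage)
                || (oid.equals(ProxyCertInfo.OID) && CertUtil.isGsi4Proxy(certType))
                || (oid.equals(ProxyCertInfo.OLD_OID) && CertUtil.isGsi3Proxy(certType));
            if (!supported) {
                // Message corrected: the failing item is an extension, not an exception.
                throw new ProxyPathValidatorException(
                    ProxyPathValidatorException.UNSUPPORTED_EXTENSION,
                    checkedProxy,
                    "Unsupported critical extension : " + oid.getId());
            }
        }
    }
    logger.debug("exit: checkUnsupportedCriticalExtensions");
}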
/**
 * Reads the ProxyCertInfo extension of the given certificate, if present.
 *
 * @param crt the TBSCertificate to inspect.
 * @return the decoded ProxyCertInfo, or {@code null} if the certificate has no
 *         extensions or carries neither {@code ProxyCertInfo.OID} nor
 *         {@code ProxyCertInfo.OLD_OID}.
 * @throws IOException if the extension is present but cannot be decoded.
 */
protected ProxyCertInfo getProxyCertInfo(TBSCertificateStructure crt) throws IOException {
    X509Extensions exts = crt.getExtensions();
    if (exts == null) {
        return null;
    }
    // Look for the current OID first, then fall back to the older one.
    X509Extension proxyExt = exts.getExtension(ProxyCertInfo.OID);
    if (proxyExt == null) {
        proxyExt = exts.getExtension(ProxyCertInfo.OLD_OID);
    }
    if (proxyExt == null) {
        return null;
    }
    return BouncyCastleUtil.getProxyCertInfo(proxyExt);
}
/**
 * Reads the KeyUsage extension of the given certificate as a bit array.
 *
 * @param crt the TBSCertificate to inspect.
 * @return the decoded KeyUsage bits, or {@code null} if the certificate has no
 *         extensions or no KeyUsage extension.
 * @throws IOException if the extension is present but cannot be decoded.
 */
protected boolean[] getKeyUsage(TBSCertificateStructure crt) throws IOException {
    X509Extensions exts = crt.getExtensions();
    if (exts == null) {
        return null;
    }
    X509Extension keyUsageExt = exts.getExtension(X509Extensions.KeyUsage);
    if (keyUsageExt == null) {
        return null;
    }
    return BouncyCastleUtil.getKeyUsage(keyUsageExt);
}
/**
 * Validates a restricted proxy by handing its ProxyCertInfo to the handler
 * registered for the proxy's policy language.
 *
 * @param proxy the proxy's TBSCertificate.
 * @param certPath the path under validation; {@code certPath[index]} is reported
 *        as the failing certificate.
 * @param index position in {@code certPath} of the proxy being checked.
 * @throws ProxyPathValidatorException with {@code FAILURE} if the ProxyCertInfo
 *         extension or its ProxyPolicy is missing, with {@code UNKNOWN_POLICY} if
 *         no handler exists for the policy language, or whatever the handler
 *         itself raises.
 * @throws IOException if the ProxyCertInfo extension cannot be decoded.
 */
protected void checkRestrictedProxy(TBSCertificateStructure proxy, X509Certificate[] certPath, int index)
    throws ProxyPathValidatorException, IOException {
    logger.debug("enter: checkRestrictedProxy");
    final X509Certificate failing = certPath[index];
    final ProxyCertInfo proxyCertInfo = getProxyCertInfo(proxy);
    // The caller is expected to have established this is a restricted proxy, so
    // a missing extension is an internal inconsistency.
    if (proxyCertInfo == null) {
        throw new ProxyPathValidatorException(
            ProxyPathValidatorException.FAILURE,
            failing,
            "Could not retreive ProxyCertInfo extension");
    }
    final ProxyPolicy proxyPolicy = proxyCertInfo.getProxyPolicy();
    if (proxyPolicy == null) {
        throw new ProxyPathValidatorException(
            ProxyPathValidatorException.FAILURE,
            failing,
            "Could not retreive ProxyPolicy from ProxyCertInfo extension");
    }
    final String language = proxyPolicy.getPolicyLanguage().getId();
    final ProxyPolicyHandler policyHandler = getProxyPolicyHandler(language);
    // No handler for the language means the policy cannot be enforced, so fail closed.
    if (policyHandler == null) {
        throw new ProxyPathValidatorException(
            ProxyPathValidatorException.UNKNOWN_POLICY,
            failing,
            "Unknown policy: " + language);
    }
    policyHandler.validate(proxyCertInfo, certPath, index);
    logger.debug("exit: checkRestrictedProxy");
}
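/**
 * Checks that an issuer certificate which carries a KeyUsage extension asserts
 * the keyCertSign bit. An issuer without a KeyUsage extension passes unchanged.
 *
 * @param issuer the issuer's TBSCertificate.
 * @param certPath the path under validation; {@code certPath[index]} is reported
 *        as the failing certificate.
 * @param index position in {@code certPath} of the certificate being checked.
 * @throws ProxyPathValidatorException if KeyUsage is present but keyCertSign is
 *         not asserted.
 * @throws IOException if the KeyUsage extension cannot be decoded.
 */
protected void checkKeyUsage(TBSCertificateStructure issuer, X509Certificate[] certPath, int index)
    throws ProxyPathValidatorException, IOException {
    logger.debug("enter: checkKeyUsage");
    // Bit positions follow the KeyUsage BIT STRING (same order as
    // X509Certificate.getKeyUsage()): keyCertSign is bit 5.
    final int keyCertSignBit = 5;
    boolean[] issuerKeyUsage = getKeyUsage(issuer);
    if (issuerKeyUsage != null) {
        // A BIT STRING shorter than six bits leaves keyCertSign unset; treat that
        // like an explicit false rather than indexing past the end of the array.
        boolean keyCertSign = issuerKeyUsage.length > keyCertSignBit
            && issuerKeyUsage[keyCertSignBit];
        if (!keyCertSign) {
            throw new ProxyPathValidatorException(
                ProxyPathValidatorException.FAILURE,
                certPath[index],
                "KeyUsage extension present but keyCertSign bit not asserted");
        }
    }
    logger.debug("exit: checkKeyUsage");
}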
/**
 * Parses the TBSCertificate of the given certificate from its DER bytes.
 *
 * @param cert the certificate to read the TBSCertificate from.
 * @return the parsed TBSCertificate structure.
 * @throws CertificateEncodingException if the certificate cannot supply its
 *         TBSCertificate bytes.
 */
static TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert)
    throws CertificateEncodingException {
    byte[] tbsEncoding = cert.getTBSCertificate();
    // getInstance accepts the raw encoding directly.
    return TBSCertificateStructure.getInstance(tbsEncoding);
}
/**
 * Builds the CMS issuer-and-serial-number identifier for the given certificate.
 *
 * @param cert the certificate to identify.
 * @return an {@code IssuerAndSerialNumber} holding the certificate's issuer name
 *         and serial number.
 * @throws IllegalArgumentException if the TBSCertificate cannot be extracted
 *         (propagated from {@code getTBSCertificateStructure}).
 */
static IssuerAndSerialNumber getIssuerAndSerialNumber(X509Certificate cert) {
    final TBSCertificateStructure tbs = getTBSCertificateStructure(cert);
    return new IssuerAndSerialNumber(
        tbs.getIssuer(),
        tbs.getSerialNumber().getValue());
}
/**
 * Returns the certificate type of the given certificate.
 *
 * <p>The type is first derived by
 * {@link #getCertificateType(TBSCertificateStructure) getCertificateType}. When
 * that yields {@link GSIConstants#EEC GSIConstants.EEC}, the certificate's
 * subject is looked up in the trusted certificate list; a hit promotes the type
 * to {@link GSIConstants#CA GSIConstants.CA}. This covers valid CA certificates
 * that lack a BasicConstraints extension. Any other type is returned unchanged.
 *
 * <p>NOTE(review): the promotion is keyed on the subject DN string alone. It
 * classifies the certificate; it does not establish that this particular
 * certificate is the trusted one (no key or signature comparison happens here).
 *
 * @param crt the certificate to classify.
 * @param trustedCerts the trusted certificates used to re-check an
 *        {@link GSIConstants#EEC GSIConstants.EEC} result. If null, the default
 *        set of trusted certificates is loaded from the standard location.
 * @return the certificate type determined by the rules above.
 * @exception IOException if something goes wrong.
 * @exception CertificateException for proxy certificates, if the issuer DN does
 *            not match the subject DN without its last <I>CN</I> component; also
 *            for GSI-3 proxies whose <code>ProxyCertInfo</code> extension is not
 *            marked critical.
 */
public static int getCertificateType(TBSCertificateStructure crt, TrustedCertificates trustedCerts)
    throws CertificateException, IOException {
    final int type = getCertificateType(crt);
    if (type != GSIConstants.EEC) {
        return type;
    }
    // An EEC result may really be a CA without BasicConstraints: consult the trust list.
    TrustedCertificates trusted = trustedCerts;
    if (trusted == null) {
        trusted = TrustedCertificates.getDefaultTrustedCertificates();
    }
    if (trusted == null) {
        return type;
    }
    final String subject = crt.getSubject().toString();
    return (trusted.getCertificate(subject) != null) ? GSIConstants.CA : type;
}
/**
 * Validates a restricted proxy by handing its ProxyCertInfo to the handler
 * registered for the proxy's policy language.
 *
 * @param proxy the proxy's TBSCertificate.
 * @param certPath the path under validation; {@code certPath[index]} is reported
 *        as the failing certificate.
 * @param index position in {@code certPath} of the proxy being checked.
 * @throws ProxyPathValidatorException with {@code FAILURE} if the ProxyCertInfo
 *         extension or its ProxyPolicy is missing, with {@code UNKNOWN_POLICY} if
 *         no handler exists for the policy language, or whatever the handler
 *         itself raises.
 * @throws IOException if the ProxyCertInfo extension cannot be decoded.
 */
protected void checkRestrictedProxy(TBSCertificateStructure proxy, X509Certificate[] certPath, int index)
    throws ProxyPathValidatorException, IOException {
    logger.debug("enter: checkRestrictedProxy");
    final X509Certificate failing = certPath[index];
    final ProxyCertInfo proxyCertInfo = getProxyCertInfo(proxy);
    // The caller is expected to have established this is a restricted proxy, so
    // a missing extension is an internal inconsistency.
    if (proxyCertInfo == null) {
        throw new ProxyPathValidatorException(
            ProxyPathValidatorException.FAILURE,
            failing,
            "Could not retreive ProxyCertInfo extension");
    }
    final ProxyPolicy proxyPolicy = proxyCertInfo.getProxyPolicy();
    if (proxyPolicy == null) {
        throw new ProxyPathValidatorException(
            ProxyPathValidatorException.FAILURE,
            failing,
            "Could not retreive ProxyPolicy from ProxyCertInfo extension");
    }
    final String language = proxyPolicy.getPolicyLanguage().getId();
    final ProxyPolicyHandler policyHandler = getProxyPolicyHandler(language);
    // No handler for the language means the policy cannot be enforced, so fail closed.
    if (policyHandler == null) {
        throw new ProxyPathValidatorException(
            ProxyPathValidatorException.UNKNOWN_POLICY,
            failing,
            "Unknown policy: " + language);
    }
    policyHandler.validate(proxyCertInfo, certPath, index);
    logger.debug("exit: checkRestrictedProxy");
}
/**
 * Returns the proxy path-length constraint carried in the certificate's
 * ProxyCertInfo extension.
 *
 * @param crt the TBSCertificate to inspect.
 * @return the ProxyCertInfo pathLenConstraint, or {@code -1} if the certificate
 *         has no ProxyCertInfo extension.
 * @throws IOException if the ProxyCertInfo extension cannot be decoded.
 */
protected int getProxyPathConstraint(TBSCertificateStructure crt) throws IOException {
    ProxyCertInfo info = getProxyCertInfo(crt);
    if (info == null) {
        return -1;
    }
    return info.getPathLenConstraint();
}
/**
 * Extracts the TBSCertificate structure from the given certificate.
 *
 * <p>The DER bytes of the TBSCertificate are first decoded to a
 * {@code DERObject} via {@code BouncyCastleUtil.toDERObject} and then wrapped.
 *
 * @param cert the X.509 certificate to extract the TBSCertificate from.
 * @return the TBSCertificate structure.
 * @exception IOException if the DER decoding fails.
 * @exception CertificateEncodingException if the certificate cannot supply its
 *            TBSCertificate bytes.
 */
public static TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert)
    throws CertificateEncodingException, IOException {
    byte[] tbsBytes = cert.getTBSCertificate();
    DERObject decoded = BouncyCastleUtil.toDERObject(tbsBytes);
    return TBSCertificateStructure.getInstance(decoded);
}