/**
 * Derives the subjectKeyIdentifier and serialNumber criteria from an
 * authority key identifier extension.
 *
 * Both criteria are cleared first. The subjectKeyIdentifier criterion
 * then becomes the DER OCTET STRING encoding of the extension's
 * keyIdentifier field when that field is present, and the serialNumber
 * criterion becomes the authorityCertSerialNumber field when present;
 * otherwise each remains null.
 *
 * The authorityCertIssuer field is deliberately ignored: the subject
 * criterion is not touched here, and the caller MUST set it before
 * match() is invoked.
 *
 * @param ext the authorityKeyIdentifier extension, or null to clear
 *            both criteria
 * @throws IOException if the extension fields cannot be read or encoded
 */
void setSkiAndSerialNumber(AuthorityKeyIdentifierExtension ext)
        throws IOException {
    // Reset up front so a null or partial extension never leaves stale
    // values from a previous call behind.
    ski = null;
    serial = null;
    if (ext == null) {
        return;
    }

    KeyIdentifier keyId = (KeyIdentifier) ext.get(
            AuthorityKeyIdentifierExtension.KEY_ID);
    if (keyId != null) {
        // The criterion holds the identifier wrapped in a DER OCTET STRING,
        // not the raw identifier bytes.
        DerOutputStream out = new DerOutputStream();
        out.putOctetString(keyId.getIdentifier());
        ski = out.toByteArray();
    }

    SerialNumber certSerial = (SerialNumber) ext.get(
            AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
    if (certSerial != null) {
        serial = certSerial.getNumber();
    }
    // The subject criterion is intentionally left for the caller.
}
/**
 * Constructs a {@code ResponderId} object from its DER-encoding.
 *
 * The outer value must be a constructed, context-specific value tagged
 * with either {@code Type.BY_NAME} or {@code Type.BY_KEY}. The tagged
 * content is re-parsed through {@code X500Principal} or
 * {@code KeyIdentifier} respectively, so malformed content is rejected
 * rather than stored.
 *
 * @param encodedData the DER-encoded bytes
 *
 * @throws IOException if the encodedData is not properly DER encoded
 */
public ResponderId(byte[] encodedData) throws IOException {
    DerValue outer = new DerValue(encodedData);
    boolean constructed = outer.isConstructed();
    boolean taggedByName = constructed
            && outer.isContextSpecific((byte) Type.BY_NAME.value());
    boolean taggedByKey = constructed
            && outer.isContextSpecific((byte) Type.BY_KEY.value());

    if (taggedByName) {
        // Parsing through X500Principal doubles as a sanity check on the
        // embedded Name.
        responderName = new X500Principal(outer.getDataBytes());
        encodedRid = principalToBytes();
        type = Type.BY_NAME;
    } else if (taggedByKey) {
        // Likewise, the KeyIdentifier constructor sanity-checks the
        // embedded key identifier.
        responderKeyId =
                new KeyIdentifier(new DerValue(outer.getDataBytes()));
        encodedRid = keyIdToBytes();
        type = Type.BY_KEY;
    } else {
        throw new IOException("Invalid ResponderId content");
    }
}
/**
 * Checks X509CertSelector matching on the authorityKeyIdentifier
 * criterion: a fabricated key identifier must not match {@code cert},
 * while the certificate's own AKI extension value must.
 *
 * @throws IOException if the certificate's AKI extension cannot be decoded
 */
private void testAuthorityKeyIdentifier() throws IOException {
    System.out.println("X.509 Certificate Match on authorityKeyIdentifier");

    X509CertSelector selector = new X509CertSelector();

    // Negative case: an AKI built from arbitrary bytes.
    byte[] bogusKeyId = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
    AuthorityKeyIdentifierExtension bogusExt =
            new AuthorityKeyIdentifierExtension(
                    new KeyIdentifier(bogusKeyId), null, null);
    selector.setAuthorityKeyIdentifier(bogusExt.getExtensionValue());
    checkMatch(selector, cert, false);

    // Positive case: the certificate's own AKI (OID 2.5.29.35), with the
    // outer extension OCTET STRING removed before it is handed to the
    // selector.
    byte[] akiValue = new DerInputStream(
            cert.getExtensionValue("2.5.29.35")).getOctetString();
    selector.setAuthorityKeyIdentifier(akiValue);
    checkMatch(selector, cert, true);
}
/**
 * Exercises {@code getKeyIdentifier()} on both ResponderId variants.
 *
 * A freshly generated RSA key must not produce the key identifier held by
 * {@code respByKeyId}, and {@code respByName} must report no key
 * identifier at all. There is a minute chance that the hashed key ID of
 * a new RSA key collides with the one derived from the certificate
 * behind respByKeyId; this is so unlikely it is treated as impossible.
 *
 * @return a pass/fail flag paired with a failure message (null on pass)
 */
@Override
public Map.Entry<Boolean, String> runTest() {
    try {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair freshKey = generator.generateKeyPair();
        KeyIdentifier freshKeyId = new KeyIdentifier(freshKey.getPublic());

        if (respByKeyId.getKeyIdentifier().equals(freshKeyId)) {
            return new AbstractMap.SimpleEntry<>(Boolean.FALSE,
                    "Unexpected match in ResponderId Key ID");
        }
        if (respByName.getKeyIdentifier() != null) {
            return new AbstractMap.SimpleEntry<>(Boolean.FALSE,
                    "Non-null key ID returned from "
                            + "ResponderId constructed byName");
        }
        return new AbstractMap.SimpleEntry<>(Boolean.TRUE, null);
    } catch (Exception e) {
        // The harness gets the exception type as the message; the full
        // trace goes to stdout for diagnosis.
        e.printStackTrace(System.out);
        return new AbstractMap.SimpleEntry<>(Boolean.FALSE,
                e.getClass().getName());
    }
}
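/**
 * Parse the authority key identifier extension.
 *
 * If the keyIdentifier field of the extension is non-null, set the
 * subjectKeyIdentifier criterion. If the authorityCertSerialNumber
 * field is non-null, set the serialNumber criterion. A criterion that
 * was supplied explicitly by the caller (i.e. not previously derived from
 * an extension) is never overridden.
 *
 * Note that we will not set the subject criterion according to the
 * authorityCertIssuer field of the extension. The caller MUST set
 * the subject criterion before calling match().
 *
 * @param akidext the authorityKeyIdentifier extension, or null to do nothing
 * @throws IOException if a field of the extension cannot be read or encoded
 */
void parseAuthorityKeyIdentifierExtension(
        AuthorityKeyIdentifierExtension akidext) throws IOException {
    if (akidext != null) {
        // KEY_ID and SERIAL_NUMBER are static constants; qualify them by
        // the class rather than through the instance reference.
        KeyIdentifier akid = (KeyIdentifier) akidext.get(
                AuthorityKeyIdentifierExtension.KEY_ID);
        if (akid != null) {
            // Do not override the previous setting for initial selection.
            if (isSKIDSensitive || getSubjectKeyIdentifier() == null) {
                // The criterion stores the identifier wrapped in a DER
                // OCTET STRING, not the raw bytes.
                DerOutputStream derout = new DerOutputStream();
                derout.putOctetString(akid.getIdentifier());
                super.setSubjectKeyIdentifier(derout.toByteArray());
                isSKIDSensitive = true;
            }
        }

        SerialNumber asn = (SerialNumber) akidext.get(
                AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
        if (asn != null) {
            // Do not override the previous setting for initial selection.
            if (isSNSensitive || getSerialNumber() == null) {
                super.setSerialNumber(asn.getNumber());
                isSNSensitive = true;
            }
        }

        // the subject criterion should be set by the caller.
    }
}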
/**
 * Derives selector criteria from an authority key identifier extension.
 *
 * When the extension carries a keyIdentifier, the subjectKeyIdentifier
 * criterion is set to its DER OCTET STRING encoding; when it carries an
 * authorityCertSerialNumber, the serialNumber criterion is set to that
 * value. A criterion the caller set explicitly (one not previously
 * derived from an extension) is left untouched.
 *
 * The authorityCertIssuer field is ignored: the subject criterion is not
 * set here, and the caller MUST set it before calling match().
 *
 * @param akidext the authorityKeyIdentifier extension, or null to do nothing
 * @throws IOException if a field of the extension cannot be read or encoded
 */
void parseAuthorityKeyIdentifierExtension(
        AuthorityKeyIdentifierExtension akidext) throws IOException {
    if (akidext == null) {
        return;
    }

    KeyIdentifier keyId = (KeyIdentifier) akidext.get(
            AuthorityKeyIdentifierExtension.KEY_ID);
    if (keyId != null) {
        // Only replace an SKI that this method itself derived earlier, or
        // fill one in when none has been set yet.
        boolean skidOpen = isSKIDSensitive || getSubjectKeyIdentifier() == null;
        if (skidOpen) {
            DerOutputStream out = new DerOutputStream();
            out.putOctetString(keyId.getIdentifier());
            super.setSubjectKeyIdentifier(out.toByteArray());
            isSKIDSensitive = true;
        }
    }

    SerialNumber certSerial = (SerialNumber) akidext.get(
            AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
    if (certSerial != null) {
        // Same rule for the serial number criterion.
        boolean serialOpen = isSNSensitive || getSerialNumber() == null;
        if (serialOpen) {
            super.setSerialNumber(certSerial.getNumber());
            isSNSensitive = true;
        }
    }
    // The subject criterion is intentionally left for the caller.
}
/**
 * Constructs a {@code ResponderId} object using a {@code PublicKey}.
 * When encoded in DER this object uses the byKey option, a SHA-1 hash
 * of the responder's public key.
 *
 * @param pubKey the OCSP responder's public key
 *
 * @throws IOException if the internal DER-encoding of the
 * {@code KeyIdentifier} fails.
 */
public ResponderId(PublicKey pubKey) throws IOException {
    this.type = Type.BY_KEY;
    this.responderName = null;
    this.responderKeyId = new KeyIdentifier(pubKey);
    // Cache the encoding once; it depends only on the key identifier.
    this.encodedRid = keyIdToBytes();
}
/**
 * Returns the key identifier backing this {@code ResponderId}.
 *
 * @return the {@code KeyIdentifier} when this is a BY_KEY variant;
 * {@code null} for a BY_NAME variant.
 */
public KeyIdentifier getKeyIdentifier() {
    return this.responderKeyId;
}
/**
 * Adds an Authority Key Identifier extension derived from the issuing
 * authority's public key. Only the keyIdentifier field is populated;
 * the authorityCertIssuer and authorityCertSerialNumber fields are
 * left absent.
 *
 * @param authorityKey The public key of the issuing authority.
 *
 * @throws IOException if an encoding error occurs.
 */
public void addAuthorityKeyIdExt(PublicKey authorityKey)
        throws IOException {
    addExtension(new AuthorityKeyIdentifierExtension(
            new KeyIdentifier(authorityKey), null, null));
}
/**
 * Adds a Subject Key Identifier extension derived from the subject's
 * public key.
 *
 * @param subjectKey The public key to be used in the resulting certificate
 *
 * @throws IOException if an encoding error occurs.
 */
public void addSubjectKeyIdExt(PublicKey subjectKey) throws IOException {
    KeyIdentifier subjectKeyId = new KeyIdentifier(subjectKey);
    // The SKI extension takes the raw identifier bytes, not the
    // KeyIdentifier object.
    byte[] identifier = subjectKeyId.getIdentifier();
    SubjectKeyIdentifierExtension skiExt =
            new SubjectKeyIdentifierExtension(identifier);
    addExtension(skiExt);
}