/**
 * Derives the subjectKeyIdentifier and serialNumber criteria from an
 * authority key identifier (AKID) extension.
 *
 * Both criteria are cleared first. When {@code ext} is non-null, the
 * subjectKeyIdentifier criterion becomes the DER OCTET STRING encoding of
 * the extension's keyIdentifier field (left null when that field is
 * absent) and the serialNumber criterion becomes the
 * authorityCertSerialNumber field (left null when absent).
 *
 * The authorityCertIssuer field is deliberately ignored: the caller MUST
 * set the subject criterion itself before calling match().
 *
 * NOTE(review): the AKID is read from the certificate whose issuer is
 * being looked up, so these criteria only narrow the candidate set; by
 * themselves they do not establish that a matching certificate is the
 * genuine issuer.
 *
 * @param ext the authorityKeyIdentifier extension, may be null
 * @throws IOException if the extension's fields cannot be read
 */
void setSkiAndSerialNumber(AuthorityKeyIdentifierExtension ext)
        throws IOException {
    // Clear up front so a null or partial extension never leaves stale
    // criteria behind, even if reading a field throws.
    ski = null;
    serial = null;
    if (ext == null) {
        return;
    }

    KeyIdentifier keyId =
        (KeyIdentifier) ext.get(AuthorityKeyIdentifierExtension.KEY_ID);
    if (keyId != null) {
        // Stored as the DER OCTET STRING encoding rather than the raw
        // identifier bytes — presumably the form match() compares against;
        // verify against the matching code before changing this.
        DerOutputStream encoded = new DerOutputStream();
        encoded.putOctetString(keyId.getIdentifier());
        ski = encoded.toByteArray();
    }

    SerialNumber authoritySerial =
        (SerialNumber) ext.get(AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
    if (authoritySerial != null) {
        serial = authoritySerial.getNumber();
    }
    // The subject criterion is intentionally left to the caller.
}
/**
 * Derives the subjectKeyIdentifier and serialNumber criteria from an
 * authority key identifier (AKID) extension.
 *
 * Both criteria are cleared first. When {@code ext} is non-null, the
 * subjectKeyIdentifier criterion is whatever
 * {@code getEncodedKeyIdentifier()} returns (null when the keyIdentifier
 * field is absent, per the original contract) and the serialNumber
 * criterion is the authorityCertSerialNumber field (null when absent).
 *
 * The authorityCertIssuer field is deliberately ignored: the caller MUST
 * set the subject criterion itself before calling match().
 *
 * NOTE(review): the AKID is read from the certificate whose issuer is
 * being looked up, so these criteria only narrow the candidate set; by
 * themselves they do not establish that a matching certificate is the
 * genuine issuer.
 *
 * @param ext the authorityKeyIdentifier extension, may be null
 * @throws IOException if the extension's fields cannot be read
 */
void setSkiAndSerialNumber(AuthorityKeyIdentifierExtension ext)
        throws IOException {
    // Clear up front so a null or partial extension never leaves stale
    // criteria behind, even if reading a field throws.
    ski = null;
    serial = null;
    if (ext == null) {
        return;
    }

    ski = ext.getEncodedKeyIdentifier();

    SerialNumber authoritySerial = (SerialNumber) ext.get(
            AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
    serial = (authoritySerial == null) ? null : authoritySerial.getNumber();
    // The subject criterion is intentionally left to the caller.
}
/**
 * Parses an ESSCertID value: a mandatory certHash followed by an
 * optional issuerSerial (issuer GeneralNames plus serialNumber).
 *
 * NOTE(review): the hash is captured with {@code toByteArray()} on the
 * DerValue, which appears to yield the complete encoding (tag and length
 * included) rather than just the OCTET STRING contents, and no tag check
 * is performed on it — fine for display, but a raw digest comparison
 * would need the decoded octets instead; confirm what consumers of
 * certHash expect. Any bytes left after certHash are assumed to be the
 * issuerSerial SEQUENCE.
 *
 * @param certId the DER value holding the ESSCertID
 * @throws IOException if the DER structure cannot be read
 */
ESSCertId(DerValue certId) throws IOException {
    // certHash comes first and is always present.
    certHash = certId.data.getDerValue().toByteArray();

    // issuerSerial is OPTIONAL: whatever remains in the stream is taken
    // to be it.
    if (certId.data.available() > 0) {
        parseIssuerSerial(certId.data.getDerValue());
    }
}

/** Reads the issuer GeneralNames and then the serialNumber, in that order. */
private void parseIssuerSerial(DerValue issuerAndSerial) throws IOException {
    issuer = new GeneralNames(issuerAndSerial.data.getDerValue());
    serialNumber = new SerialNumber(issuerAndSerial.data.getDerValue());
}
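/**
 * Narrows this selector using an authority key identifier (AKID)
 * extension.
 *
 * If the extension's keyIdentifier field is present, the
 * subjectKeyIdentifier criterion is set to its DER OCTET STRING encoding;
 * if the authorityCertSerialNumber field is present, the serialNumber
 * criterion is set to it. In both cases a value installed by something
 * other than this method (the initial selection) is left untouched: a
 * criterion is only (re)written when it is currently unset or was itself
 * derived from an earlier AKID, as tracked by isSKIDSensitive /
 * isSNSensitive.
 *
 * The authorityCertIssuer field is deliberately not used to set the
 * subject criterion; the caller MUST set the subject criterion before
 * calling match().
 *
 * NOTE(review): the AKID is read from the certificate whose issuer is
 * being searched for, so these criteria only narrow the candidate set;
 * by themselves they do not prove that a matching certificate is the
 * genuine issuer.
 *
 * @param akidext the authorityKeyIdentifier extension, may be null
 * @throws IOException if the extension's fields cannot be read
 */
void parseAuthorityKeyIdentifierExtension(
        AuthorityKeyIdentifierExtension akidext) throws IOException {
    if (akidext == null) {
        return;
    }

    // Reference the field-name constants through the class rather than
    // the instance ('akidext.KEY_ID'): that form compiles but hides that
    // these are static names and is flagged by static analysis.
    KeyIdentifier akid = (KeyIdentifier) akidext.get(
            AuthorityKeyIdentifierExtension.KEY_ID);
    if (akid != null) {
        // Do not override the previous setting for initial selection.
        if (isSKIDSensitive || getSubjectKeyIdentifier() == null) {
            DerOutputStream derout = new DerOutputStream();
            derout.putOctetString(akid.getIdentifier());
            super.setSubjectKeyIdentifier(derout.toByteArray());
            isSKIDSensitive = true;
        }
    }

    SerialNumber asn = (SerialNumber) akidext.get(
            AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
    if (asn != null) {
        // Do not override the previous setting for initial selection.
        if (isSNSensitive || getSerialNumber() == null) {
            super.setSerialNumber(asn.getNumber());
            isSNSensitive = true;
        }
    }
    // The subject criterion is intentionally left to the caller.
}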
/**
 * Narrows this selector using an authority key identifier (AKID)
 * extension.
 *
 * A present keyIdentifier field becomes the subjectKeyIdentifier
 * criterion (as a DER OCTET STRING); a present authorityCertSerialNumber
 * field becomes the serialNumber criterion. Either criterion is only
 * written when it is currently unset or was itself derived from an
 * earlier AKID (isSKIDSensitive / isSNSensitive); a value installed by
 * the initial selection is kept.
 *
 * The authorityCertIssuer field is deliberately not used to set the
 * subject criterion; the caller MUST set the subject criterion before
 * calling match().
 *
 * NOTE(review): the AKID is read from the certificate whose issuer is
 * being searched for, so these criteria only narrow the candidate set;
 * by themselves they do not prove that a matching certificate is the
 * genuine issuer.
 *
 * @param akidext the authorityKeyIdentifier extension, may be null
 * @throws IOException if the extension's fields cannot be read
 */
void parseAuthorityKeyIdentifierExtension(
        AuthorityKeyIdentifierExtension akidext) throws IOException {
    if (akidext == null) {
        return;
    }

    KeyIdentifier keyId = (KeyIdentifier) akidext.get(
            AuthorityKeyIdentifierExtension.KEY_ID);
    // Only touch the SKID criterion when it is unset or AKID-derived.
    if (keyId != null
            && (isSKIDSensitive || getSubjectKeyIdentifier() == null)) {
        DerOutputStream encoded = new DerOutputStream();
        encoded.putOctetString(keyId.getIdentifier());
        super.setSubjectKeyIdentifier(encoded.toByteArray());
        isSKIDSensitive = true;
    }

    SerialNumber authoritySerial = (SerialNumber) akidext.get(
            AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
    // Same rule for the serial number criterion.
    if (authoritySerial != null
            && (isSNSensitive || getSerialNumber() == null)) {
        super.setSerialNumber(authoritySerial.getNumber());
        isSNSensitive = true;
    }
    // The subject criterion is intentionally left to the caller.
}
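/**
 * Encodes the TBSCertificate structure:
 * <PRE>
 * TBSCertificate ::= SEQUENCE {
 *     version         [0] EXPLICIT Version DEFAULT v1,
 *     serialNumber         CertificateSerialNumber,
 *     signature            AlgorithmIdentifier,
 *     issuer               Name,
 *     validity             Validity,
 *     subject              Name,
 *     subjectPublicKeyInfo SubjectPublicKeyInfo,
 *     issuerUniqueID  [1] IMPLICIT UniqueIdentifier OPTIONAL,
 *                          -- If present, version MUST be v2 or v3
 *     subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
 *                          -- If present, version MUST be v2 or v3
 *     extensions      [3] EXPLICIT Extensions OPTIONAL
 *                          -- If present, version MUST be v3
 * }
 * </PRE>
 *
 * The version is always v3 and the extensions block is always emitted;
 * issuerUniqueID and subjectUniqueID are never written. Validity dates
 * are encoded as UTCTime through 2049 and GeneralizedTime from 2050 on,
 * as RFC 5280 section 4.1.2.5 requires (the previous unconditional
 * UTCTime encoding would have silently mis-encoded any 2050+ date, since
 * UTCTime only carries a two-digit year).
 *
 * NOTE(review): nothing here validates the serial number (RFC 5280
 * wants a positive integer of at most 20 octets); the value in the
 * serialNumber field is trusted as-is.
 *
 * @param issuerCert The certificate of the issuing authority, or
 *                   {@code null} if the resulting certificate is self-signed.
 * @param signAlg    The signature algorithm object
 *
 * @return The DER-encoded bytes for the TBSCertificate structure
 *
 * @throws IOException if an encoding error occurs.
 */
private byte[] encodeTbsCert(X509Certificate issuerCert, AlgorithmId signAlg)
        throws IOException {
    DerOutputStream tbsCertSeq = new DerOutputStream();
    DerOutputStream tbsCertItems = new DerOutputStream();

    // version [0] EXPLICIT: hard-coded to v3, i.e. INTEGER 2, because
    // extensions are always emitted below and they require v3.
    byte[] v3int = {0x02, 0x01, 0x02};
    tbsCertItems.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0),
            v3int);

    // serialNumber
    SerialNumber sn = new SerialNumber(serialNumber);
    sn.encode(tbsCertItems);

    // signature AlgorithmIdentifier
    signAlg.derEncode(tbsCertItems);

    // issuer: the issuer's subject DN, taken byte-for-byte from its
    // certificate; for a self-signed certificate it is our own subject.
    if (issuerCert != null) {
        tbsCertItems.write(issuerCert.getSubjectX500Principal().getEncoded());
    } else {
        tbsCertItems.write(subjectName.getEncoded());
    }

    // validity: SEQUENCE { notBefore Time, notAfter Time }
    DerOutputStream valSeq = new DerOutputStream();
    putValidityTime(valSeq, notBefore);
    putValidityTime(valSeq, notAfter);
    tbsCertItems.write(DerValue.tag_Sequence, valSeq);

    // subject
    tbsCertItems.write(subjectName.getEncoded());

    // subjectPublicKeyInfo
    tbsCertItems.write(publicKey.getEncoded());

    // extensions [3] EXPLICIT
    encodeExtensions(tbsCertItems);

    // Wrap it all up in a SEQUENCE and return the bytes
    tbsCertSeq.write(DerValue.tag_Sequence, tbsCertItems);
    return tbsCertSeq.toByteArray();
}

/** First instant (UTC) at which RFC 5280 requires GeneralizedTime. */
private static final long GENERALIZED_TIME_CUTOFF_MILLIS =
        java.time.Instant.parse("2050-01-01T00:00:00Z").toEpochMilli();

/**
 * Writes one validity date in the Time CHOICE form RFC 5280 mandates:
 * UTCTime for dates before 2050, GeneralizedTime otherwise.
 *
 * @param out  the stream receiving the encoded time
 * @param when the date to encode
 * @throws IOException if an encoding error occurs.
 */
private static void putValidityTime(DerOutputStream out, java.util.Date when)
        throws IOException {
    if (when.getTime() < GENERALIZED_TIME_CUTOFF_MILLIS) {
        out.putUTCTime(when);
    } else {
        out.putGeneralizedTime(when);
    }
}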
/**
 * Creates a StatusInfo object from certificate data.
 *
 * The CertId is built from {@code issuerCert} together with the serial
 * number of {@code subjectCert}; the work is delegated to the
 * {@code (X509Certificate, CertId)} constructor.
 *
 * NOTE(review): nothing here checks that {@code issuerCert} actually
 * issued {@code subjectCert} (no issuer/subject name or signature
 * comparison). A mismatched pair presumably produces a CertId for a
 * certificate that does not exist under that issuer — callers are
 * trusted to pair them correctly; confirm at the call sites.
 *
 * @param subjectCert the certificate to be checked for revocation
 * @param issuerCert the issuer of the {@code subjectCert}
 *
 * @throws IOException if CertId creation from the certificates fails
 */
StatusInfo(X509Certificate subjectCert, X509Certificate issuerCert)
        throws IOException {
    this(subjectCert, new CertId(issuerCert,
            new SerialNumber(subjectCert.getSerialNumber())));
}