use of com.unboundid.util.OID in project ldapsdk by pingidentity.
the class X509Certificate method toString.
/**
* Appends a string representation of the decoded X.509 certificate to the
* provided buffer.
*
* @param buffer The buffer to which the information should be appended.
*/
public void toString(@NotNull final StringBuilder buffer) {
buffer.append("X509Certificate(version='");
buffer.append(version.getName());
buffer.append("', serialNumber='");
StaticUtils.toHex(serialNumber.toByteArray(), ":", buffer);
buffer.append("', signatureAlgorithmOID='");
buffer.append(signatureAlgorithmOID.toString());
buffer.append('\'');
if (signatureAlgorithmName != null) {
buffer.append(", signatureAlgorithmName='");
buffer.append(signatureAlgorithmName);
buffer.append('\'');
}
buffer.append(", issuerDN='");
buffer.append(issuerDN.toString());
buffer.append("', notBefore='");
buffer.append(StaticUtils.encodeGeneralizedTime(notBefore));
buffer.append("', notAfter='");
buffer.append(StaticUtils.encodeGeneralizedTime(notAfter));
buffer.append("', subjectDN='");
buffer.append(subjectDN.toString());
buffer.append("', publicKeyAlgorithmOID='");
buffer.append(publicKeyAlgorithmOID.toString());
buffer.append('\'');
if (publicKeyAlgorithmName != null) {
buffer.append(", publicKeyAlgorithmName='");
buffer.append(publicKeyAlgorithmName);
buffer.append('\'');
}
buffer.append(", subjectPublicKey=");
if (decodedPublicKey == null) {
buffer.append('\'');
try {
StaticUtils.toHex(encodedPublicKey.getBytes(), ":", buffer);
} catch (final Exception e) {
Debug.debugException(e);
encodedPublicKey.toString(buffer);
}
buffer.append('\'');
} else {
decodedPublicKey.toString(buffer);
if (decodedPublicKey instanceof EllipticCurvePublicKey) {
try {
final OID namedCurveOID = publicKeyAlgorithmParameters.decodeAsObjectIdentifier().getOID();
buffer.append(", ellipticCurvePublicKeyParameters=namedCurve='");
buffer.append(NamedCurve.getNameOrOID(namedCurveOID));
buffer.append('\'');
} catch (final Exception e) {
Debug.debugException(e);
}
}
}
if (issuerUniqueID != null) {
buffer.append(", issuerUniqueID='");
buffer.append(issuerUniqueID.toString());
buffer.append('\'');
}
if (subjectUniqueID != null) {
buffer.append(", subjectUniqueID='");
buffer.append(subjectUniqueID.toString());
buffer.append('\'');
}
if (!extensions.isEmpty()) {
buffer.append(", extensions={");
final Iterator<X509CertificateExtension> iterator = extensions.iterator();
while (iterator.hasNext()) {
iterator.next().toString(buffer);
if (iterator.hasNext()) {
buffer.append(", ");
}
}
buffer.append('}');
}
buffer.append(", signatureValue='");
try {
StaticUtils.toHex(signatureValue.getBytes(), ":", buffer);
} catch (final Exception e) {
Debug.debugException(e);
buffer.append(signatureValue.toString());
}
buffer.append("')");
}
use of com.unboundid.util.OID in project ldapsdk by pingidentity.
the class X509Certificate method generateSelfSignedCertificate.
/**
* Generates a self-signed X.509 certificate with the provided information.
*
* @param signatureAlgorithm The algorithm to use to generate the signature.
* This must not be {@code null}.
* @param keyPair The key pair for the certificate. This must
* not be {@code null}.
* @param subjectDN The subject DN for the certificate. This must
* not be {@code null}.
* @param notBefore The validity start time for the certificate.
* @param notAfter The validity end time for the certificate.
* @param extensions The set of extensions to include in the
* certificate. This may be {@code null} or empty
* if the certificate should not include any
* custom extensions. Note that the generated
* certificate will automatically include a
* {@link SubjectKeyIdentifierExtension}, so that
* should not be provided.
*
* @return An {@code ObjectPair} that contains both the self-signed
* certificate and its corresponding key pair.
*
* @throws CertException If a problem is encountered while creating the
* certificate.
*/
@NotNull()
public static X509Certificate generateSelfSignedCertificate(@NotNull final SignatureAlgorithmIdentifier signatureAlgorithm, @NotNull final KeyPair keyPair, @NotNull final DN subjectDN, final long notBefore, final long notAfter, @Nullable final X509CertificateExtension... extensions) throws CertException {
// Extract the parameters and encoded public key from the generated key
// pair. And while we're at it, generate a subject key identifier from
// the encoded public key.
DecodedPublicKey decodedPublicKey = null;
final ASN1BitString encodedPublicKey;
final ASN1Element publicKeyAlgorithmParameters;
final byte[] subjectKeyIdentifier;
final OID publicKeyAlgorithmOID;
try {
final ASN1Element[] pkElements = ASN1Sequence.decodeAsSequence(keyPair.getPublic().getEncoded()).elements();
final ASN1Element[] pkAlgIDElements = ASN1Sequence.decodeAsSequence(pkElements[0]).elements();
publicKeyAlgorithmOID = pkAlgIDElements[0].decodeAsObjectIdentifier().getOID();
if (pkAlgIDElements.length == 1) {
publicKeyAlgorithmParameters = null;
} else {
publicKeyAlgorithmParameters = pkAlgIDElements[1];
}
encodedPublicKey = pkElements[1].decodeAsBitString();
try {
if (publicKeyAlgorithmOID.equals(PublicKeyAlgorithmIdentifier.RSA.getOID())) {
decodedPublicKey = new RSAPublicKey(encodedPublicKey);
} else if (publicKeyAlgorithmOID.equals(PublicKeyAlgorithmIdentifier.EC.getOID())) {
decodedPublicKey = new EllipticCurvePublicKey(encodedPublicKey);
}
} catch (final Exception e) {
Debug.debugException(e);
}
final MessageDigest sha256 = CryptoHelper.getMessageDigest(SubjectKeyIdentifierExtension.SUBJECT_KEY_IDENTIFIER_DIGEST_ALGORITHM);
subjectKeyIdentifier = sha256.digest(encodedPublicKey.getBytes());
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CERT_GEN_SELF_SIGNED_CANNOT_PARSE_KEY_PAIR.get(StaticUtils.getExceptionMessage(e)), e);
}
// Construct the set of all extensions for the certificate.
final ArrayList<X509CertificateExtension> extensionList = new ArrayList<>(10);
extensionList.add(new SubjectKeyIdentifierExtension(false, new ASN1OctetString(subjectKeyIdentifier)));
if (extensions != null) {
for (final X509CertificateExtension e : extensions) {
if (!e.getOID().equals(SubjectKeyIdentifierExtension.SUBJECT_KEY_IDENTIFIER_OID)) {
extensionList.add(e);
}
}
}
final X509CertificateExtension[] allExtensions = new X509CertificateExtension[extensionList.size()];
extensionList.toArray(allExtensions);
// Encode the tbsCertificate sequence for the certificate and use it to
// generate the certificate's signature.
final BigInteger serialNumber = generateSerialNumber();
final ASN1BitString encodedSignature = generateSignature(signatureAlgorithm, keyPair.getPrivate(), serialNumber, subjectDN, notBefore, notAfter, subjectDN, publicKeyAlgorithmOID, publicKeyAlgorithmParameters, encodedPublicKey, allExtensions);
// Construct and return the signed certificate and the private key.
return new X509Certificate(X509CertificateVersion.V3, serialNumber, signatureAlgorithm.getOID(), null, encodedSignature, subjectDN, notBefore, notAfter, subjectDN, publicKeyAlgorithmOID, publicKeyAlgorithmParameters, encodedPublicKey, decodedPublicKey, null, null, allExtensions);
}
use of com.unboundid.util.OID in project ldapsdk by pingidentity.
the class ManageCertificates method doCheckCertificateUsability.
/**
* Performs the necessary processing for the check-certificate-usability
* subcommand.
*
* @return A result code that indicates whether the processing completed
* successfully.
*/
@NotNull()
private ResultCode doCheckCertificateUsability() {
// Get the values of a number of configured arguments.
final StringArgument aliasArgument = subCommandParser.getStringArgument("alias");
final String alias = aliasArgument.getValue();
final String keystoreType;
final File keystorePath = getKeystorePath();
try {
keystoreType = inferKeystoreType(keystorePath);
} catch (final LDAPException le) {
Debug.debugException(le);
wrapErr(0, WRAP_COLUMN, le.getMessage());
return le.getResultCode();
}
final char[] keystorePassword;
try {
keystorePassword = getKeystorePassword(keystorePath);
} catch (final LDAPException le) {
Debug.debugException(le);
wrapErr(0, WRAP_COLUMN, le.getMessage());
return le.getResultCode();
}
// Get the keystore.
final KeyStore keystore;
try {
keystore = getKeystore(keystoreType, keystorePath, keystorePassword);
} catch (final LDAPException le) {
Debug.debugException(le);
wrapErr(0, WRAP_COLUMN, le.getMessage());
return le.getResultCode();
}
// Make sure that the specified entry exists in the keystore and is
// associated with a certificate chain and a private key.
final X509Certificate[] chain;
if (hasKeyAlias(keystore, alias)) {
try {
final Certificate[] genericChain = keystore.getCertificateChain(alias);
Validator.ensureTrue((genericChain.length > 0), "ERROR: The keystore has a private key entry for alias '" + alias + "', but the associated certificate chain is empty.");
chain = new X509Certificate[genericChain.length];
for (int i = 0; i < genericChain.length; i++) {
chain[i] = new X509Certificate(genericChain[i].getEncoded());
}
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_GOT_CHAIN.get(alias));
for (final X509Certificate c : chain) {
out();
printCertificate(c, "", false);
}
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_CANNOT_GET_CHAIN.get(alias));
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
} else if (hasCertificateAlias(keystore, alias)) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_NO_PRIVATE_KEY.get(alias));
return ResultCode.PARAM_ERROR;
} else {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_NO_SUCH_ALIAS.get(alias));
return ResultCode.PARAM_ERROR;
}
// Check to see if the certificate is self-signed. If so, then that's a
// warning. If not, then make sure that the chain is complete and that each
// subsequent certificate is the issuer of the previous.
int numWarnings = 0;
int numErrors = 0;
if (chain[0].isSelfSigned()) {
err();
wrapErr(0, WRAP_COLUMN, WARN_MANAGE_CERTS_CHECK_USABILITY_CERT_IS_SELF_SIGNED.get(chain[0].getSubjectDN()));
numWarnings++;
} else if ((chain.length == 1) || (!chain[chain.length - 1].isSelfSigned())) {
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_END_OF_CHAIN_NOT_SELF_SIGNED.get(alias));
numErrors++;
} else {
boolean chainError = false;
final StringBuilder nonMatchReason = new StringBuilder();
for (int i = 1; i < chain.length; i++) {
if (!chain[i].isIssuerFor(chain[i - 1], nonMatchReason)) {
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_CHAIN_ISSUER_MISMATCH.get(alias, chain[i].getSubjectDN(), chain[i - 1].getSubjectDN(), nonMatchReason));
numErrors++;
chainError = true;
}
}
if (!chainError) {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_CHAIN_COMPLETE.get());
}
}
// display a notice, but we won't consider it a warning in and of itself.
if ((chain.length > 1) && chain[chain.length - 1].isSelfSigned()) {
final X509Certificate caCert = chain[chain.length - 1];
try {
final String jvmDefaultTrustStoreType = inferKeystoreType(JVM_DEFAULT_CACERTS_FILE);
final KeyStore jvmDefaultTrustStore = CryptoHelper.getKeyStore(jvmDefaultTrustStoreType);
try (FileInputStream inputStream = new FileInputStream(JVM_DEFAULT_CACERTS_FILE)) {
jvmDefaultTrustStore.load(inputStream, null);
}
boolean found = false;
final Enumeration<String> aliases = jvmDefaultTrustStore.aliases();
while (aliases.hasMoreElements()) {
final String jvmDefaultCertAlias = aliases.nextElement();
if (jvmDefaultTrustStore.isCertificateEntry(jvmDefaultCertAlias)) {
final Certificate c = jvmDefaultTrustStore.getCertificate(jvmDefaultCertAlias);
final X509Certificate xc = new X509Certificate(c.getEncoded());
if ((caCert.getSubjectDN().equals(xc.getSubjectDN())) && Arrays.equals(caCert.getSignatureValue().getBits(), xc.getSignatureValue().getBits())) {
found = true;
break;
}
}
}
if (found) {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_CA_TRUSTED_OK.get(caCert.getSubjectDN()));
} else {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_CA_NOT_IN_JVM_DEFAULT_TS.get(caCert.getSubjectDN()));
}
} catch (final Exception e) {
Debug.debugException(e);
err();
wrapErr(0, WRAP_COLUMN, WARN_MANAGE_CERTS_CHECK_USABILITY_CHECK_CA_IN_TS_ERROR.get(caCert.getSubjectDN(), StaticUtils.getExceptionMessage(e)));
numWarnings++;
}
}
// error.
for (int i = 0; i < chain.length; i++) {
final X509Certificate c = chain[i];
try {
if (c.isSelfSigned()) {
c.verifySignature(null);
} else if ((i + 1) < chain.length) {
c.verifySignature(chain[i + 1]);
}
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_CERT_SIGNATURE_VALID.get(c.getSubjectDN()));
} catch (final CertException ce) {
err();
wrapErr(0, WRAP_COLUMN, ce.getMessage());
numErrors++;
}
}
// Check the validity window for each certificate in the chain. If any of
// them is expired or not yet valid, then that's an error. If any of them
// will expire in the near future, then that's a warning.
final long currentTime = System.currentTimeMillis();
final long thirtyDaysFromNow = currentTime + (30L * 24L * 60L * 60L * 1000L);
for (int i = 0; i < chain.length; i++) {
final X509Certificate c = chain[i];
if (c.getNotBeforeTime() > currentTime) {
err();
if (i == 0) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_END_CERT_NOT_YET_VALID.get(c.getSubjectDN(), formatDateAndTime(c.getNotBeforeDate())));
} else {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_NOT_YET_VALID.get(c.getSubjectDN(), formatDateAndTime(c.getNotBeforeDate())));
}
numErrors++;
} else if (c.getNotAfterTime() < currentTime) {
err();
if (i == 0) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_END_CERT_EXPIRED.get(c.getSubjectDN(), formatDateAndTime(c.getNotAfterDate())));
} else {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_EXPIRED.get(c.getSubjectDN(), formatDateAndTime(c.getNotAfterDate())));
}
numErrors++;
} else if (c.getNotAfterTime() < thirtyDaysFromNow) {
err();
if (i == 0) {
wrapErr(0, WRAP_COLUMN, WARN_MANAGE_CERTS_CHECK_USABILITY_END_CERT_NEAR_EXPIRATION.get(c.getSubjectDN(), formatDateAndTime(c.getNotAfterDate())));
} else {
wrapErr(0, WRAP_COLUMN, WARN_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_NEAR_EXPIRATION.get(c.getSubjectDN(), formatDateAndTime(c.getNotAfterDate())));
}
numWarnings++;
} else {
if (i == 0) {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_END_CERT_VALIDITY_OK.get(c.getSubjectDN(), formatDateAndTime(c.getNotAfterDate())));
} else {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_VALIDITY_OK.get(c.getSubjectDN(), formatDateAndTime(c.getNotAfterDate())));
}
}
}
// determine whether the certificate has been revoked.
for (int i = 0; i < chain.length; i++) {
boolean basicConstraintsFound = false;
boolean extendedKeyUsageFound = false;
boolean keyUsageFound = false;
final X509Certificate c = chain[i];
for (final X509CertificateExtension extension : c.getExtensions()) {
if (extension instanceof ExtendedKeyUsageExtension) {
extendedKeyUsageFound = true;
if (i == 0) {
final ExtendedKeyUsageExtension e = (ExtendedKeyUsageExtension) extension;
if (!e.getKeyPurposeIDs().contains(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID())) {
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_END_CERT_BAD_EKU.get(c.getSubjectDN()));
numErrors++;
} else {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_END_CERT_GOOD_EKU.get(c.getSubjectDN()));
}
}
} else if (extension instanceof BasicConstraintsExtension) {
basicConstraintsFound = true;
if (i > 0) {
final BasicConstraintsExtension e = (BasicConstraintsExtension) extension;
if (!e.isCA()) {
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_BAD_BC_CA.get(c.getSubjectDN()));
numErrors++;
} else if ((e.getPathLengthConstraint() != null) && ((i - 1) > e.getPathLengthConstraint())) {
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_BAD_BC_LENGTH.get(c.getSubjectDN(), e.getPathLengthConstraint(), chain[0].getSubjectDN(), (i - 1)));
numErrors++;
} else {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_GOOD_BC.get(c.getSubjectDN()));
}
}
} else if (extension instanceof KeyUsageExtension) {
keyUsageFound = true;
if (i > 0) {
final KeyUsageExtension e = (KeyUsageExtension) extension;
if (!e.isKeyCertSignBitSet()) {
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_ISSUER_NO_CERT_SIGN_KU.get(c.getSubjectDN()));
numErrors++;
} else {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_ISSUER_GOOD_KU.get(c.getSubjectDN()));
}
}
}
}
if (i == 0) {
if (!extendedKeyUsageFound) {
err();
wrapErr(0, WRAP_COLUMN, WARN_MANAGE_CERTS_CHECK_USABILITY_NO_EKU.get(c.getSubjectDN()));
numWarnings++;
}
} else {
if (!basicConstraintsFound) {
err();
wrapErr(0, WRAP_COLUMN, WARN_MANAGE_CERTS_CHECK_USABILITY_NO_BC.get(c.getSubjectDN()));
numWarnings++;
}
if (!keyUsageFound) {
err();
wrapErr(0, WRAP_COLUMN, WARN_MANAGE_CERTS_CHECK_USABILITY_NO_KU.get(c.getSubjectDN()));
numWarnings++;
}
}
}
// Make sure that none of the certificates has a signature algorithm that
// uses MD5 or SHA-1. If it uses an unrecognized signature algorithm, then
// that's a warning.
boolean isIssuer = false;
final BooleanArgument ignoreSHA1WarningArg = subCommandParser.getBooleanArgument("allow-sha-1-signature-for-issuer-certificates");
final boolean ignoreSHA1SignatureWarningForIssuerCertificates = ((ignoreSHA1WarningArg != null) && ignoreSHA1WarningArg.isPresent());
for (final X509Certificate c : chain) {
final OID signatureAlgorithmOID = c.getSignatureAlgorithmOID();
final SignatureAlgorithmIdentifier id = SignatureAlgorithmIdentifier.forOID(signatureAlgorithmOID);
if (id == null) {
err();
wrapErr(0, WRAP_COLUMN, WARN_MANAGE_CERTS_CHECK_USABILITY_UNKNOWN_SIG_ALG.get(c.getSubjectDN(), signatureAlgorithmOID));
numWarnings++;
} else {
switch(id) {
case MD2_WITH_RSA:
case MD5_WITH_RSA:
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_WEAK_SIG_ALG.get(c.getSubjectDN(), id.getUserFriendlyName()));
numErrors++;
break;
case SHA_1_WITH_RSA:
case SHA_1_WITH_DSA:
case SHA_1_WITH_ECDSA:
if (isIssuer && ignoreSHA1SignatureWarningForIssuerCertificates) {
err();
wrapErr(0, WRAP_COLUMN, WARN_MANAGE_CERTS_CHECK_USABILITY_ISSUER_WITH_SHA1_SIG.get(c.getSubjectDN(), id.getUserFriendlyName(), ignoreSHA1WarningArg.getIdentifierString()));
} else {
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_WEAK_SIG_ALG.get(c.getSubjectDN(), id.getUserFriendlyName()));
numErrors++;
}
break;
case SHA_224_WITH_RSA:
case SHA_224_WITH_DSA:
case SHA_224_WITH_ECDSA:
case SHA_256_WITH_RSA:
case SHA_256_WITH_DSA:
case SHA_256_WITH_ECDSA:
case SHA_384_WITH_RSA:
case SHA_384_WITH_ECDSA:
case SHA_512_WITH_RSA:
case SHA_512_WITH_ECDSA:
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_SIG_ALG_OK.get(c.getSubjectDN(), id.getUserFriendlyName()));
break;
}
}
isIssuer = true;
}
// has a public modulus size smaller than 2048 bits.
for (final X509Certificate c : chain) {
if ((c.getDecodedPublicKey() != null) && (c.getDecodedPublicKey() instanceof RSAPublicKey)) {
final RSAPublicKey rsaPublicKey = (RSAPublicKey) c.getDecodedPublicKey();
final byte[] modulusBytes = rsaPublicKey.getModulus().toByteArray();
int modulusSizeBits = modulusBytes.length * 8;
if (((modulusBytes.length % 2) != 0) && (modulusBytes[0] == 0x00)) {
modulusSizeBits -= 8;
}
if (modulusSizeBits < 2048) {
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_WEAK_RSA_MODULUS.get(c.getSubjectDN(), modulusSizeBits));
numErrors++;
} else {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_RSA_MODULUS_OK.get(c.getSubjectDN(), modulusSizeBits));
}
}
}
switch(numErrors) {
case 0:
break;
case 1:
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_ONE_ERROR.get());
return ResultCode.PARAM_ERROR;
default:
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_MULTIPLE_ERRORS.get(numErrors));
return ResultCode.PARAM_ERROR;
}
switch(numWarnings) {
case 0:
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_CHECK_USABILITY_NO_ERRORS_OR_WARNINGS.get());
return ResultCode.SUCCESS;
case 1:
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_ONE_WARNING.get());
return ResultCode.PARAM_ERROR;
default:
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_CHECK_USABILITY_MULTIPLE_WARNINGS.get(numWarnings));
return ResultCode.PARAM_ERROR;
}
}
use of com.unboundid.util.OID in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequest method toString.
/**
* Appends a string representation of the decoded X.509 certificate to the
* provided buffer.
*
* @param buffer The buffer to which the information should be appended.
*/
public void toString(@NotNull final StringBuilder buffer) {
buffer.append("PKCS10CertificateSigningRequest(version='");
buffer.append(version.getName());
buffer.append("', subjectDN='");
buffer.append(subjectDN);
buffer.append("', publicKeyAlgorithmOID='");
buffer.append(publicKeyAlgorithmOID.toString());
buffer.append('\'');
if (publicKeyAlgorithmName != null) {
buffer.append(", publicKeyAlgorithmName='");
buffer.append(publicKeyAlgorithmName);
buffer.append('\'');
}
buffer.append(", subjectPublicKey=");
if (decodedPublicKey == null) {
buffer.append('\'');
try {
StaticUtils.toHex(encodedPublicKey.getBytes(), ":", buffer);
} catch (final Exception e) {
Debug.debugException(e);
encodedPublicKey.toString(buffer);
}
buffer.append('\'');
} else {
decodedPublicKey.toString(buffer);
if (decodedPublicKey instanceof EllipticCurvePublicKey) {
try {
final OID namedCurveOID = publicKeyAlgorithmParameters.decodeAsObjectIdentifier().getOID();
buffer.append(", ellipticCurvePublicKeyParameters=namedCurve='");
buffer.append(NamedCurve.getNameOrOID(namedCurveOID));
buffer.append('\'');
} catch (final Exception e) {
Debug.debugException(e);
}
}
}
buffer.append(", signatureAlgorithmOID='");
buffer.append(signatureAlgorithmOID.toString());
buffer.append('\'');
if (signatureAlgorithmName != null) {
buffer.append(", signatureAlgorithmName='");
buffer.append(signatureAlgorithmName);
buffer.append('\'');
}
if (!extensions.isEmpty()) {
buffer.append(", extensions={");
final Iterator<X509CertificateExtension> iterator = extensions.iterator();
while (iterator.hasNext()) {
iterator.next().toString(buffer);
if (iterator.hasNext()) {
buffer.append(", ");
}
}
buffer.append('}');
}
buffer.append(", signatureValue='");
try {
StaticUtils.toHex(signatureValue.getBytes(), ":", buffer);
} catch (final Exception e) {
Debug.debugException(e);
buffer.append(signatureValue.toString());
}
buffer.append("')");
}
use of com.unboundid.util.OID in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequest method encode.
/**
* Encodes this PKCS #10 certificate signing request to an ASN.1 element.
*
* @return The encoded PKCS #10 certificate signing request.
*
* @throws CertException If a problem is encountered while trying to encode
* the PKCS #10 certificate signing request.
*/
@NotNull()
private ASN1Element encode() throws CertException {
try {
final ArrayList<ASN1Element> requestInfoElements = new ArrayList<>(4);
requestInfoElements.add(new ASN1Integer(version.getIntValue()));
requestInfoElements.add(X509Certificate.encodeName(subjectDN));
if (publicKeyAlgorithmParameters == null) {
requestInfoElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID)), encodedPublicKey));
} else {
requestInfoElements.add(new ASN1Sequence(new ASN1Sequence(new ASN1ObjectIdentifier(publicKeyAlgorithmOID), publicKeyAlgorithmParameters), encodedPublicKey));
}
final ArrayList<ASN1Element> attrElements = new ArrayList<>(requestAttributes.size());
for (final ObjectPair<OID, ASN1Set> attr : requestAttributes) {
attrElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(attr.getFirst()), attr.getSecond()));
}
requestInfoElements.add(new ASN1Set(TYPE_ATTRIBUTES, attrElements));
final ArrayList<ASN1Element> certificationRequestElements = new ArrayList<>(3);
certificationRequestElements.add(new ASN1Sequence(requestInfoElements));
if (signatureAlgorithmParameters == null) {
certificationRequestElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(signatureAlgorithmOID)));
} else {
certificationRequestElements.add(new ASN1Sequence(new ASN1ObjectIdentifier(signatureAlgorithmOID), signatureAlgorithmParameters));
}
certificationRequestElements.add(signatureValue);
return new ASN1Sequence(certificationRequestElements);
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_ENCODE_ERROR.get(toString(), StaticUtils.getExceptionMessage(e)), e);
}
}
Aggregations