
Example 46 with X509Extension

use of org.bouncycastle.asn1.x509.X509Extension in project Falcon-File-Transfer-Optimizer by arif-zaman.

the class BouncyCastleCertProcessingFactory method createProxyCertificate.

/**
 * Creates a proxy certificate. A set of X.509 extensions can be optionally included in the new proxy
 * certificate. <BR>
 * If a GSI-2 proxy is created, the serial number of the proxy certificate will be the same as of the
 * issuing certificate. Also, none of the extensions in the issuing certificate will be copied into the
 * proxy certificate.<BR>
 * If a GSI-3 or GSI 4 proxy is created, the serial number of the proxy certificate will be picked
 * randomly. If the issuing certificate contains a <i>KeyUsage</i> extension, the extension will be copied
 * into the proxy certificate with <i>keyCertSign</i> and <i>nonRepudiation</i> bits turned off. No other
 * extensions are currently copied.
 *
 * The method defaults to creating a GSI 4 proxy.
 *
 * @param issuerCert_
 *            the issuing certificate
 * @param issuerKey
 *            private key matching the public key of issuer certificate. The new proxy certificate will be
 *            signed by that key.
 * @param publicKey
 *            the public key of the new certificate
 * @param lifetime
 *            lifetime of the new certificate in seconds. If 0 (or less) the new certificate will
 *            have the same lifetime as the issuing certificate.
 * @param certType
 *            can be one of {@link org.globus.gsi.GSIConstants.CertificateType#GSI_2_LIMITED_PROXY GSIConstants.CertificateType.GSI_2_LIMITED_PROXY},
 *            {@link org.globus.gsi.GSIConstants.CertificateType#GSI_2_PROXY GSIConstants.CertificateType.GSI_2_PROXY},
 *            {@link org.globus.gsi.GSIConstants.CertificateType#GSI_3_IMPERSONATION_PROXY GSIConstants.CertificateType.GSI_3_IMPERSONATION_PROXY},
 *            {@link org.globus.gsi.GSIConstants.CertificateType#GSI_3_LIMITED_PROXY GSIConstants.CertificateType.GSI_3_LIMITED_PROXY},
 *            {@link org.globus.gsi.GSIConstants.CertificateType#GSI_3_INDEPENDENT_PROXY GSIConstants.CertificateType.GSI_3_INDEPENDENT_PROXY},
 *            {@link org.globus.gsi.GSIConstants.CertificateType#GSI_3_RESTRICTED_PROXY GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY},
 *            {@link org.globus.gsi.GSIConstants.CertificateType#GSI_4_IMPERSONATION_PROXY GSIConstants.CertificateType.GSI_4_IMPERSONATION_PROXY},
 *            {@link org.globus.gsi.GSIConstants.CertificateType#GSI_4_LIMITED_PROXY GSIConstants.CertificateType.GSI_4_LIMITED_PROXY},
 *            {@link org.globus.gsi.GSIConstants.CertificateType#GSI_4_INDEPENDENT_PROXY GSIConstants.CertificateType.GSI_4_INDEPENDENT_PROXY},
 *            {@link org.globus.gsi.GSIConstants.CertificateType#GSI_4_RESTRICTED_PROXY GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY}.
 *
 * @param extSet
 *            a set of X.509 extensions to be included in the new proxy certificate. Can be null. If
 *            delegation mode is {@link org.globus.gsi.GSIConstants.CertificateType#GSI_3_RESTRICTED_PROXY
 *            GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY} or {@link org.globus.gsi.GSIConstants.CertificateType#GSI_4_RESTRICTED_PROXY
 *            GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY} then
 *            {@link org.globus.gsi.proxy.ext.ProxyCertInfoExtension ProxyCertInfoExtension} must be
 *            present in the extension set.
 *
 * @param cnValue
 *            the value of the CN component of the subject of the new certificate. If null, the defaults
 *            will be used depending on the proxy certificate type created.
 * @return <code>X509Certificate</code> the new proxy certificate.
 * @exception GeneralSecurityException
 *                if a security error occurs.
 */
public X509Certificate createProxyCertificate(X509Certificate issuerCert_, PrivateKey issuerKey, PublicKey publicKey, int lifetime, GSIConstants.CertificateType certType, X509ExtensionSet extSet, String cnValue) throws GeneralSecurityException {
    X509Certificate issuerCert = issuerCert_;
    if (!(issuerCert_ instanceof X509CertificateObject)) {
        issuerCert = CertificateLoadUtil.loadCertificate(new ByteArrayInputStream(issuerCert.getEncoded()));
    }
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    org.globus.gsi.X509Extension x509Ext = null;
    BigInteger serialNum = null;
    String delegDN = null;
    if (ProxyCertificateUtil.isGsi3Proxy(certType) || ProxyCertificateUtil.isGsi4Proxy(certType)) {
        // NOTE: java.util.Random is not a cryptographically strong generator;
        // SecureRandom would be the safer choice for certificate serial numbers.
        Random rand = new Random();
        delegDN = String.valueOf(Math.abs(rand.nextInt()));
        serialNum = new BigInteger(20, rand);
        if (extSet != null) {
            x509Ext = extSet.get(ProxyCertInfo.OID.getId());
            if (x509Ext == null) {
                x509Ext = extSet.get(ProxyCertInfo.OLD_OID.getId());
            }
        }
        if (x509Ext == null) {
            // create ProxyCertInfo extension
            ProxyPolicy policy = null;
            if (ProxyCertificateUtil.isLimitedProxy(certType)) {
                policy = new ProxyPolicy(ProxyPolicy.LIMITED);
            } else if (ProxyCertificateUtil.isIndependentProxy(certType)) {
                policy = new ProxyPolicy(ProxyPolicy.INDEPENDENT);
            } else if (ProxyCertificateUtil.isImpersonationProxy(certType)) {
                // since limited has already been checked, this should work.
                policy = new ProxyPolicy(ProxyPolicy.IMPERSONATION);
            } else if ((certType == GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY) || (certType == GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY)) {
                String err = i18n.getMessage("restrictProxy");
                throw new IllegalArgumentException(err);
            } else {
                String err = i18n.getMessage("invalidProxyType");
                throw new IllegalArgumentException(err);
            }
            ProxyCertInfo proxyCertInfo = new ProxyCertInfo(policy);
            x509Ext = new ProxyCertInfoExtension(proxyCertInfo);
            if (ProxyCertificateUtil.isGsi4Proxy(certType)) {
                // RFC compliant OID
                x509Ext = new ProxyCertInfoExtension(proxyCertInfo);
            } else {
                // old OID
                x509Ext = new GlobusProxyCertInfoExtension(proxyCertInfo);
            }
        }
        try {
            // add ProxyCertInfo extension to the new cert
            certGen.addExtension(x509Ext.getOid(), x509Ext.isCritical(), x509Ext.getValue());
            // handle KeyUsage in issuer cert
            TBSCertificateStructure crt = BouncyCastleUtil.getTBSCertificateStructure(issuerCert);
            X509Extensions extensions = crt.getExtensions();
            if (extensions != null) {
                X509Extension ext;
                // handle key usage ext
                ext = extensions.getExtension(X509Extension.keyUsage);
                if (ext != null) {
                    // TBD: handle this better
                    if (extSet != null && (extSet.get(X509Extension.keyUsage.getId()) != null)) {
                        String err = i18n.getMessage("keyUsageExt");
                        throw new GeneralSecurityException(err);
                    }
                    DERBitString bits = (DERBitString) BouncyCastleUtil.getExtensionObject(ext);
                    byte[] bytes = bits.getBytes();
                    // make sure they are disabled
                    if ((bytes[0] & KeyUsage.nonRepudiation) != 0) {
                        bytes[0] ^= KeyUsage.nonRepudiation;
                    }
                    if ((bytes[0] & KeyUsage.keyCertSign) != 0) {
                        bytes[0] ^= KeyUsage.keyCertSign;
                    }
                    bits = new DERBitString(bytes, bits.getPadBits());
                    certGen.addExtension(X509Extension.keyUsage, ext.isCritical(), bits);
                }
            }
        } catch (IOException e) {
            // but this should not happen
            throw new GeneralSecurityException(e.getMessage());
        }
    } else if (certType == GSIConstants.CertificateType.GSI_2_LIMITED_PROXY) {
        delegDN = "limited proxy";
        serialNum = issuerCert.getSerialNumber();
    } else if (certType == GSIConstants.CertificateType.GSI_2_PROXY) {
        delegDN = "proxy";
        serialNum = issuerCert.getSerialNumber();
    } else {
        String err = i18n.getMessage("unsupportedProxy", certType);
        throw new IllegalArgumentException(err);
    }
    // add specified extensions
    if (extSet != null) {
        Iterator iter = extSet.oidSet().iterator();
        while (iter.hasNext()) {
            String oid = (String) iter.next();
            // skip ProxyCertInfo extension
            if (oid.equals(ProxyCertInfo.OID.getId()) || oid.equals(ProxyCertInfo.OLD_OID.getId())) {
                continue;
            }
            x509Ext = (org.globus.gsi.X509Extension) extSet.get(oid);
            certGen.addExtension(x509Ext.getOid(), x509Ext.isCritical(), x509Ext.getValue());
        }
    }
    X509Name issuerDN;
    if (issuerCert.getSubjectDN() instanceof X509Name) {
        issuerDN = (X509Name) issuerCert.getSubjectDN();
    } else {
        issuerDN = new X509Name(true, issuerCert.getSubjectX500Principal().getName());
    }
    X509NameHelper issuer = new X509NameHelper(issuerDN);
    X509NameHelper subject = new X509NameHelper(issuerDN);
    subject.add(BCStyle.CN, (cnValue == null) ? delegDN : cnValue);
    certGen.setSubjectDN(subject.getAsName());
    certGen.setIssuerDN(issuer.getAsName());
    certGen.setSerialNumber(serialNum);
    certGen.setPublicKey(publicKey);
    certGen.setSignatureAlgorithm(issuerCert.getSigAlgName());
    GregorianCalendar date = new GregorianCalendar(TimeZone.getTimeZone("GMT"));
    /* Allow for a five minute clock skew here. */
    date.add(Calendar.MINUTE, -5);
    certGen.setNotBefore(date.getTime());
    /* If lifetime <= 0, the proxy expires together with the issuing certificate. */
    if (lifetime <= 0) {
        certGen.setNotAfter(issuerCert.getNotAfter());
    } else {
        date.add(Calendar.MINUTE, 5);
        date.add(Calendar.SECOND, lifetime);
        certGen.setNotAfter(date.getTime());
    }
    return certGen.generateX509Certificate(issuerKey);
}
Also used : X509Extension(org.bouncycastle.asn1.x509.X509Extension) X509Extensions(org.bouncycastle.asn1.x509.X509Extensions) DERBitString(org.bouncycastle.asn1.DERBitString) GlobusProxyCertInfoExtension(org.globus.gsi.proxy.ext.GlobusProxyCertInfoExtension) ProxyCertInfoExtension(org.globus.gsi.proxy.ext.ProxyCertInfoExtension) X509V3CertificateGenerator(org.bouncycastle.x509.X509V3CertificateGenerator) X509Name(org.bouncycastle.asn1.x509.X509Name) X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject) Random(java.util.Random) Iterator(java.util.Iterator) TBSCertificateStructure(org.bouncycastle.asn1.x509.TBSCertificateStructure) GlobusProxyCertInfoExtension(org.globus.gsi.proxy.ext.GlobusProxyCertInfoExtension) GeneralSecurityException(java.security.GeneralSecurityException) GregorianCalendar(java.util.GregorianCalendar) ProxyPolicy(org.globus.gsi.proxy.ext.ProxyPolicy) DERBitString(org.bouncycastle.asn1.DERBitString) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) ProxyCertInfo(org.globus.gsi.proxy.ext.ProxyCertInfo) ByteArrayInputStream(java.io.ByteArrayInputStream) BigInteger(java.math.BigInteger)

Example 47 with X509Extension

use of org.bouncycastle.asn1.x509.X509Extension in project Falcon-File-Transfer-Optimizer by arif-zaman.

the class BouncyCastleCertProcessingFactory method createProxyCertificate.

/**
 * Creates a proxy certificate. A set of X.509 extensions can be optionally included in the new proxy
 * certificate. <BR>
 * If a GSI-2 proxy is created, the serial number of the proxy certificate will be the same as of the
 * issuing certificate. Also, none of the extensions in the issuing certificate will be copied into the
 * proxy certificate.<BR>
 * If a GSI-3 or GSI 4 proxy is created, the serial number of the proxy certificate will be picked
 * randomly. If the issuing certificate contains a <i>KeyUsage</i> extension, the extension will be copied
 * into the proxy certificate with <i>keyCertSign</i> and <i>nonRepudiation</i> bits turned off. No other
 * extensions are currently copied.
 *
 * The method defaults to creating a GSI 4 proxy.
 *
 * @param issuerCert_
 *            the issuing certificate
 * @param issuerKey
 *            private key matching the public key of issuer certificate. The new proxy certificate will be
 *            signed by that key.
 * @param publicKey
 *            the public key of the new certificate
 * @param lifetime
 *            lifetime of the new certificate in seconds. If 0 (or less) the new certificate will
 *            have the same lifetime as the issuing certificate.
 * @param proxyType
 *            can be one of {@link GSIConstants#DELEGATION_LIMITED GSIConstants.DELEGATION_LIMITED},
 *            {@link GSIConstants#DELEGATION_FULL GSIConstants.DELEGATION_FULL},
 *
 *            {@link GSIConstants#GSI_2_LIMITED_PROXY GSIConstants.GSI_2_LIMITED_PROXY},
 *            {@link GSIConstants#GSI_2_PROXY GSIConstants.GSI_2_PROXY},
 *            {@link GSIConstants#GSI_3_IMPERSONATION_PROXY GSIConstants.GSI_3_IMPERSONATION_PROXY},
 *            {@link GSIConstants#GSI_3_LIMITED_PROXY GSIConstants.GSI_3_LIMITED_PROXY},
 *            {@link GSIConstants#GSI_3_INDEPENDENT_PROXY GSIConstants.GSI_3_INDEPENDENT_PROXY},
 *            {@link GSIConstants#GSI_3_RESTRICTED_PROXY GSIConstants.GSI_3_RESTRICTED_PROXY},
 *            {@link GSIConstants#GSI_4_IMPERSONATION_PROXY GSIConstants.GSI_4_IMPERSONATION_PROXY},
 *            {@link GSIConstants#GSI_4_LIMITED_PROXY GSIConstants.GSI_4_LIMITED_PROXY},
 *            {@link GSIConstants#GSI_4_INDEPENDENT_PROXY GSIConstants.GSI_4_INDEPENDENT_PROXY},
 *            {@link GSIConstants#GSI_4_RESTRICTED_PROXY GSIConstants.GSI_4_RESTRICTED_PROXY}.
 *
 *            If {@link GSIConstants#DELEGATION_LIMITED GSIConstants.DELEGATION_LIMITED} and if
 *            {@link VersionUtil#isGsi2Enabled() CertUtil.isGsi2Enabled} returns true then a GSI-2 limited
 *            proxy will be created. Else if {@link VersionUtil#isGsi3Enabled() CertUtil.isGsi3Enabled}
 *            returns true then a GSI-3 limited proxy will be created. If not, a GSI-4 limited proxy will
 *            be created.
 *
 *            If {@link GSIConstants#DELEGATION_FULL GSIConstants.DELEGATION_FULL} and if
 *            {@link VersionUtil#isGsi2Enabled() CertUtil.isGsi2Enabled} returns true then a GSI-2 full proxy
 *            will be created. Else if {@link VersionUtil#isGsi3Enabled() CertUtil.isGsi3Enabled} returns
 *            true then a GSI-3 full proxy will be created. If not, a GSI-4 full proxy will be created.
 *
 * @param extSet
 *            a set of X.509 extensions to be included in the new proxy certificate. Can be null. If
 *            delegation mode is {@link GSIConstants#GSI_3_RESTRICTED_PROXY
 *            GSIConstants.GSI_3_RESTRICTED_PROXY} or {@link GSIConstants#GSI_4_RESTRICTED_PROXY
 *            GSIConstants.GSI_4_RESTRICTED_PROXY} then
 *            {@link org.globus.gsi.proxy.ext.ProxyCertInfoExtension ProxyCertInfoExtension} must be
 *            present in the extension set.
 *
 * @param cnValue
 *            the value of the CN component of the subject of the new certificate. If null, the defaults
 *            will be used depending on the proxy certificate type created.
 * @return <code>X509Certificate</code> the new proxy certificate.
 * @exception GeneralSecurityException
 *                if a security error occurs.
 * @deprecated
 */
public X509Certificate createProxyCertificate(X509Certificate issuerCert_, PrivateKey issuerKey, PublicKey publicKey, int lifetime, int proxyType, X509ExtensionSet extSet, String cnValue) throws GeneralSecurityException {
    X509Certificate issuerCert = issuerCert_;
    if (!(issuerCert_ instanceof X509CertificateObject)) {
        issuerCert = CertificateLoadUtil.loadCertificate(new ByteArrayInputStream(issuerCert.getEncoded()));
    }
    if (proxyType == GSIConstants.DELEGATION_LIMITED) {
        GSIConstants.CertificateType type = BouncyCastleUtil.getCertificateType(issuerCert);
        if (ProxyCertificateUtil.isGsi4Proxy(type)) {
            proxyType = GSIConstants.GSI_4_LIMITED_PROXY;
        } else if (ProxyCertificateUtil.isGsi3Proxy(type)) {
            proxyType = GSIConstants.GSI_3_LIMITED_PROXY;
        } else if (ProxyCertificateUtil.isGsi2Proxy(type)) {
            proxyType = GSIConstants.GSI_2_LIMITED_PROXY;
        } else {
            // default to RFC compliant proxy
            if (VersionUtil.isGsi2Enabled()) {
                proxyType = GSIConstants.GSI_2_LIMITED_PROXY;
            } else {
                proxyType = VersionUtil.isGsi3Enabled() ? GSIConstants.GSI_3_LIMITED_PROXY : GSIConstants.GSI_4_LIMITED_PROXY;
            }
        }
    } else if (proxyType == GSIConstants.DELEGATION_FULL) {
        GSIConstants.CertificateType type = BouncyCastleUtil.getCertificateType(issuerCert);
        if (ProxyCertificateUtil.isGsi4Proxy(type)) {
            proxyType = GSIConstants.GSI_4_IMPERSONATION_PROXY;
        } else if (ProxyCertificateUtil.isGsi3Proxy(type)) {
            proxyType = GSIConstants.GSI_3_IMPERSONATION_PROXY;
        } else if (ProxyCertificateUtil.isGsi2Proxy(type)) {
            proxyType = GSIConstants.GSI_2_PROXY;
        } else {
            // Default to RFC compliant proxy
            if (VersionUtil.isGsi2Enabled()) {
                proxyType = GSIConstants.GSI_2_PROXY;
            } else {
                proxyType = (VersionUtil.isGsi3Enabled()) ? GSIConstants.GSI_3_IMPERSONATION_PROXY : GSIConstants.GSI_4_IMPERSONATION_PROXY;
            }
        }
    }
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    org.globus.gsi.X509Extension x509Ext = null;
    BigInteger serialNum = null;
    String delegDN = null;
    if (ProxyCertificateUtil.isGsi3Proxy(GSIConstants.CertificateType.get(proxyType)) || ProxyCertificateUtil.isGsi4Proxy(GSIConstants.CertificateType.get(proxyType))) {
        // NOTE: java.util.Random is not a cryptographically strong generator;
        // SecureRandom would be the safer choice for certificate serial numbers.
        Random rand = new Random();
        delegDN = String.valueOf(Math.abs(rand.nextInt()));
        serialNum = new BigInteger(20, rand);
        if (extSet != null) {
            x509Ext = extSet.get(ProxyCertInfo.OID.getId());
            if (x509Ext == null) {
                x509Ext = extSet.get(ProxyCertInfo.OLD_OID.getId());
            }
        }
        if (x509Ext == null) {
            // create ProxyCertInfo extension
            ProxyPolicy policy = null;
            if (ProxyCertificateUtil.isLimitedProxy(GSIConstants.CertificateType.get(proxyType))) {
                policy = new ProxyPolicy(ProxyPolicy.LIMITED);
            } else if (ProxyCertificateUtil.isIndependentProxy(GSIConstants.CertificateType.get(proxyType))) {
                policy = new ProxyPolicy(ProxyPolicy.INDEPENDENT);
            } else if (ProxyCertificateUtil.isImpersonationProxy(GSIConstants.CertificateType.get(proxyType))) {
                // since limited has already been checked, this should work.
                policy = new ProxyPolicy(ProxyPolicy.IMPERSONATION);
            } else if ((proxyType == GSIConstants.GSI_3_RESTRICTED_PROXY) || (proxyType == GSIConstants.GSI_4_RESTRICTED_PROXY)) {
                String err = i18n.getMessage("restrictProxy");
                throw new IllegalArgumentException(err);
            } else {
                String err = i18n.getMessage("invalidProxyType");
                throw new IllegalArgumentException(err);
            }
            ProxyCertInfo proxyCertInfo = new ProxyCertInfo(policy);
            x509Ext = new ProxyCertInfoExtension(proxyCertInfo);
            if (ProxyCertificateUtil.isGsi4Proxy(GSIConstants.CertificateType.get(proxyType))) {
                // RFC compliant OID
                x509Ext = new ProxyCertInfoExtension(proxyCertInfo);
            } else {
                // old OID
                x509Ext = new GlobusProxyCertInfoExtension(proxyCertInfo);
            }
        }
        try {
            // add ProxyCertInfo extension to the new cert
            certGen.addExtension(x509Ext.getOid(), x509Ext.isCritical(), x509Ext.getValue());
            // handle KeyUsage in issuer cert
            TBSCertificateStructure crt = BouncyCastleUtil.getTBSCertificateStructure(issuerCert);
            X509Extensions extensions = crt.getExtensions();
            if (extensions != null) {
                X509Extension ext;
                // handle key usage ext
                ext = extensions.getExtension(X509Extension.keyUsage);
                if (ext != null) {
                    // TBD: handle this better
                    if (extSet != null && (extSet.get(X509Extension.keyUsage.getId()) != null)) {
                        String err = i18n.getMessage("keyUsageExt");
                        throw new GeneralSecurityException(err);
                    }
                    DERBitString bits = (DERBitString) BouncyCastleUtil.getExtensionObject(ext);
                    byte[] bytes = bits.getBytes();
                    // make sure they are disabled
                    if ((bytes[0] & KeyUsage.nonRepudiation) != 0) {
                        bytes[0] ^= KeyUsage.nonRepudiation;
                    }
                    if ((bytes[0] & KeyUsage.keyCertSign) != 0) {
                        bytes[0] ^= KeyUsage.keyCertSign;
                    }
                    bits = new DERBitString(bytes, bits.getPadBits());
                    certGen.addExtension(X509Extension.keyUsage, ext.isCritical(), bits);
                }
            }
        } catch (IOException e) {
            // but this should not happen
            throw new GeneralSecurityException(e.getMessage());
        }
    } else if (proxyType == GSIConstants.GSI_2_LIMITED_PROXY) {
        delegDN = "limited proxy";
        serialNum = issuerCert.getSerialNumber();
    } else if (proxyType == GSIConstants.GSI_2_PROXY) {
        delegDN = "proxy";
        serialNum = issuerCert.getSerialNumber();
    } else {
        String err = i18n.getMessage("unsupportedProxy", Integer.toString(proxyType));
        throw new IllegalArgumentException(err);
    }
    // add specified extensions
    if (extSet != null) {
        Iterator iter = extSet.oidSet().iterator();
        while (iter.hasNext()) {
            String oid = (String) iter.next();
            // skip ProxyCertInfo extension
            if (oid.equals(ProxyCertInfo.OID.getId()) || oid.equals(ProxyCertInfo.OLD_OID.getId())) {
                continue;
            }
            x509Ext = (org.globus.gsi.X509Extension) extSet.get(oid);
            certGen.addExtension(x509Ext.getOid(), x509Ext.isCritical(), x509Ext.getValue());
        }
    }
    X509Name issuerDN;
    if (issuerCert.getSubjectDN() instanceof X509Name) {
        issuerDN = (X509Name) issuerCert.getSubjectDN();
    } else {
        issuerDN = new X509Name(true, issuerCert.getSubjectX500Principal().getName());
    }
    X509NameHelper issuer = new X509NameHelper(issuerDN);
    X509NameHelper subject = new X509NameHelper(issuerDN);
    subject.add(BCStyle.CN, (cnValue == null) ? delegDN : cnValue);
    certGen.setSubjectDN(subject.getAsName());
    certGen.setIssuerDN(issuer.getAsName());
    certGen.setSerialNumber(serialNum);
    certGen.setPublicKey(publicKey);
    certGen.setSignatureAlgorithm(issuerCert.getSigAlgName());
    GregorianCalendar date = new GregorianCalendar(TimeZone.getTimeZone("GMT"));
    /* Allow for a five minute clock skew here. */
    date.add(Calendar.MINUTE, -5);
    certGen.setNotBefore(date.getTime());
    /* If lifetime <= 0, the proxy expires together with the issuing certificate. */
    if (lifetime <= 0) {
        certGen.setNotAfter(issuerCert.getNotAfter());
    } else {
        date.add(Calendar.MINUTE, 5);
        date.add(Calendar.SECOND, lifetime);
        certGen.setNotAfter(date.getTime());
    }
    return certGen.generateX509Certificate(issuerKey);
}
Also used : X509Extension(org.bouncycastle.asn1.x509.X509Extension) X509Extensions(org.bouncycastle.asn1.x509.X509Extensions) DERBitString(org.bouncycastle.asn1.DERBitString) GlobusProxyCertInfoExtension(org.globus.gsi.proxy.ext.GlobusProxyCertInfoExtension) ProxyCertInfoExtension(org.globus.gsi.proxy.ext.ProxyCertInfoExtension) GSIConstants(org.globus.gsi.GSIConstants) X509V3CertificateGenerator(org.bouncycastle.x509.X509V3CertificateGenerator) X509Name(org.bouncycastle.asn1.x509.X509Name) X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject) Random(java.util.Random) Iterator(java.util.Iterator) TBSCertificateStructure(org.bouncycastle.asn1.x509.TBSCertificateStructure) GlobusProxyCertInfoExtension(org.globus.gsi.proxy.ext.GlobusProxyCertInfoExtension) GeneralSecurityException(java.security.GeneralSecurityException) GregorianCalendar(java.util.GregorianCalendar) ProxyPolicy(org.globus.gsi.proxy.ext.ProxyPolicy) DERBitString(org.bouncycastle.asn1.DERBitString) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) ProxyCertInfo(org.globus.gsi.proxy.ext.ProxyCertInfo) ByteArrayInputStream(java.io.ByteArrayInputStream) BigInteger(java.math.BigInteger)

Example 48 with X509Extension

use of org.bouncycastle.asn1.x509.X509Extension in project Falcon-File-Transfer-Optimizer by arif-zaman.

the class BouncyCastleUtil method getCertificateType.

/**
 * Returns certificate type of the given TBS certificate. <BR>
 * The certificate type is {@link GSIConstants#CA GSIConstants.CA}
 * <B>only</B> if the certificate contains a
 * BasicConstraints extension and it is marked as CA.<BR>
 * A certificate is a GSI-2 proxy when the subject DN of the certificate
 * ends with <I>"CN=proxy"</I> (certificate type {@link
 * GSIConstants#GSI_2_PROXY GSIConstants.GSI_2_PROXY}) or
 * <I>"CN=limited proxy"</I> (certificate type {@link
 * GSIConstants#GSI_2_LIMITED_PROXY GSIConstants.GSI_2_LIMITED_PROXY}) component
 * and the issuer DN of the certificate matches the subject DN without
 * the last proxy <I>CN</I> component.<BR>
 * A certificate is a GSI-3 proxy when the subject DN of the certificate
 * ends with a <I>CN</I> component, the issuer DN of the certificate
 * matches the subject DN without the last <I>CN</I> component and
 * the certificate contains {@link ProxyCertInfo ProxyCertInfo} critical
 * extension.
 * The certificate type is {@link GSIConstants#GSI_3_IMPERSONATION_PROXY
 * GSIConstants.GSI_3_IMPERSONATION_PROXY} if the policy language of
 * the {@link ProxyCertInfo ProxyCertInfo} extension is set to
 * {@link ProxyPolicy#IMPERSONATION ProxyPolicy.IMPERSONATION} OID.
 * The certificate type is {@link GSIConstants#GSI_3_LIMITED_PROXY
 * GSIConstants.GSI_3_LIMITED_PROXY} if the policy language of
 * the {@link ProxyCertInfo ProxyCertInfo} extension is set to
 * {@link ProxyPolicy#LIMITED ProxyPolicy.LIMITED} OID.
 * The certificate type is {@link GSIConstants#GSI_3_INDEPENDENT_PROXY
 * GSIConstants.GSI_3_INDEPENDENT_PROXY} if the policy language of
 * the {@link ProxyCertInfo ProxyCertInfo} extension is set to
 * {@link ProxyPolicy#INDEPENDENT ProxyPolicy.INDEPENDENT} OID.
 * The certificate type is {@link GSIConstants#GSI_3_RESTRICTED_PROXY
 * GSIConstants.GSI_3_RESTRICTED_PROXY} if the policy language of
 * the {@link ProxyCertInfo ProxyCertInfo} extension is set to
 * any other OID than the above.<BR>
 * The certificate type is {@link GSIConstants#EEC GSIConstants.EEC}
 * if the certificate is not a CA certificate or a GSI-2 or GSI-3 proxy.
 *
 * @param crt the TBS certificate to get the type of.
 * @return the certificate type. The certificate type is determined
 *         by rules described above.
 * @exception IOException if something goes wrong.
 * @exception CertificateException for proxy certificates, if
 *            the issuer DN of the certificate does not match
 *            the subject DN of the certificate without the
 *            last <I>CN</I> component. Also, for GSI-3 proxies
 *            when the <code>ProxyCertInfo</code> extension is
 *            not marked as critical.
 */
private static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt) throws CertificateException, IOException {
    X509Extensions extensions = crt.getExtensions();
    X509Extension ext = null;
    if (extensions != null) {
        ext = extensions.getExtension(X509Extension.basicConstraints);
        if (ext != null) {
            BasicConstraints basicExt = BasicConstraints.getInstance(ext);
            if (basicExt.isCA()) {
                return GSIConstants.CertificateType.CA;
            }
        }
    }
    GSIConstants.CertificateType type = GSIConstants.CertificateType.EEC;
    // does not handle multiple AVAs
    X500Name subject = crt.getSubject();
    ASN1Set entry = X509NameHelper.getLastNameEntry(subject);
    ASN1Sequence ava = (ASN1Sequence) entry.getObjectAt(0);
    if (BCStyle.CN.equals(ava.getObjectAt(0))) {
        String value = ((ASN1String) ava.getObjectAt(1)).getString();
        if (value.equalsIgnoreCase("proxy")) {
            type = GSIConstants.CertificateType.GSI_2_PROXY;
        } else if (value.equalsIgnoreCase("limited proxy")) {
            type = GSIConstants.CertificateType.GSI_2_LIMITED_PROXY;
        } else if (extensions != null) {
            boolean gsi4 = true;
            // GSI_4
            ext = extensions.getExtension(ProxyCertInfo.OID);
            if (ext == null) {
                // GSI_3
                ext = extensions.getExtension(ProxyCertInfo.OLD_OID);
                gsi4 = false;
            }
            if (ext != null) {
                if (ext.isCritical()) {
                    ProxyCertInfo proxyCertExt = getProxyCertInfo(ext);
                    ProxyPolicy proxyPolicy = proxyCertExt.getProxyPolicy();
                    ASN1ObjectIdentifier oid = proxyPolicy.getPolicyLanguage();
                    if (ProxyPolicy.IMPERSONATION.equals(oid)) {
                        if (gsi4) {
                            type = GSIConstants.CertificateType.GSI_4_IMPERSONATION_PROXY;
                        } else {
                            type = GSIConstants.CertificateType.GSI_3_IMPERSONATION_PROXY;
                        }
                    } else if (ProxyPolicy.INDEPENDENT.equals(oid)) {
                        if (gsi4) {
                            type = GSIConstants.CertificateType.GSI_4_INDEPENDENT_PROXY;
                        } else {
                            type = GSIConstants.CertificateType.GSI_3_INDEPENDENT_PROXY;
                        }
                    } else if (ProxyPolicy.LIMITED.equals(oid)) {
                        if (gsi4) {
                            type = GSIConstants.CertificateType.GSI_4_LIMITED_PROXY;
                        } else {
                            type = GSIConstants.CertificateType.GSI_3_LIMITED_PROXY;
                        }
                    } else {
                        if (gsi4) {
                            type = GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY;
                        } else {
                            type = GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY;
                        }
                    }
                } else {
                    String err = i18n.getMessage("proxyCertCritical");
                    throw new CertificateException(err);
                }
            }
        }
        if (ProxyCertificateUtil.isProxy(type)) {
            X509NameHelper iss = new X509NameHelper(crt.getIssuer());
            iss.add((ASN1Set) BouncyCastleUtil.duplicate(entry));
            X509Name issuer = iss.getAsName();
            if (!issuer.equals(X509Name.getInstance(subject))) {
                String err = i18n.getMessage("proxyDNErr");
                throw new CertificateException(err);
            }
        }
    }
    return type;
}
Also used : X509Extension(org.bouncycastle.asn1.x509.X509Extension) ProxyPolicy(org.globus.gsi.proxy.ext.ProxyPolicy) X509Extensions(org.bouncycastle.asn1.x509.X509Extensions) CertificateException(java.security.cert.CertificateException) X500Name(org.bouncycastle.asn1.x500.X500Name) DERBitString(org.bouncycastle.asn1.DERBitString) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) ASN1String(org.bouncycastle.asn1.ASN1String) ProxyCertInfo(org.globus.gsi.proxy.ext.ProxyCertInfo) GSIConstants(org.globus.gsi.GSIConstants) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) X509Name(org.bouncycastle.asn1.x509.X509Name) ASN1Set(org.bouncycastle.asn1.ASN1Set) ASN1String(org.bouncycastle.asn1.ASN1String) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
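The classification rules in the Javadoc above, reimplemented in Python as an added example (not the project's code) over a constructed certificate record: `Cert`, `ProxyCertInfo` and the RDN-list DN model are assumptions, and the OIDs are the RFC 3820 and Globus values as I know them, not taken from the page. It keeps the two rejection paths of the Java method: a non-critical ProxyCertInfo and an issuer DN that is not the subject DN minus its last CN.

```python
"""Proxy-certificate classification in the spirit of BouncyCastleUtil.getCertificateType."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type, value), one AVA per RDN, e.g. ("CN", "proxy")

# OIDs from RFC 3820 and the pre-RFC Globus proxy format (assumed here, not from the page).
PROXY_CERT_INFO_OID = "1.3.6.1.5.5.7.1.14"          # ProxyCertInfo.OID (RFC 3820)
PROXY_CERT_INFO_OLD_OID = "1.3.6.1.4.1.3536.1.222"  # ProxyCertInfo.OLD_OID (Globus, GSI-3)
POLICY_IMPERSONATION = "1.3.6.1.5.5.7.21.1"         # ProxyPolicy.IMPERSONATION
POLICY_INDEPENDENT = "1.3.6.1.5.5.7.21.2"           # ProxyPolicy.INDEPENDENT
POLICY_LIMITED = "1.3.6.1.4.1.3536.1.1.1.9"         # ProxyPolicy.LIMITED


@dataclass
class ProxyCertInfo:
    oid: str            # which ProxyCertInfo extension OID the certificate carries
    critical: bool      # the extension's criticality flag
    policy_language: str


@dataclass
class Cert:
    """Constructed stand-in for the TBSCertificate fields the Java method reads."""
    subject: List[RDN]
    issuer: List[RDN]
    is_ca: bool = False                        # BasicConstraints cA flag
    proxy_info: Optional[ProxyCertInfo] = None


class CertificateException(Exception):
    pass


def certificate_type(crt: Cert) -> str:
    """Return CA, EEC, GSI_2_*_PROXY or GSI_{3,4}_{kind}_PROXY, as the Java method does."""
    if crt.is_ca:
        return "CA"
    ctype = "EEC"
    if not crt.subject or crt.subject[-1][0] != "CN":
        return ctype
    value = crt.subject[-1][1]
    if value.lower() == "proxy":
        ctype = "GSI_2_PROXY"
    elif value.lower() == "limited proxy":
        ctype = "GSI_2_LIMITED_PROXY"
    elif crt.proxy_info is not None:
        info = crt.proxy_info
        gen = {PROXY_CERT_INFO_OID: "GSI_4", PROXY_CERT_INFO_OLD_OID: "GSI_3"}.get(info.oid)
        if gen is not None:
            if not info.critical:
                # Java: i18n "proxyCertCritical"
                raise CertificateException("ProxyCertInfo extension must be critical")
            kind = {POLICY_IMPERSONATION: "IMPERSONATION",
                    POLICY_INDEPENDENT: "INDEPENDENT",
                    POLICY_LIMITED: "LIMITED"}.get(info.policy_language, "RESTRICTED")
            ctype = f"{gen}_{kind}_PROXY"
    if ctype != "EEC":
        # For any proxy, the issuer DN must equal the subject DN without its final CN;
        # this is what binds the proxy to the certificate that signed it.
        if crt.issuer + [crt.subject[-1]] != crt.subject:
            # Java: i18n "proxyDNErr"
            raise CertificateException("issuer DN does not match subject DN minus last CN")
    return ctype
```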

Example 49 with X509Extension

use of org.bouncycastle.asn1.x509.X509Extension in project Falcon-File-Transfer-Optimizer by arif-zaman.

the class BouncyCastleUtil method getKeyUsage.

/**
 * Gets a boolean array representing bits of the KeyUsage extension.
 *
 * @see java.security.cert.X509Certificate#getKeyUsage
 * @exception IOException if failed to extract the KeyUsage extension value.
 */
public static boolean[] getKeyUsage(X509Extension ext) throws IOException {
    DERBitString bits = (DERBitString) getExtensionObject(ext);
    // copied from X509CertificateObject
    byte[] bytes = bits.getBytes();
    int length = (bytes.length * 8) - bits.getPadBits();
    boolean[] keyUsage = new boolean[(length < 9) ? 9 : length];
    for (int i = 0; i != length; i++) {
        keyUsage[i] = (bytes[i / 8] & (0x80 >>> (i % 8))) != 0;
    }
    return keyUsage;
}
Also used : DERBitString(org.bouncycastle.asn1.DERBitString)
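The KeyUsage handling in Examples 46 and 49, redone in Python as an added example (not the project's code): a minimal DER BIT STRING codec, the same bit-to-boolean mapping as `BouncyCastleUtil.getKeyUsage`, and the clearing of `keyCertSign` and `nonRepudiation` that `createProxyCertificate` applies before copying the extension into a proxy. The sample encodings in the test are constructed; the bit masks are Bouncy Castle's `KeyUsage` constants.

```python
"""KeyUsage BIT STRING handling as done in the Java snippets above, in Python."""
from typing import List, Tuple

# RFC 5280 KeyUsage bit names, numbered from the most significant bit of the first
# content byte, which is the order X509Certificate.getKeyUsage() returns them in.
KEY_USAGE_NAMES = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
# Masks on the first content byte, matching Bouncy Castle's KeyUsage constants.
NON_REPUDIATION = 1 << 6   # KeyUsage.nonRepudiation
KEY_CERT_SIGN = 1 << 2     # KeyUsage.keyCertSign


def parse_bit_string(der: bytes) -> Tuple[bytes, int]:
    """Parse a DER BIT STRING (tag 0x03, short-form length) into (content, pad bits)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    pad_bits = der[2]
    if pad_bits > 7:
        raise ValueError("invalid pad bit count")
    content = der[3:]
    if not content and pad_bits:
        raise ValueError("pad bits without content")
    return content, pad_bits


def encode_bit_string(content: bytes, pad_bits: int) -> bytes:
    """Inverse of parse_bit_string; DER requires the unused trailing bits to be zero."""
    if content:
        content = content[:-1] + bytes([content[-1] & (0xFF << pad_bits) & 0xFF])
    body = bytes([pad_bits]) + content
    return bytes([0x03, len(body)]) + body


def key_usage_bits(der: bytes) -> List[bool]:
    """Same result as BouncyCastleUtil.getKeyUsage: one boolean per bit, at least 9 entries."""
    content, pad_bits = parse_bit_string(der)
    length = len(content) * 8 - pad_bits
    bits = [False] * max(9, length)
    for i in range(length):
        bits[i] = (content[i // 8] & (0x80 >> (i % 8))) != 0
    return bits


def key_usage_names(der: bytes) -> List[str]:
    """Names of the set bits, for readable assertions and logging."""
    return [name for name, on in zip(KEY_USAGE_NAMES, key_usage_bits(der)) if on]


def strip_proxy_key_usage(der: bytes) -> bytes:
    """Clear keyCertSign and nonRepudiation as createProxyCertificate does.

    Both bits live in the first content byte, which is why the Java code only
    touches bytes[0]; the pad-bit count is carried over unchanged.
    """
    content, pad_bits = parse_bit_string(der)
    if not content:
        return der
    first = content[0] & ~(NON_REPUDIATION | KEY_CERT_SIGN) & 0xFF
    return encode_bit_string(bytes([first]) + content[1:], pad_bits)
```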

Example 50 with X509Extension

use of org.bouncycastle.asn1.x509.X509Extension in project Falcon-File-Transfer-Optimizer by arif-zaman.

the class CertificateUtil method getKeyUsage.

public static EnumSet<KeyUsage> getKeyUsage(TBSCertificateStructure crt) throws IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions == null) {
        return null;
    }
    X509Extension extension = extensions.getExtension(X509Extension.keyUsage);
    return (extension != null) ? getKeyUsage(extension) : null;
}
Also used : X509Extension(org.bouncycastle.asn1.x509.X509Extension) X509Extensions(org.bouncycastle.asn1.x509.X509Extensions)
