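/**
 * Decodes the KeyUsage extension into the set of {@link KeyUsage} bits that are asserted.
 *
 * @param ext the extension whose value is the KeyUsage BIT STRING
 * @return the key-usage bits that are set; an empty set if none are
 * @throws IOException if the extension value cannot be extracted, or if the decoded value
 *                     is not a BIT STRING (malformed or mis-identified extension)
 * @see java.security.cert.X509Certificate#getKeyUsage
 */
public static EnumSet<KeyUsage> getKeyUsage(X509Extension ext) throws IOException {
    Object decoded = getExtensionObject(ext);
    // KeyUsage is defined as a BIT STRING. The extension comes from an untrusted
    // certificate, so report a wrong type as a parse error instead of letting an
    // unchecked ClassCastException escape to the caller.
    if (!(decoded instanceof DERBitString)) {
        throw new IOException("KeyUsage extension value is not a BIT STRING: "
                + (decoded == null ? "null" : decoded.getClass().getName()));
    }
    DERBitString bits = (DERBitString) decoded;
    EnumSet<KeyUsage> keyUsage = EnumSet.noneOf(KeyUsage.class);
    for (KeyUsage bit : KeyUsage.values()) {
        if (bit.isSet(bits)) {
            keyUsage.add(bit);
        }
    }
    return keyUsage;
}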
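/**
 * Returns the CA path-length constraint carried by the certificate's BasicConstraints extension.
 *
 * @param crt the TBS certificate to inspect
 * @return the pathLenConstraint value; {@link Integer#MAX_VALUE} when the certificate is a CA
 *         with no explicit limit (or a limit too large for an {@code int}); {@code -1} when the
 *         certificate has no extensions, no BasicConstraints extension, or is not marked as a CA
 * @throws IOException if the BasicConstraints extension cannot be decoded
 */
public static int getCAPathConstraint(TBSCertificateStructure crt) throws IOException {
    X509Extensions extensions = crt.getExtensions();
    if (extensions == null) {
        return -1;
    }
    X509Extension basicConstraintsExt = extensions.getExtension(X509Extension.basicConstraints);
    if (basicConstraintsExt == null) {
        return -1;
    }
    BasicConstraints basicExt = getBasicConstraints(basicConstraintsExt);
    if (!basicExt.isCA()) {
        return -1;
    }
    BigInteger pathLen = basicExt.getPathLenConstraint();
    if (pathLen == null) {
        // cA=TRUE without a pathLenConstraint means the chain depth is unbounded.
        return Integer.MAX_VALUE;
    }
    // BigInteger.intValue() silently wraps values wider than 31 bits, so an oversized
    // (malformed) constraint could come back negative and read like "not a CA" to callers.
    // Clamp to MAX_VALUE instead, which is the same meaning as "no limit".
    if (pathLen.compareTo(BigInteger.valueOf(Integer.MAX_VALUE)) > 0) {
        return Integer.MAX_VALUE;
    }
    return pathLen.intValue();
}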
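/**
 * Classifies a certificate whose last subject RDN is a CN component.
 *
 * <p>A CN value of {@code "proxy"} or {@code "limited proxy"} (case-insensitive) yields the
 * GSI-2 proxy types directly, without looking at extensions. Otherwise, when a ProxyCertInfo
 * extension is present under {@link ProxyCertInfo#OID} (GSI-4) or
 * {@link ProxyCertInfo#OLD_OID} (GSI-3), it must be critical and is handed to
 * {@code processCriticalExtension} to determine the type. When neither applies, {@code type}
 * is returned unchanged.
 *
 * @param extensions the certificate's extensions; may be {@code null}
 * @param type       the type to fall back to when no proxy marker is found
 * @param ava        the CN attribute-value pair (type OID at index 0, value at index 1)
 * @return the determined certificate type
 * @throws CertificateException if the CN value is not a string type, or if a ProxyCertInfo
 *                              extension is present but not marked critical
 */
private static GSIConstants.CertificateType processCN(X509Extensions extensions, GSIConstants.CertificateType type, ASN1Sequence ava) throws CertificateException {
    if (ava.size() < 2) {
        throw new CertificateException("CN attribute-value pair has no value component");
    }
    Object cnValue = ava.getObjectAt(1);
    // The CN value comes straight from the (untrusted) certificate; reject a non-string
    // encoding as a certificate error rather than letting a ClassCastException escape.
    if (!(cnValue instanceof ASN1String)) {
        throw new CertificateException("CN attribute value is not a string type");
    }
    String value = ((ASN1String) cnValue).getString();
    if (value.equalsIgnoreCase("proxy")) {
        return GSIConstants.CertificateType.GSI_2_PROXY;
    }
    if (value.equalsIgnoreCase("limited proxy")) {
        return GSIConstants.CertificateType.GSI_2_LIMITED_PROXY;
    }
    if (extensions == null) {
        return type;
    }
    // Prefer the GSI-4 OID; fall back to the legacy GSI-3 OID.
    boolean gsi4 = true;
    X509Extension ext = extensions.getExtension(ProxyCertInfo.OID);
    if (ext == null) {
        ext = extensions.getExtension(ProxyCertInfo.OLD_OID);
        gsi4 = false;
    }
    if (ext == null) {
        return type;
    }
    if (!ext.isCritical()) {
        // ProxyCertInfo must be critical; a non-critical one is rejected outright.
        String err = "proxyCertCritical";
        throw new CertificateException(err);
    }
    return processCriticalExtension(ext, gsi4);
}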
/**
 * Determines the {@link org.globus.gsi.GSIConstants.CertificateType} of a TBS certificate.
 *
 * <p>The decision is made in this order:
 * <ol>
 *   <li>{@code CA} if the certificate carries a BasicConstraints extension with cA=TRUE.</li>
 *   <li>Otherwise the last RDN of the subject DN is examined (only its first AVA is
 *       considered; multi-valued RDNs are not handled). If that AVA is a CN, the result comes
 *       from {@code processCN}, which recognizes the GSI-2 {@code "proxy"} /
 *       {@code "limited proxy"} names and the GSI-3/GSI-4 ProxyCertInfo extension.</li>
 *   <li>{@code EEC} in every other case.</li>
 * </ol>
 *
 * @param crt the TBS certificate to classify
 * @return the certificate type determined by the rules above
 * @throws IOException          if the BasicConstraints extension cannot be decoded
 * @throws CertificateException if the CN-based classification fails, e.g. a ProxyCertInfo
 *                              extension that is present but not marked critical
 */
public static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt) throws CertificateException, IOException {
    X509Extensions extensions = crt.getExtensions();

    // A CA certificate is identified solely by BasicConstraints with cA=TRUE.
    if (extensions != null) {
        X509Extension basicConstraintsExt = extensions.getExtension(X509Extension.basicConstraints);
        if (basicConstraintsExt != null && getBasicConstraints(basicConstraintsExt).isCA()) {
            return GSIConstants.CertificateType.CA;
        }
    }

    // Only the last RDN of the subject is inspected, and only its first AVA
    // (multi-valued RDNs are not handled here).
    X500Name subject = crt.getSubject();
    ASN1Set lastRdn = X509NameHelper.getLastNameEntry(subject);
    ASN1Sequence ava = (ASN1Sequence) lastRdn.getObjectAt(0);

    GSIConstants.CertificateType defaultType = GSIConstants.CertificateType.EEC;
    if (!BCStyle.CN.equals(ava.getObjectAt(0))) {
        return defaultType;
    }
    return processCN(extensions, defaultType, ava);
}
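/**
 * Creates a GSI-3 restricted proxy from the test credential with three requested extensions
 * (an opaque private extension, a BasicConstraints extension, and a ProxyCertInfo carrying a
 * custom policy OID) and checks that the private extension and the ProxyCertInfo policy are
 * present in the issued certificate with the requested values.
 *
 * @throws Exception on any failure to load the credential or issue the proxy
 */
public void testResctrictedWithOtherExt() throws Exception {
    ClassLoader loader = BouncyCastleCertProcessingFactoryTest.class.getClassLoader();
    GlobusCredential cred = new GlobusCredential(loader.getResource(proxyFile).getPath());

    String oid = "1.2.3.4";
    String expectedValue = "foo";
    boolean critical = false;
    String policyOid = "1.2.3.4.5.6.7.8.9";
    String policyValue = "bar";

    X509ExtensionSet extSet = new X509ExtensionSet();

    // Opaque private extension. Encode with an explicit charset so the value that is
    // verified below does not depend on the JVM's platform default encoding.
    extSet.add(new X509Extension(oid, critical,
            expectedValue.getBytes(java.nio.charset.StandardCharsets.UTF_8)));

    // BasicConstraints with cA=FALSE and pathLenConstraint=15, requested as non-critical.
    DERSequence seq = new DERSequence(new ASN1Encodable[] { DERBoolean.FALSE, new ASN1Integer(15) });
    BasicConstraints constraints = BasicConstraints.getInstance(seq);
    extSet.add(new BouncyCastleX509Extension(
            org.bouncycastle.asn1.x509.X509Extension.basicConstraints.getId(), false, constraints));

    // ProxyCertInfo with a policy language that is neither impersonation nor limited,
    // i.e. a restricted proxy.
    ProxyPolicy policy = new ProxyPolicy(policyOid,
            policyValue.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    extSet.add(new ProxyCertInfoExtension(new ProxyCertInfo(policy)));

    GlobusCredential newCred = factory.createCredential(cred.getCertificateChain(), cred.getPrivateKey(),
            512, 60 * 60, GSIConstants.GSI_3_RESTRICTED_PROXY, extSet, null);
    X509Certificate newCert = newCred.getCertificateChain()[0];

    verifyExtension(newCert, oid, expectedValue, critical);

    byte[] realValue = BouncyCastleUtil.getExtensionValue(newCert, ProxyCertInfo.OID.getId());
    assertTrue(realValue != null && realValue.length > 0);

    ProxyCertInfo proxyCertInfo = ProxyCertInfo.getInstance(realValue);
    assertTrue(proxyCertInfo != null);
    assertTrue(proxyCertInfo.getProxyPolicy() != null);
    assertEquals(policyOid, proxyCertInfo.getProxyPolicy().getPolicyLanguage().getId());
    assertEquals(policyValue, proxyCertInfo.getProxyPolicy().getPolicyAsString());
}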