
Example 96 with Extension

use of org.gluu.oxtrust.model.scim2.Extension in project pdfbox by apache.

the class OcspHelper method generateOCSPRequest.

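/**
 * Generates an OCSP request and generates the <code>CertificateID</code>.
 * <p>
 * The request carries a fresh 16-byte nonce drawn from a cryptographic RNG. The nonce is
 * what later ties the OCSP response to this particular request, so it must not be
 * predictable or reused.
 *
 * @return OCSP request, ready to fetch data
 * @throws OCSPException if the request cannot be assembled
 * @throws IOException if the issuer certificate cannot be encoded, or the extension values
 * cannot be DER encoded
 */
private OCSPReq generateOCSPRequest() throws OCSPException, IOException {
    // addProvider() already ignores a provider that is installed; the guard only avoids
    // constructing a new BouncyCastleProvider on every call
    if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
        Security.addProvider(new BouncyCastleProvider());
    }
    // Generate the ID for the certificate we are looking for
    CertificateID certId;
    try {
        certId = new CertificateID(new SHA1DigestCalculator(), new JcaX509CertificateHolder(issuerCertificate), certificateToCheck.getSerialNumber());
    } catch (CertificateEncodingException e) {
        throw new IOException("Error creating CertificateID with the Certificate encoding", e);
    }
    OCSPReqBuilder builder = new OCSPReqBuilder();
    // ask the responder for a basic OCSP response
    Extension responseExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_response, true, new DLSequence(OCSPObjectIdentifiers.id_pkix_ocsp_basic).getEncoded());
    // The nonce is the replay protection for the response; java.util.Random is not a
    // cryptographic generator and its output can be predicted, so use SecureRandom.
    // Referenced by its qualified name because this block cannot add a file-level import.
    byte[] nonce = new byte[16];
    new java.security.SecureRandom().nextBytes(nonce);
    // Nonce ::= OCTET STRING, and extnValue is itself an OCTET STRING around its DER encoding,
    // hence the double wrapping
    encodedNonce = new DEROctetString(new DEROctetString(nonce));
    Extension nonceExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, encodedNonce);
    builder.setRequestExtensions(new Extensions(new Extension[] { responseExtension, nonceExtension }));
    builder.addRequest(certId);
    System.out.println("Nonce: " + Hex.getString(nonceExtension.getExtnValue().getEncoded()));
    return builder.build();
}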

Example 97 with Extension

use of org.gluu.oxtrust.model.scim2.Extension in project ddf by codice.

the class CertificateCommandTest method validateSans.

/**
 * Asserts that the certificate stored under {@code alias} carries exactly the
 * SubjectAlternativeName value that {@code expectedSanGeneralName} builds for it.
 *
 * @param ksf the key store file holding the entry under test
 * @param alias the entry alias; must denote a private key entry
 * @param withAdditionalSans whether the expected SAN includes the additional names
 * @throws Exception if the entry cannot be read or its certificate cannot be encoded
 */
private static void validateSans(KeyStoreFile ksf, String alias, boolean withAdditionalSans) throws Exception {
    final KeyStore.Entry entry = ksf.getEntry(alias);
    assertThat(entry, instanceOf(KeyStore.PrivateKeyEntry.class));
    final Certificate certificate = ((KeyStore.PrivateKeyEntry) entry).getCertificate();
    // re-parse with Bouncy Castle so the SAN extension can be read as ASN.1
    final X509CertificateHolder certHolder = new X509CertificateHolder(certificate.getEncoded());
    final Extension sanExtension = certHolder.getExtension(Extension.subjectAlternativeName);
    // compare the DER encodings, which are canonical, rather than the parsed objects
    final byte[] actualSan = sanExtension.getParsedValue().toASN1Primitive().getEncoded(ASN1Encoding.DER);
    assertThat(actualSan, equalTo(expectedSanGeneralName(alias, withAdditionalSans)));
}

Example 98 with Extension

use of org.gluu.oxtrust.model.scim2.Extension in project jmeter by apache.

the class SMIMEAssertion method getEmailFromCert.

/**
 * Extract email addresses from a certificate
 * <p>
 * Two sources are consulted: EmailAddress attributes of the Subject DN, then rfc822Name
 * entries of the SubjectAlternativeName extension, in that order.
 *
 * @param cert the X509 certificate holder
 * @return a List of all email addresses found; empty when the certificate carries none
 */
private static List<String> getEmailFromCert(X509CertificateHolder cert) {
    List<String> addresses = new ArrayList<>();
    // first source: EmailAddress attributes in the Subject DN
    for (RDN rdn : cert.getSubject().getRDNs(BCStyle.EmailAddress)) {
        for (AttributeTypeAndValue atv : rdn.getTypesAndValues()) {
            if (log.isDebugEnabled()) {
                log.debug("Add email from RDN: {}", IETFUtils.valueToString(atv.getValue()));
            }
            addresses.add(IETFUtils.valueToString(atv.getValue()));
        }
    }
    // second source: rfc822Name entries of the SubjectAlternativeName extension, if present
    Extension sanExtension = cert.getExtension(Extension.subjectAlternativeName);
    if (sanExtension == null) {
        return addresses;
    }
    GeneralNames sans = GeneralNames.getInstance(sanExtension.getParsedValue());
    for (GeneralName generalName : sans.getNames()) {
        if (generalName.getTagNo() != GeneralName.rfc822Name) {
            continue;
        }
        String address = IETFUtils.valueToString(generalName.getName());
        log.debug("Add email from subjectAlternativeName: {}", address);
        addresses.add(address);
    }
    return addresses;
}

Example 99 with Extension

use of org.gluu.oxtrust.model.scim2.Extension in project netty by netty.

the class OcspRequestBuilder method build.

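/**
 * ATTENTION: The returned {@link OCSPReq} is not re-usable/cacheable! It contains a one-time nonce
 * and CA's will (should) reject subsequent requests that have the same nonce value.
 * <p>
 * The nonce is 16 random octets from the configured {@link SecureRandom}, encoded as
 * {@code Nonce ::= OCTET STRING} inside the extension value as RFC 8954 lays out.
 *
 * @return a new OCSP request for {@code certificate}, identified through {@code issuer}
 * @throws OCSPException if the request cannot be assembled
 * @throws IOException if the issuer certificate or the nonce cannot be encoded
 * @throws CertificateEncodingException if the issuer certificate cannot be encoded
 */
public OCSPReq build() throws OCSPException, IOException, CertificateEncodingException {
    // checkNotNull rejects builder fields that were never set
    SecureRandom generator = checkNotNull(this.generator, "generator");
    DigestCalculator calculator = checkNotNull(this.calculator, "calculator");
    X509Certificate certificate = checkNotNull(this.certificate, "certificate");
    X509Certificate issuer = checkNotNull(this.issuer, "issuer");
    BigInteger serial = certificate.getSerialNumber();
    CertificateID certId = new CertificateID(calculator, new X509CertificateHolder(issuer.getEncoded()), serial);
    OCSPReqBuilder builder = new OCSPReqBuilder();
    builder.addRequest(certId);
    // RFC 8954 has clients use a nonce of at least 16 and at most 32 octets; 8 octets left the
    // responder less replay margin than the profile expects
    byte[] nonce = new byte[16];
    generator.nextBytes(nonce);
    // The extension value must hold the DER encoding of Nonce ::= OCTET STRING, i.e. the nonce
    // bytes wrapped in an OCTET STRING, which the byte[] constructor then places in extnValue.
    // Passing the DEROctetString object directly would make the raw bytes the extnValue content.
    byte[] encodedNonce = new DEROctetString(nonce).getEncoded();
    Extension[] extensions = new Extension[] { new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, encodedNonce) };
    builder.setRequestExtensions(new Extensions(extensions));
    return builder.build();
}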

Example 100 with Extension

use of org.gluu.oxtrust.model.scim2.Extension in project open-ecard by ecsec.

the class HostnameVerifier method validInt.

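/**
 * Checks that {@code hostOrIp} is one of the identities the certificate was issued for.
 * <p>
 * Order follows RFC 6125 / RFC 2818: when the SubjectAlternativeName extension carries any
 * dNSName entry, those entries are the identity and the Subject CN is not consulted; the CN is
 * only a fallback for certificates without dNSName SANs. IP address identities are not verified
 * yet and always fail. Certificates without an extensions block (e.g. v1) fall through to the CN.
 *
 * @param cert the certificate presented by the peer
 * @param hostOrIp the host name or IP address that was requested
 * @throws CertificateVerificationException if no identity in the certificate matches the host
 */
private void validInt(Certificate cert, String hostOrIp) throws CertificateVerificationException {
    boolean isIPAddr = IPAddress.isValid(hostOrIp);
    boolean sanHasDnsName = false;
    // evaluate subject alternative name first; it takes precedence over the Subject CN
    Extensions ext = cert.getTBSCertificate().getExtensions();
    // getExtensions() is null when the certificate carries no extensions at all
    Extension subjAltExt = ext == null ? null : ext.getExtension(Extension.subjectAlternativeName);
    if (subjAltExt != null) {
        // extract SubjAltName from Extensions
        GeneralNames gns = GeneralNames.fromExtensions(ext, Extension.subjectAlternativeName);
        for (GeneralName name : gns.getNames()) {
            ASN1Encodable reference = name.getName();
            switch(name.getTagNo()) {
                case GeneralName.dNSName:
                    // a dNSName entry, matching or not, disqualifies the CN fallback
                    sanHasDnsName = true;
                    if (!isIPAddr && checkWildcardName(hostOrIp, reference.toString())) {
                        // stop execution when we found a valid name
                        return;
                    }
                    break;
                case GeneralName.iPAddress:
                    if (isIPAddr) {
                        // TODO: validate IP Addresses
                        LOG.warn("IP Address verification not supported.");
                    }
                    break;
                default:
                    LOG.debug("Unsupported GeneralName ({}) tag in SubjectAlternativeName.", name.getTagNo());
            }
        }
    }
    // check hostname against Subject CN, only for host names and only without dNSName SANs
    if (isIPAddr) {
        LOG.debug("Given name is an IP Address. Validation relies solely on the SubjectAlternativeName.");
    } else if (sanHasDnsName) {
        LOG.debug("SubjectAlternativeName carries dNSName entries. Subject CN is not consulted.");
    } else {
        RDN[] cn = cert.getSubject().getRDNs(BCStrictStyle.CN);
        if (cn.length != 0) {
            // CN is always a string type
            String hostNameReference = cn[0].getFirst().getValue().toString();
            if (checkWildcardName(hostOrIp, hostNameReference)) {
                // stop execution when we found a valid name
                return;
            }
        } else {
            LOG.debug("No CN entry in certificate's Subject.");
        }
    }
    // no identity matched
    String errorMsg = "Hostname in certificate differs from actually requested host.";
    throw new CertificateVerificationException(errorMsg);
}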
