Example 6 with InvalidBERException
use of org.mozilla.jss.asn1.InvalidBERException in project candlepin by candlepin.
the class JSSPKIUtility method buildStandardExtensions.
/**
* Add boilerplate extensions required by RFC 5280.
* @param certExtensions a CertificateExtensions object to modify
* @param keyPair the KeyPair used to create the SubjectKeyIdentifier extension
* @param providedExtensions A Set of provided extensions that will be added to the certificate. In some
* cases (hosted mode) access to the information in those extensions is required for creating the
* subjectKeyIdentifier.
*
* @return a modified version of the certExtensions parameter
* @throws IOException in case of encoding failures
*/
private CertificateExtensions buildStandardExtensions(CertificateExtensions certExtensions, String dn, KeyPair keyPair, Set<X509ExtensionWrapper> providedExtensions, X509Certificate caCert, String alternateName) throws IOException {
/* The RFC states that KeyUsage SHOULD be marked as critical. In previous Candlepin code we were
* not marking it critical but this constructor will. I do not believe there should be any
* compatibility issues, but I am noting it just in case. */
KeyUsageExtension keyUsage = new KeyUsageExtension();
keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
certExtensions.add(keyUsage);
// Not critical by default
ExtendedKeyUsageExtension extendedKeyUsage = new ExtendedKeyUsageExtension();
/* JSS doesn't have a constant defined for the "clientAuth" OID so we have to put it in by hand.
* See https://tools.ietf.org/html/rfc5280#appendix-A specifically id-kp-clientAuth. This OID
* denotes that a certificate is meant for client authentication over TLS */
extendedKeyUsage.addOID(new ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
certExtensions.add(extendedKeyUsage);
// Not critical for non-CA certs. -1 pathLen means it won't be encoded.
BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(false, -1);
certExtensions.add(basicConstraints);
try {
/* Not critical by default. I am extremely dubious that we actually need this extension
* but I'm keeping it because our old cert creation code added it. */
NSCertTypeExtension netscapeCertType = new NSCertTypeExtension();
netscapeCertType.set(NSCertTypeExtension.SSL_CLIENT, true);
netscapeCertType.set(NSCertTypeExtension.EMAIL, true);
certExtensions.add(netscapeCertType);
} catch (CertificateException e) {
throw new IOException("Could not construct certificate extensions", e);
}
try {
/* The JSS SubjectKeyIdentifierExtension class expects you to give it the unencoded KeyIdentifier.
* The SubjectKeyIdentifierExtension class, however, returns the encoded KeyIdentifier (an DER
* octet string). Therefore, we need to unpack the KeyIdentifier. */
byte[] encodedSki = subjectKeyWriter.getSubjectKeyIdentifier(keyPair, providedExtensions);
OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), encodedSki);
// Required to be non-critical
SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension(extOctets.toByteArray());
certExtensions.add(ski);
// Not critical by default
AuthorityKeyIdentifierExtension aki = buildAuthorityKeyIdentifier(caCert);
certExtensions.add(aki);
// Not critical by default and should *not* be critical since the subject field isn't empty
if (alternateName != null) {
SubjectAlternativeNameExtension altNames = new SubjectAlternativeNameExtension();
GeneralName[] akiName = new GeneralName[2];
akiName[0] = new GeneralName(new X500Name(dn));
akiName[1] = new GeneralName(new X500Name("CN=" + alternateName));
GeneralNames generalNames = new GeneralNames(akiName);
altNames.setGeneralNames(generalNames);
certExtensions.add(altNames);
}
} catch (InvalidBERException | GeneralNamesException | NoSuchAlgorithmException e) {
throw new IOException("Could not construct certificate extensions", e);
}
return certExtensions;
}
Also used :
ExtendedKeyUsageExtension(org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension)
NSCertTypeExtension(org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension)
SubjectAlternativeNameExtension(org.mozilla.jss.netscape.security.x509.SubjectAlternativeNameExtension)
CertificateException(java.security.cert.CertificateException)
IOException(java.io.IOException)
X500Name(org.mozilla.jss.netscape.security.x509.X500Name)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
SubjectKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension)
InvalidBERException(org.mozilla.jss.asn1.InvalidBERException)
BasicConstraintsExtension(org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension)
OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING)
GeneralNames(org.mozilla.jss.netscape.security.x509.GeneralNames)
GeneralNamesException(org.mozilla.jss.netscape.security.x509.GeneralNamesException)
AuthorityKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension)
GeneralName(org.mozilla.jss.netscape.security.x509.GeneralName)
KeyUsageExtension(org.mozilla.jss.netscape.security.x509.KeyUsageExtension)
ExtendedKeyUsageExtension(org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension)
ObjectIdentifier(org.mozilla.jss.netscape.security.util.ObjectIdentifier)
Example 7 with InvalidBERException
use of org.mozilla.jss.asn1.InvalidBERException in project candlepin by candlepin.
the class JSSPKIUtility method buildAuthorityKeyIdentifier.
public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(X509Certificate caCert) throws InvalidBERException, IOException {
// The subject key identifier of the CA becomes the Authority Key Identifer of the CRL.
byte[] extValue = caCert.getExtensionValue(PKIXExtensions.SubjectKey_Id.toString());
/* The getExtensionValue returns us the Extension extnValue element which is an octet string. For
* the SubjectKeyIdentifier extension the extnValue only contains a KeyIdentifier. The actual
* KeyIdentifier is also an octet string. The extnValue for the SubjectKeyIdentifier
* is therefore ultimately an octet string of an octet string. See Appendix A of RFC 5280. */
OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extValue);
OCTET_STRING ski = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extOctets.toByteArray());
if (ski == null) {
/* If the SubjectPublicKey extension isn't available, we can calculate the value ourselves
* from the certificate's public key. */
return buildAuthorityKeyIdentifier(caCert.getPublicKey());
}
/* RFC 5280 section 4.2.1.1 is a bit odd. It states the AuthorityKeyIdentifier MAY contain
* a KeyIdentifier or the issuer name and CertificateSerialNumber. The KeyIdentifier is mandatory for
* non-self-signed certificates, but there is no additional guidance about when or why one should
* provide the issuer name or CertificateSerialNumber. I've found at least one place,
* https://www.v13.gr/blog/?p=293, that explicitly recommends against giving them. Also,
* the semantics around the issuer field in this extension can be very confusing
* (see https://www.openssl.org/docs/faq.html#USER14). Our old crypto code that used BouncyCastle
* did include the issuer and serial number along with the key identifier, but I think it's best if
* we leave it out.
*/
KeyIdentifier ki = new KeyIdentifier(ski.toByteArray());
return new AuthorityKeyIdentifierExtension(ki, null, null);
}
Also used :
OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING)
KeyIdentifier(org.mozilla.jss.netscape.security.x509.KeyIdentifier)
AuthorityKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension)
Example 8 with InvalidBERException
use of org.mozilla.jss.asn1.InvalidBERException in project jss by dogtagpki.
the class CRLDistributionPoint method main.
public static void main(String[] args) throws GeneralNamesException, IOException, InvalidBERException {
try (FileOutputStream fos = new FileOutputStream(args[0]);
ByteArrayOutputStream bos = new ByteArrayOutputStream()) {
if (args.length != 1) {
System.out.println("Usage: CRLDistributionPoint <outfile>");
System.exit(-1);
}
SEQUENCE cdps = new SEQUENCE();
// URI only
CRLDistributionPoint cdp = new CRLDistributionPoint();
URIName uri = new URIName("http://www.mycrl.com/go/here");
GeneralNames generalNames = new GeneralNames();
generalNames.addElement(uri);
cdp.setFullName(generalNames);
cdps.addElement(cdp);
// DN only
cdp = new CRLDistributionPoint();
X500Name dn = new X500Name("CN=Otis Smith,E=otis@fedoraproject.org" + ",OU=Certificate Server,O=Fedora,C=US");
generalNames = new GeneralNames();
generalNames.addElement(dn);
cdp.setFullName(generalNames);
cdps.addElement(cdp);
// DN + reason
BitArray ba = new BitArray(5, new byte[] { (byte) 0x28 });
cdp = new CRLDistributionPoint();
cdp.setFullName(generalNames);
cdp.setReasons(ba);
cdps.addElement(cdp);
// relative DN + reason + crlIssuer
cdp = new CRLDistributionPoint();
RDN rdn = new RDN("OU=foobar dept");
cdp.setRelativeName(rdn);
cdp.setReasons(ba);
cdp.setCRLIssuer(generalNames);
cdps.addElement(cdp);
cdps.encode(bos);
byte[] encoded = bos.toByteArray();
fos.write(encoded);
SEQUENCE.OF_Template seqt = new SEQUENCE.OF_Template(getTemplate());
cdps = (SEQUENCE) ASN1Util.decode(seqt, encoded);
int size = cdps.size();
System.out.println("Total number of CDPs: " + size);
for (int i = 0; i < size; i++) {
System.out.println("\nCDP " + i);
cdp = (CRLDistributionPoint) cdps.elementAt(i);
GeneralNames gn = cdp.getFullName();
if (gn == null) {
System.out.println("No full name");
} else {
System.out.println(gn);
}
rdn = cdp.getRelativeName();
if (rdn == null) {
System.out.println("No relative name");
} else {
System.out.println(rdn);
}
if (cdp.getReasons() == null) {
System.out.println("No reasons");
} else {
System.out.println(cdp.getReasons());
}
gn = cdp.getCRLIssuer();
if (gn == null) {
System.out.println("No cRLIssuer");
} else {
System.out.println(gn);
}
}
System.out.println("Done");
}
}
Also used :
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
FileOutputStream(java.io.FileOutputStream)
SEQUENCE(org.mozilla.jss.asn1.SEQUENCE)
BitArray(org.mozilla.jss.netscape.security.util.BitArray)
Example 9 with InvalidBERException
use of org.mozilla.jss.asn1.InvalidBERException in project jss by dogtagpki.
the class CRLDistributionPoint method setCRLIssuer.
/**
* Sets the CRLIssuer for the CRL at this distribution point.
* May be set to <code>null</code>.
*
* @exception GeneralNamesException If an error occurs encoding the name.
*/
public void setCRLIssuer(GeneralNames CRLIssuer) throws GeneralNamesException, IOException {
this.CRLIssuer = CRLIssuer;
if (CRLIssuer != null) {
// encode the name to catch any problems with it
DerOutputStream derOut = new DerOutputStream();
CRLIssuer.encode(derOut);
try {
ANY raw = new ANY(derOut.toByteArray());
ByteArrayOutputStream bos = new ByteArrayOutputStream();
raw.encodeWithAlternateTag(Tag.get(2), bos);
CRLIssuerEncoding = new ANY(bos.toByteArray());
} catch (InvalidBERException e) {
throw new GeneralNamesException(e.toString());
}
}
}
Also used :
InvalidBERException(org.mozilla.jss.asn1.InvalidBERException)
DerOutputStream(org.mozilla.jss.netscape.security.util.DerOutputStream)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
ANY(org.mozilla.jss.asn1.ANY)
Example 10 with InvalidBERException
use of org.mozilla.jss.asn1.InvalidBERException in project jss by dogtagpki.
the class CRLDistributionPoint method encode.
@Override
public void encode(Tag implicitTag, OutputStream ostream) throws IOException {
SEQUENCE seq = new SEQUENCE();
DerOutputStream derOut;
try {
// is a CHOICE, the [0] tag is forced to be EXPLICIT.
if (fullName != null) {
EXPLICIT distPoint = new EXPLICIT(Tag.get(0), fullNameEncoding);
seq.addElement(distPoint);
} else if (relativeName != null) {
derOut = new DerOutputStream();
relativeName.encode(derOut);
ANY rn = new ANY(derOut.toByteArray());
EXPLICIT raw = new EXPLICIT(Tag.get(1), rn);
ByteArrayOutputStream bos = new ByteArrayOutputStream();
raw.encode(bos);
ANY distPointName = new ANY(bos.toByteArray());
EXPLICIT distPoint = new EXPLICIT(Tag.get(0), distPointName);
seq.addElement(distPoint);
}
// Encodes the ReasonFlags.
if (reasons != null) {
derOut = new DerOutputStream();
derOut.putUnalignedBitString(reasons);
ANY raw = new ANY(derOut.toByteArray());
ByteArrayOutputStream bos = new ByteArrayOutputStream();
raw.encodeWithAlternateTag(Tag.get(1), bos);
ANY reasonEncoding = new ANY(bos.toByteArray());
seq.addElement(Tag.get(1), reasonEncoding);
}
// Encodes the CRLIssuer
if (CRLIssuer != null) {
seq.addElement(Tag.get(2), CRLIssuerEncoding);
}
seq.encode(implicitTag, ostream);
} catch (InvalidBERException e) {
// the Sun encoding classes
throw new IOException(e.toString());
}
}
Also used :
InvalidBERException(org.mozilla.jss.asn1.InvalidBERException)
DerOutputStream(org.mozilla.jss.netscape.security.util.DerOutputStream)
SEQUENCE(org.mozilla.jss.asn1.SEQUENCE)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
IOException(java.io.IOException)
ANY(org.mozilla.jss.asn1.ANY)
EXPLICIT(org.mozilla.jss.asn1.EXPLICIT)
Aggregations
InvalidBERException (org.mozilla.jss.asn1.InvalidBERException)11
ANY (org.mozilla.jss.asn1.ANY)8
ByteArrayOutputStream (java.io.ByteArrayOutputStream)6
OCTET_STRING (org.mozilla.jss.asn1.OCTET_STRING)6
SEQUENCE (org.mozilla.jss.asn1.SEQUENCE)6
CryptoToken (org.mozilla.jss.crypto.CryptoToken)6
ASN1Value (org.mozilla.jss.asn1.ASN1Value)5
DerOutputStream (org.mozilla.jss.netscape.security.util.DerOutputStream)5
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)4
EncryptionAlgorithm (org.mozilla.jss.crypto.EncryptionAlgorithm)4
SymmetricKey (org.mozilla.jss.crypto.SymmetricKey)4
IOException (java.io.IOException)3
InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)3
AlgorithmParameterSpec (java.security.spec.AlgorithmParameterSpec)3
OBJECT_IDENTIFIER (org.mozilla.jss.asn1.OBJECT_IDENTIFIER)3
SET (org.mozilla.jss.asn1.SET)3
Cipher (org.mozilla.jss.crypto.Cipher)3
IVParameterSpec (org.mozilla.jss.crypto.IVParameterSpec)3
KeyGenAlgorithm (org.mozilla.jss.crypto.KeyGenAlgorithm)3
KeyGenerator (org.mozilla.jss.crypto.KeyGenerator)3
