Examples with NSCertTypeExtension org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension used on opensource projects

Example 1 with NSCertTypeExtension

use of org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension in project jss by dogtagpki.

the class ExtPrettyPrint method getCertType.

/**
 * String Representation of NSCertTypeExtension
 */
private String getCertType() {
    StringBuffer sb = new StringBuffer();
    try {
        sb.append(pp.indent(mIndentSize) + mResource.getString(PrettyPrintResources.TOKEN_IDENTIFIER));
        sb.append(mResource.getString(PrettyPrintResources.TOKEN_CERT_TYPE) + "- " + mExt.getExtensionId().toString() + "\n");
        sb.append(pp.indent(mIndentSize + 4) + mResource.getString(PrettyPrintResources.TOKEN_CRITICAL));
        if (mExt.isCritical()) {
            sb.append(mResource.getString(PrettyPrintResources.TOKEN_YES) + "\n");
        } else {
            sb.append(mResource.getString(PrettyPrintResources.TOKEN_NO) + "\n");
        }
        sb.append(pp.indent(mIndentSize + 4) + mResource.getString(PrettyPrintResources.TOKEN_CERT_USAGE) + "\n");
        NSCertTypeExtension type = (NSCertTypeExtension) mExt;
        if (((Boolean) type.get(NSCertTypeExtension.SSL_CLIENT)).booleanValue()) {
            sb.append(pp.indent(mIndentSize + 8) + mResource.getString(NSCertTypeExtension.SSL_CLIENT) + "\n");
        }
        if (((Boolean) type.get(NSCertTypeExtension.SSL_SERVER)).booleanValue()) {
            sb.append(pp.indent(mIndentSize + 8) + mResource.getString(NSCertTypeExtension.SSL_SERVER) + "\n");
        }
        if (((Boolean) type.get(NSCertTypeExtension.EMAIL)).booleanValue()) {
            sb.append(pp.indent(mIndentSize + 8) + mResource.getString(NSCertTypeExtension.EMAIL) + "\n");
        }
        if (((Boolean) type.get(NSCertTypeExtension.OBJECT_SIGNING)).booleanValue()) {
            sb.append(pp.indent(mIndentSize + 8) + mResource.getString(NSCertTypeExtension.OBJECT_SIGNING) + "\n");
        }
        if (((Boolean) type.get(NSCertTypeExtension.SSL_CA)).booleanValue()) {
            sb.append(pp.indent(mIndentSize + 8) + mResource.getString(NSCertTypeExtension.SSL_CA) + "\n");
        }
        if (((Boolean) type.get(NSCertTypeExtension.EMAIL_CA)).booleanValue()) {
            sb.append(pp.indent(mIndentSize + 8) + mResource.getString(NSCertTypeExtension.EMAIL_CA) + "\n");
        }
        if (((Boolean) type.get(NSCertTypeExtension.OBJECT_SIGNING_CA)).booleanValue()) {
            sb.append(pp.indent(mIndentSize + 8) + mResource.getString(NSCertTypeExtension.OBJECT_SIGNING_CA) + "\n");
        }
        return sb.toString();
    } catch (CertificateException e) {
        e.printStackTrace();
        return "";
    }
}

Example 2 with NSCertTypeExtension

use of org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension in project candlepin by candlepin.

the class JSSPKIUtility method buildStandardExtensions.

/**
 * Add boilerplate extensions required by RFC 5280.
 * @param certExtensions a CertificateExtensions object to modify
 * @param keyPair the KeyPair used to create the SubjectKeyIdentifier extension
 * @param providedExtensions A Set of provided extensions that will be added to the certificate.  In some
 * cases (hosted mode) access to the information in those extensions is required for creating the
 * subjectKeyIdentifier.
 *
 * @return a modified version of the certExtensions parameter
 * @throws IOException in case of encoding failures
 */
private CertificateExtensions buildStandardExtensions(CertificateExtensions certExtensions, String dn, KeyPair keyPair, Set<X509ExtensionWrapper> providedExtensions, X509Certificate caCert, String alternateName) throws IOException {
    /* The RFC states that KeyUsage SHOULD be marked as critical.  In previous Candlepin code we were
         * not marking it critical but this constructor will.  I do not believe there should be any
         * compatibility issues, but I am noting it just in case. */
    KeyUsageExtension keyUsage = new KeyUsageExtension();
    keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
    keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
    keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
    certExtensions.add(keyUsage);
    // Not critical by default
    ExtendedKeyUsageExtension extendedKeyUsage = new ExtendedKeyUsageExtension();
    /* JSS doesn't have a constant defined for the "clientAuth" OID so we have to put it in by hand.
         * See https://tools.ietf.org/html/rfc5280#appendix-A specifically id-kp-clientAuth.  This OID
         * denotes that a certificate is meant for client authentication over TLS */
    extendedKeyUsage.addOID(new ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
    certExtensions.add(extendedKeyUsage);
    // Not critical for non-CA certs.  -1 pathLen means it won't be encoded.
    BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(false, -1);
    certExtensions.add(basicConstraints);
    try {
        /* Not critical by default.  I am extremely dubious that we actually need this extension
             * but I'm keeping it because our old cert creation code added it. */
        NSCertTypeExtension netscapeCertType = new NSCertTypeExtension();
        netscapeCertType.set(NSCertTypeExtension.SSL_CLIENT, true);
        netscapeCertType.set(NSCertTypeExtension.EMAIL, true);
        certExtensions.add(netscapeCertType);
    } catch (CertificateException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    try {
        /* The JSS SubjectKeyIdentifierExtension class expects you to give it the unencoded KeyIdentifier.
             * The SubjectKeyIdentifierExtension class, however, returns the encoded KeyIdentifier (an DER
             * octet string).  Therefore, we need to unpack the KeyIdentifier. */
        byte[] encodedSki = subjectKeyWriter.getSubjectKeyIdentifier(keyPair, providedExtensions);
        OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), encodedSki);
        // Required to be non-critical
        SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension(extOctets.toByteArray());
        certExtensions.add(ski);
        // Not critical by default
        AuthorityKeyIdentifierExtension aki = buildAuthorityKeyIdentifier(caCert);
        certExtensions.add(aki);
        // Not critical by default and should *not* be critical since the subject field isn't empty
        if (alternateName != null) {
            SubjectAlternativeNameExtension altNames = new SubjectAlternativeNameExtension();
            GeneralName[] akiName = new GeneralName[2];
            akiName[0] = new GeneralName(new X500Name(dn));
            akiName[1] = new GeneralName(new X500Name("CN=" + alternateName));
            GeneralNames generalNames = new GeneralNames(akiName);
            altNames.setGeneralNames(generalNames);
            certExtensions.add(altNames);
        }
    } catch (InvalidBERException | GeneralNamesException | NoSuchAlgorithmException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    return certExtensions;
}