Use of org.mozilla.jss.netscape.security.util.ObjectIdentifier in project jss by dogtagpki.
Class OIDMap, method addAttribute.
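/**
 * Register an attribute (extension) implementation in the lookup tables.
 *
 * The registration is recorded in three tables: OID to attribute name,
 * attribute name to OID, and attribute name to implementing class name.
 * A registration is rejected when the OID, the attribute name or the class
 * name is already registered, so an existing binding can never be silently
 * replaced by a different implementation.
 *
 * The lookups and the insertions are separate operations on shared static
 * tables and this method does not synchronise them; unless the caller (or
 * the tables themselves) serialises registrations, two concurrent calls
 * could both pass the checks.
 *
 * @param className the name of the fully qualified class implementing
 * the asn object.
 * @param oid the string representation of the object identifier for
 * the class.
 * @param name the name of the attribute.
 * @exception CertificateException if the OID, the attribute name or the
 * class name is already registered.
 */
public static void addAttribute(String className, String oid, String name) throws CertificateException {
    ObjectIdentifier objId = new ObjectIdentifier(oid);
    if (oid2Name.get(objId) != null) {
        throw new CertificateException("Object identifier already exists.");
    }
    if (name2OID.get(name) != null) {
        throw new CertificateException("Name already exists.");
    }
    // name2Class is keyed by attribute name (see the put below), so looking up
    // className as a key could never find an existing registration and the
    // duplicate-class guard was a no-op. Check the registered class names instead.
    if (name2Class.containsValue(className)) {
        throw new CertificateException("Class already exists.");
    }
    oid2Name.put(objId, name);
    name2OID.put(name, objId);
    name2Class.put(name, className);
}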
Use of org.mozilla.jss.netscape.security.util.ObjectIdentifier in project jss by dogtagpki.
Class CertificatePoliciesExtension, method main.
public static void main(String[] args) {
    /*
     * Builds the CertificatePolicies extension whose DER dump is reproduced
     * below and prints its base64-encoded extension value to stdout.
     *
     * From ASN.1 dump
     *
     * 0 30 133: SEQUENCE {
     * 3 30 45: . SEQUENCE {
     * 5 06 3: . . OBJECT IDENTIFIER '1 2 3 5'
     * 10 30 38: . . SEQUENCE {
     * 12 30 36: . . . SEQUENCE {
     * 14 06 8: . . . . OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1)
     * : . . . . . (PKIX policy qualifier)
     * 24 16 24: . . . . IA5String 'http://home.netscape.com'
     * : . . . . }
     * : . . . }
     * : . . }
     * 50 30 84: . SEQUENCE {
     * 52 06 2: . . OBJECT IDENTIFIER '2 3 5'
     * 56 30 78: . . SEQUENCE {
     * 58 30 36: . . . SEQUENCE {
     * 60 06 8: . . . . OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1)
     * : . . . . . (PKIX policy qualifier)
     * 70 16 24: . . . . IA5String 'http://home.netscape.com'
     * : . . . . }
     * 96 30 38: . . . SEQUENCE {
     * 98 06 8: . . . . OBJECT IDENTIFIER unotice (1 3 6 1 5 5 7 2 2)
     * : . . . . . (PKIX policy qualifier)
     * 108 30 26: . . . . SEQUENCE {
     * 110 30 16: . . . . . SEQUENCE {
     * 112 1E 8: . . . . . . BMPString (1993) '_..o.r.g'
     * 122 02 1: . . . . . . INTEGER 1
     * 125 02 1: . . . . . . INTEGER 2
     * : . . . . . . }
     * 128 1E 6: . . . . . BMPString (1993) '_..d.t'
     * : . . . . . }
     * : . . . . }
     * : . . . }
     * : . . }
     * : . }
     */

    // The CPS qualifier is shared by both policies, exactly as in the dump.
    CPSuri cpsUri = new CPSuri("http://home.netscape.com");
    PolicyQualifierInfo cpsInfo = new PolicyQualifierInfo(PolicyQualifierInfo.QT_CPS, cpsUri);

    // Policy 1.2.3.5: a single CPS qualifier.
    PolicyQualifiers firstQualifiers = new PolicyQualifiers();
    firstQualifiers.add(cpsInfo);
    CertificatePolicyInfo firstPolicy = new CertificatePolicyInfo(
            new CertificatePolicyId(new ObjectIdentifier("1.2.3.5")), firstQualifiers);

    // Policy 2.3.5: the same CPS qualifier followed by a user notice.
    DisplayText organization = new DisplayText(DisplayText.tag_BMPString, "org");
    int[] noticeNumbers = { 1, 2 };
    NoticeReference reference = new NoticeReference(organization, noticeNumbers);
    DisplayText explicitText = new DisplayText(DisplayText.tag_BMPString, "dt");
    UserNotice notice = new UserNotice(reference, explicitText);
    PolicyQualifierInfo noticeInfo = new PolicyQualifierInfo(PolicyQualifierInfo.QT_UNOTICE, notice);
    PolicyQualifiers secondQualifiers = new PolicyQualifiers();
    secondQualifiers.add(cpsInfo);
    secondQualifiers.add(noticeInfo);
    CertificatePolicyInfo secondPolicy = new CertificatePolicyInfo(
            new CertificatePolicyId(new ObjectIdentifier("2.3.5")), secondQualifiers);

    Vector<CertificatePolicyInfo> policies = new Vector<>();
    policies.add(firstPolicy);
    policies.add(secondPolicy);
    try {
        CertificatePoliciesExtension extension = new CertificatePoliciesExtension(policies);
        // BASE64 encode the whole thing and write it to stdout
        System.out.println(Utils.base64encode(extension.getExtensionValue(), true));
    } catch (IOException e) {
        // Demo entry point: report the failure on stdout like the rest of the output.
        System.out.println(e.toString());
    }
}
Use of org.mozilla.jss.netscape.security.util.ObjectIdentifier in project candlepin by candlepin.
Class JSSPKIUtility, method buildStandardExtensions.
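/**
 * Add boilerplate extensions required by RFC 5280.
 *
 * In order, the method adds: KeyUsage (digitalSignature, keyEncipherment,
 * dataEncipherment), ExtendedKeyUsage with id-kp-clientAuth, BasicConstraints
 * with cA=false, the Netscape certificate-type extension (SSL client, e-mail),
 * SubjectKeyIdentifier, AuthorityKeyIdentifier and, only when {@code alternateName}
 * is non-null, a SubjectAlternativeName holding two X500Name-based entries.
 *
 * @param certExtensions a CertificateExtensions object to modify
 * @param dn the subject distinguished name; it is repeated as a name entry in the
 * SubjectAlternativeName extension when one is added
 * @param keyPair the KeyPair used to create the SubjectKeyIdentifier extension
 * @param providedExtensions A Set of provided extensions that will be added to the certificate. In some
 * cases (hosted mode) access to the information in those extensions is required for creating the
 * subjectKeyIdentifier.
 * @param caCert the issuing CA certificate from which the AuthorityKeyIdentifier is derived
 * @param alternateName an extra name published as {@code CN=<alternateName>} in a
 * SubjectAlternativeName extension; when null no SubjectAlternativeName is added
 *
 * @return a modified version of the certExtensions parameter
 * @throws IOException in case of encoding failures, or wrapping any JSS exception raised
 * while building an extension
 */
private CertificateExtensions buildStandardExtensions(CertificateExtensions certExtensions, String dn,
        KeyPair keyPair, Set<X509ExtensionWrapper> providedExtensions, X509Certificate caCert,
        String alternateName) throws IOException {
    /* The RFC states that KeyUsage SHOULD be marked as critical. In previous Candlepin code we were
     * not marking it critical but this constructor will. I do not believe there should be any
     * compatibility issues, but I am noting it just in case. */
    KeyUsageExtension keyUsage = new KeyUsageExtension();
    keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
    keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
    keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
    certExtensions.add(keyUsage);

    // Not critical by default
    ExtendedKeyUsageExtension extendedKeyUsage = new ExtendedKeyUsageExtension();
    /* JSS doesn't have a constant defined for the "clientAuth" OID so we have to put it in by hand.
     * See https://tools.ietf.org/html/rfc5280#appendix-A specifically id-kp-clientAuth. This OID
     * denotes that a certificate is meant for client authentication over TLS */
    extendedKeyUsage.addOID(new ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
    certExtensions.add(extendedKeyUsage);

    // Not critical for non-CA certs. -1 pathLen means it won't be encoded.
    BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(false, -1);
    certExtensions.add(basicConstraints);

    try {
        /* Not critical by default. I am extremely dubious that we actually need this extension
         * but I'm keeping it because our old cert creation code added it. */
        NSCertTypeExtension netscapeCertType = new NSCertTypeExtension();
        netscapeCertType.set(NSCertTypeExtension.SSL_CLIENT, true);
        netscapeCertType.set(NSCertTypeExtension.EMAIL, true);
        certExtensions.add(netscapeCertType);
    } catch (CertificateException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }

    try {
        /* The JSS SubjectKeyIdentifierExtension class expects you to give it the unencoded KeyIdentifier.
         * The SubjectKeyIdentifierExtension class, however, returns the encoded KeyIdentifier (a DER
         * octet string). Therefore, we need to unpack the KeyIdentifier. */
        byte[] encodedSki = subjectKeyWriter.getSubjectKeyIdentifier(keyPair, providedExtensions);
        OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), encodedSki);
        // Required to be non-critical
        SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension(extOctets.toByteArray());
        certExtensions.add(ski);

        // Not critical by default
        AuthorityKeyIdentifierExtension aki = buildAuthorityKeyIdentifier(caCert);
        certExtensions.add(aki);

        // Not critical by default and should *not* be critical since the subject field isn't empty
        if (alternateName != null) {
            SubjectAlternativeNameExtension altNames = new SubjectAlternativeNameExtension();
            /* Both entries are built from X500Name values (the DN form of GeneralName), not dNSName.
             * The alternate name is spliced into a DN string; whether X500Name treats ',', '+', '='
             * or '"' inside alternateName as RDN syntax is not visible here. NOTE(review): confirm a
             * caller-supplied alternateName cannot add RDNs, or build the CN RDN programmatically. */
            GeneralName[] sanNames = new GeneralName[2];
            sanNames[0] = new GeneralName(new X500Name(dn));
            sanNames[1] = new GeneralName(new X500Name("CN=" + alternateName));
            GeneralNames generalNames = new GeneralNames(sanNames);
            altNames.setGeneralNames(generalNames);
            certExtensions.add(altNames);
        }
    } catch (InvalidBERException | GeneralNamesException | NoSuchAlgorithmException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    return certExtensions;
}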
Use of org.mozilla.jss.netscape.security.util.ObjectIdentifier in project jss by dogtagpki.
Class AlgorithmId, method parse.
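/**
 * Parse (unmarshal) an ID from a DER sequence input value. This form
 * parsing might be used when expanding a value which has already been
 * partially unmarshaled as a set or sequence member.
 *
 * The sequence must hold the algorithm OID followed by at most one
 * parameters value; an explicit NULL parameters value is treated the same
 * as absent parameters. Any further content inside the sequence is
 * rejected as a malformed encoding, so two different byte strings cannot
 * decode to the same identifier.
 *
 * @exception IOException on error, including trailing data after the
 * parameters.
 * @param val the input value, which contains the algid and, if
 * there are any parameters, those parameters.
 * @return an ID for the algorithm. If the system is configured
 * appropriately, this may be an instance of a class
 * with some kind of special support for this algorithm.
 * In that case, you may "narrow" the type of the ID.
 */
public static AlgorithmId parse(DerValue val) throws IOException {
    if (val.tag != DerValue.tag_Sequence)
        throw new IOException("algid parse error, not a sequence");
    /*
     * Get the algorithm ID and any parameters.
     */
    DerInputStream in = val.toDerInputStream();
    ObjectIdentifier algid = in.getOID();
    DerValue params = null;
    if (in.available() != 0) {
        params = in.getDerValue();
        // An explicit NULL is the "no parameters" encoding (e.g. RSA).
        if (params.tag == DerValue.tag_Null)
            params = null;
        // AlgorithmIdentifier is SEQUENCE { OID, parameters OPTIONAL }:
        // anything left after the parameters is not a valid encoding.
        if (in.available() != 0)
            throw new IOException("algid parse error, trailing data after parameters");
    }
    /*
     * Figure out what class (if any) knows about this oid's
     * parameters. Make one, and give it the data to decode.
     */
    boolean ecdsa = algid.equals(sha224WithEC_oid) || algid.equals(sha256WithEC_oid)
            || algid.equals(sha384WithEC_oid) || algid.equals(sha512WithEC_oid);
    AlgorithmId alg;
    if (ecdsa) {
        // omit parameter field for ECDSA: RFC 5758 section 3.2 requires the
        // parameters to be absent for ecdsa-with-SHA2, so the identifier is
        // built without them even if the input carried some.
        try {
            alg = new AlgorithmId(algid);
        } catch (Exception e) {
            // The one-argument constructor's declared exception type is not
            // visible here; this broad catch also wraps runtime failures.
            throw new IOException(e);
        }
    } else {
        alg = new AlgorithmId(algid, params);
    }
    // NOTE(review): in the ECDSA case this still calls decodeParams() on an
    // identifier constructed without parameters whenever the input carried
    // some - confirm decodeParams() tolerates that.
    if (params != null)
        alg.decodeParams();
    /*
     * Set the raw params string in case
     * higher level code might want the info
     */
    alg.setParametersString(params != null ? params.toString() : null);
    return alg;
}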
Use of org.mozilla.jss.netscape.security.util.ObjectIdentifier in project jss by dogtagpki.
Class PKCS9Attributes, method decode.
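/**
 * Decode this set of PKCS9 attribute set from the contents of its
 * DER encoding.
 *
 * The value read from the stream is re-tagged as SET OF before it is
 * parsed and before it is returned, so the returned bytes carry the
 * attribute set's own tag even when the stream presented it under a
 * different one (presumably an IMPLICIT context tag, as used for
 * authenticated attributes in a SignerInfo). Every attribute is
 * registered in {@code attributes}; duplicates, and attributes outside
 * {@code permittedAttributes} when that table is set, are rejected.
 * Note that attributes parsed before a rejected one remain registered.
 *
 * @param in
 * the DER input stream positioned at the encoding of the attribute set.
 *
 * @return the DER encoding of the attribute set as consumed from the
 * stream, with the SET OF tag byte.
 *
 * @exception IOException
 * on i/o error, encoding syntax error, unacceptable or
 * unsupported attribute, or duplicate attribute.
 */
private byte[] decode(DerInputStream in) throws IOException {
    DerValue val = in.getDerValue();
    // save the DER encoding with its proper tag byte.
    // NOTE(review): this writes into the array returned by toByteArray();
    // whether that is a private copy or a buffer shared with val is not
    // visible here - confirm before relying on val afterwards.
    byte[] derEncoding = val.toByteArray();
    derEncoding[0] = DerValue.tag_SetOf;
    DerInputStream derIn = new DerInputStream(derEncoding);
    // 3 is presumably a capacity hint; true presumably accepts the implicit tag.
    DerValue[] derVals = derIn.getSet(3, true);
    for (DerValue derVal : derVals) {
        PKCS9Attribute attrib = new PKCS9Attribute(derVal);
        ObjectIdentifier oid = attrib.getOID();
        // Reject repeated attribute types instead of letting the last one win.
        if (attributes.get(oid) != null)
            throw new IOException("Duplicate PKCS9 attribute: " + oid);
        // A null permittedAttributes table means any attribute type is accepted.
        if (permittedAttributes != null && !permittedAttributes.containsKey(oid))
            throw new IOException("Attribute " + oid + " not permitted in this attribute set");
        attributes.put(oid, attrib);
    }
    return derEncoding;
}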