Search in sources :

Example 11 with ObjectIdentifier

use of org.mozilla.jss.netscape.security.util.ObjectIdentifier in project jss by dogtagpki.

the class OIDMap method addAttribute.

/**
 * Add a name to lookup table.
 *
 * @param className the name of the fully qualified class implementing
 *            the asn object.
 * @param oid the string representation of the object identifier for
 *            the class.
 * @param name the name of the attribute.
 * @exception CertificateException on errors.
 */
public static void addAttribute(String className, String oid, String name) throws CertificateException {
    ObjectIdentifier objId = new ObjectIdentifier(oid);
    if (oid2Name.get(objId) != null) {
        throw new CertificateException("Object identifier already exists.");
    }
    if (name2OID.get(name) != null) {
        throw new CertificateException("Name already exists.");
    }
    if (name2Class.get(className) != null) {
        throw new CertificateException("Class already exists.");
    }
    oid2Name.put(objId, name);
    name2OID.put(name, objId);
    name2Class.put(name, className);
}
Also used : CertificateException(java.security.cert.CertificateException) ObjectIdentifier(org.mozilla.jss.netscape.security.util.ObjectIdentifier)

Example 12 with ObjectIdentifier

use of org.mozilla.jss.netscape.security.util.ObjectIdentifier in project jss by dogtagpki.

the class CertificatePoliciesExtension method main.

public static void main(String[] args) {
    /**
     * From ASN.1 dump
     *
     * 0 30 133: SEQUENCE {
     * 3 30 45: . SEQUENCE {
     * 5 06 3: . . OBJECT IDENTIFIER '1 2 3 5'
     * 10 30 38: . . SEQUENCE {
     * 12 30 36: . . . SEQUENCE {
     * 14 06 8: . . . . OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1)
     * : . . . . . (PKIX policy qualifier)
     * 24 16 24: . . . . IA5String 'http://home.netscape.com'
     * : . . . . }
     * : . . . }
     * : . . }
     * 50 30 84: . SEQUENCE {
     * 52 06 2: . . OBJECT IDENTIFIER '2 3 5'
     * 56 30 78: . . SEQUENCE {
     * 58 30 36: . . . SEQUENCE {
     * 60 06 8: . . . . OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1)
     * : . . . . . (PKIX policy qualifier)
     * 70 16 24: . . . . IA5String 'http://home.netscape.com'
     * : . . . . }
     * 96 30 38: . . . SEQUENCE {
     * 98 06 8: . . . . OBJECT IDENTIFIER unotice (1 3 6 1 5 5 7 2 2)
     * : . . . . . (PKIX policy qualifier)
     * 108 30 26: . . . . SEQUENCE {
     * 110 30 16: . . . . . SEQUENCE {
     * 112 1E 8: . . . . . . BMPString (1993) '_..o.r.g'
     * 122 02 1: . . . . . . INTEGER 1
     * 125 02 1: . . . . . . INTEGER 2
     * : . . . . . . }
     * 128 1E 6: . . . . . BMPString (1993) '_..d.t'
     * : . . . . . }
     * : . . . . }
     * : . . . }
     * : . . }
     * : . }
     */
    CertificatePolicyId plcyId0 = new CertificatePolicyId(new ObjectIdentifier("1.2.3.5"));
    PolicyQualifiers qualifiers0 = new PolicyQualifiers();
    CPSuri cpsQualifier0 = new CPSuri("http://home.netscape.com");
    PolicyQualifierInfo qualifierInfo0 = new PolicyQualifierInfo(PolicyQualifierInfo.QT_CPS, cpsQualifier0);
    qualifiers0.add(qualifierInfo0);
    CertificatePolicyInfo info0 = new CertificatePolicyInfo(plcyId0, qualifiers0);
    CertificatePolicyId plcyId1 = new CertificatePolicyId(new ObjectIdentifier("2.3.5"));
    PolicyQualifiers qualifiers1 = new PolicyQualifiers();
    DisplayText org1 = new DisplayText(DisplayText.tag_BMPString, "org");
    int[] nums = { 1, 2 };
    NoticeReference nr1 = new NoticeReference(org1, nums);
    DisplayText dt1 = new DisplayText(DisplayText.tag_BMPString, "dt");
    UserNotice userNotice1 = new UserNotice(nr1, dt1);
    PolicyQualifierInfo qualifierInfo1 = new PolicyQualifierInfo(PolicyQualifierInfo.QT_UNOTICE, userNotice1);
    qualifiers1.add(qualifierInfo0);
    qualifiers1.add(qualifierInfo1);
    CertificatePolicyInfo info1 = new CertificatePolicyInfo(plcyId1, qualifiers1);
    Vector<CertificatePolicyInfo> infos = new Vector<>();
    infos.addElement(info0);
    infos.addElement(info1);
    try {
        CertificatePoliciesExtension ext = new CertificatePoliciesExtension(infos);
        // BASE64 encode the whole thing and write it to stdout
        System.out.println(Utils.base64encode(ext.getExtensionValue(), true));
    } catch (IOException e) {
        System.out.println(e.toString());
    }
}
Also used : IOException(java.io.IOException) Vector(java.util.Vector) ObjectIdentifier(org.mozilla.jss.netscape.security.util.ObjectIdentifier)

Example 13 with ObjectIdentifier

use of org.mozilla.jss.netscape.security.util.ObjectIdentifier in project candlepin by candlepin.

the class JSSPKIUtility method buildStandardExtensions.

/**
 * Add boilerplate extensions required by RFC 5280.
 * @param certExtensions a CertificateExtensions object to modify
 * @param keyPair the KeyPair used to create the SubjectKeyIdentifier extension
 * @param providedExtensions A Set of provided extensions that will be added to the certificate.  In some
 * cases (hosted mode) access to the information in those extensions is required for creating the
 * subjectKeyIdentifier.
 *
 * @return a modified version of the certExtensions parameter
 * @throws IOException in case of encoding failures
 */
private CertificateExtensions buildStandardExtensions(CertificateExtensions certExtensions, String dn, KeyPair keyPair, Set<X509ExtensionWrapper> providedExtensions, X509Certificate caCert, String alternateName) throws IOException {
    /* The RFC states that KeyUsage SHOULD be marked as critical.  In previous Candlepin code we were
         * not marking it critical but this constructor will.  I do not believe there should be any
         * compatibility issues, but I am noting it just in case. */
    KeyUsageExtension keyUsage = new KeyUsageExtension();
    keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
    keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
    keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
    certExtensions.add(keyUsage);
    // Not critical by default
    ExtendedKeyUsageExtension extendedKeyUsage = new ExtendedKeyUsageExtension();
    /* JSS doesn't have a constant defined for the "clientAuth" OID so we have to put it in by hand.
         * See https://tools.ietf.org/html/rfc5280#appendix-A specifically id-kp-clientAuth.  This OID
         * denotes that a certificate is meant for client authentication over TLS */
    extendedKeyUsage.addOID(new ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
    certExtensions.add(extendedKeyUsage);
    // Not critical for non-CA certs.  -1 pathLen means it won't be encoded.
    BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(false, -1);
    certExtensions.add(basicConstraints);
    try {
        /* Not critical by default.  I am extremely dubious that we actually need this extension
             * but I'm keeping it because our old cert creation code added it. */
        NSCertTypeExtension netscapeCertType = new NSCertTypeExtension();
        netscapeCertType.set(NSCertTypeExtension.SSL_CLIENT, true);
        netscapeCertType.set(NSCertTypeExtension.EMAIL, true);
        certExtensions.add(netscapeCertType);
    } catch (CertificateException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    try {
        /* The JSS SubjectKeyIdentifierExtension class expects you to give it the unencoded KeyIdentifier.
             * The SubjectKeyIdentifierExtension class, however, returns the encoded KeyIdentifier (an DER
             * octet string).  Therefore, we need to unpack the KeyIdentifier. */
        byte[] encodedSki = subjectKeyWriter.getSubjectKeyIdentifier(keyPair, providedExtensions);
        OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), encodedSki);
        // Required to be non-critical
        SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension(extOctets.toByteArray());
        certExtensions.add(ski);
        // Not critical by default
        AuthorityKeyIdentifierExtension aki = buildAuthorityKeyIdentifier(caCert);
        certExtensions.add(aki);
        // Not critical by default and should *not* be critical since the subject field isn't empty
        if (alternateName != null) {
            SubjectAlternativeNameExtension altNames = new SubjectAlternativeNameExtension();
            GeneralName[] akiName = new GeneralName[2];
            akiName[0] = new GeneralName(new X500Name(dn));
            akiName[1] = new GeneralName(new X500Name("CN=" + alternateName));
            GeneralNames generalNames = new GeneralNames(akiName);
            altNames.setGeneralNames(generalNames);
            certExtensions.add(altNames);
        }
    } catch (InvalidBERException | GeneralNamesException | NoSuchAlgorithmException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    return certExtensions;
}
Also used : ExtendedKeyUsageExtension(org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension) NSCertTypeExtension(org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension) SubjectAlternativeNameExtension(org.mozilla.jss.netscape.security.x509.SubjectAlternativeNameExtension) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) X500Name(org.mozilla.jss.netscape.security.x509.X500Name) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SubjectKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension) InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) BasicConstraintsExtension(org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) GeneralNames(org.mozilla.jss.netscape.security.x509.GeneralNames) GeneralNamesException(org.mozilla.jss.netscape.security.x509.GeneralNamesException) AuthorityKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension) GeneralName(org.mozilla.jss.netscape.security.x509.GeneralName) KeyUsageExtension(org.mozilla.jss.netscape.security.x509.KeyUsageExtension) ExtendedKeyUsageExtension(org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension) ObjectIdentifier(org.mozilla.jss.netscape.security.util.ObjectIdentifier)

Example 14 with ObjectIdentifier

use of org.mozilla.jss.netscape.security.util.ObjectIdentifier in project jss by dogtagpki.

the class AlgorithmId method parse.

/**
 * Parse (unmarshal) an ID from a DER sequence input value. This form
 * parsing might be used when expanding a value which has already been
 * partially unmarshaled as a set or sequence member.
 *
 * @exception IOException on error.
 * @param val the input value, which contains the algid and, if
 *            there are any parameters, those parameters.
 * @return an ID for the algorithm. If the system is configured
 *         appropriately, this may be an instance of a class
 *         with some kind of special support for this algorithm.
 *         In that case, you may "narrow" the type of the ID.
 */
public static AlgorithmId parse(DerValue val) throws IOException {
    if (val.tag != DerValue.tag_Sequence)
        throw new IOException("algid parse error, not a sequence");
    /*
         * Get the algorithm ID and any parameters.
         */
    ObjectIdentifier algid;
    DerValue params;
    DerInputStream in = val.toDerInputStream();
    algid = in.getOID();
    if (in.available() == 0)
        params = null;
    else {
        params = in.getDerValue();
        if (params.tag == DerValue.tag_Null)
            params = null;
    }
    /*
         * Figure out what class (if any) knows about this oid's
         * parameters.  Make one, and give it the data to decode.
         */
    AlgorithmId alg = null;
    // omit parameter field for ECDSA
    if (!algid.equals(sha224WithEC_oid) && !algid.equals(sha256WithEC_oid) && !algid.equals(sha384WithEC_oid) && !algid.equals(sha512WithEC_oid)) {
        alg = new AlgorithmId(algid, params);
    } else {
        try {
            alg = new AlgorithmId(algid);
        } catch (Exception e) {
            throw new IOException(e);
        }
    }
    if (params != null)
        alg.decodeParams();
    /*
         * Set the raw params string in case
         * higher level code might want the info
        */
    String paramStr = null;
    if (params != null) {
        paramStr = params.toString();
    }
    alg.setParametersString(paramStr);
    return alg;
}
Also used : DerValue(org.mozilla.jss.netscape.security.util.DerValue) DerInputStream(org.mozilla.jss.netscape.security.util.DerInputStream) IOException(java.io.IOException) IOException(java.io.IOException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidParameterSpecException(java.security.spec.InvalidParameterSpecException) NoSuchProviderException(java.security.NoSuchProviderException) ObjectIdentifier(org.mozilla.jss.netscape.security.util.ObjectIdentifier)

Example 15 with ObjectIdentifier

use of org.mozilla.jss.netscape.security.util.ObjectIdentifier in project jss by dogtagpki.

the class PKCS9Attributes method decode.

/**
 * Decode this set of PKCS9 attribute set from the contents of its
 * DER encoding.
 *
 * @param buf
 *            the contents of the DER encoding of the attribute set.
 *
 * @exception IOException
 *                on i/o error, encoding syntax error, unacceptable or
 *                unsupported attribute, or duplicate attribute.
 */
private byte[] decode(DerInputStream in) throws IOException {
    DerValue val = in.getDerValue();
    // save the DER encoding with its proper tag byte.
    byte[] derEncoding = val.toByteArray();
    derEncoding[0] = DerValue.tag_SetOf;
    DerInputStream derIn = new DerInputStream(derEncoding);
    DerValue[] derVals = derIn.getSet(3, true);
    PKCS9Attribute attrib;
    ObjectIdentifier oid;
    for (int i = 0; i < derVals.length; i++) {
        attrib = new PKCS9Attribute(derVals[i]);
        oid = attrib.getOID();
        if (attributes.get(oid) != null)
            throw new IOException("Duplicate PKCS9 attribute: " + oid);
        if (permittedAttributes != null && !permittedAttributes.containsKey(oid))
            throw new IOException("Attribute " + oid + " not permitted in this attribute set");
        attributes.put(oid, attrib);
    }
    return derEncoding;
}
Also used : DerValue(org.mozilla.jss.netscape.security.util.DerValue) DerInputStream(org.mozilla.jss.netscape.security.util.DerInputStream) IOException(java.io.IOException) ObjectIdentifier(org.mozilla.jss.netscape.security.util.ObjectIdentifier)

Aggregations

ObjectIdentifier (org.mozilla.jss.netscape.security.util.ObjectIdentifier)27 IOException (java.io.IOException)21 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)8 CertificateException (java.security.cert.CertificateException)8 DerOutputStream (org.mozilla.jss.netscape.security.util.DerOutputStream)8 DerValue (org.mozilla.jss.netscape.security.util.DerValue)8 InvalidKeyException (java.security.InvalidKeyException)7 NoSuchProviderException (java.security.NoSuchProviderException)7 SignatureException (java.security.SignatureException)7 CertificateEncodingException (java.security.cert.CertificateEncodingException)5 CertificateExpiredException (java.security.cert.CertificateExpiredException)5 CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)5 CertificateParsingException (java.security.cert.CertificateParsingException)5 DerInputStream (org.mozilla.jss.netscape.security.util.DerInputStream)5 GeneralName (org.mozilla.jss.netscape.security.x509.GeneralName)3 CRLException (java.security.cert.CRLException)2 CertificateExtensions (org.mozilla.jss.netscape.security.x509.CertificateExtensions)2 ByteArrayOutputStream (java.io.ByteArrayOutputStream)1 CharArrayWriter (java.io.CharArrayWriter)1 File (java.io.File)1