
Example 6 with AuthorityKeyIdentifierExtension

use of org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension in project jdk8u_jdk by JetBrains.

Class Vertex, method certToString.

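/**
 * Return string representation of this vertex's
 * certificate information.
 *
 * <p>If the certificate cannot be converted to an {@code X509CertImpl}, or
 * its key-identifier extensions cannot be decoded, the problem is reported
 * on the {@code debug} stream (when enabled) and the text built so far is
 * returned instead of propagating an exception.
 *
 * @return String representation of certificate info; empty when the
 *         certificate could not be converted
 */
public String certToString() {
    StringBuilder sb = new StringBuilder();
    X509CertImpl x509Cert;
    try {
        x509Cert = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            ce.printStackTrace();
        }
        return sb.toString();
    }
    sb.append("Issuer:     ").append(x509Cert.getIssuerX500Principal()).append("\n");
    sb.append("Subject:    ").append(x509Cert.getSubjectX500Principal()).append("\n");
    // Serial number is rendered in hex, the usual form in certificate dumps.
    sb.append("SerialNum:  ").append(x509Cert.getSerialNumber().toString(16)).append("\n");
    sb.append("Expires:    ").append(x509Cert.getNotAfter().toString()).append("\n");
    appendUniqueId(sb, "IssuerUID:  ", x509Cert.getIssuerUniqueID());
    appendUniqueId(sb, "SubjectUID: ", x509Cert.getSubjectUniqueID());
    try {
        SubjectKeyIdentifierExtension sKeyID = x509Cert.getSubjectKeyIdentifierExtension();
        if (sKeyID != null) {
            KeyIdentifier keyID = sKeyID.get(SubjectKeyIdentifierExtension.KEY_ID);
            if (keyID != null) {
                sb.append("SubjKeyID:  ").append(keyID.toString());
            }
        }
        AuthorityKeyIdentifierExtension aKeyID = x509Cert.getAuthorityKeyIdentifierExtension();
        if (aKeyID != null) {
            // The keyIdentifier field of an AKI extension is OPTIONAL (RFC 5280
            // 4.2.1.1): an extension carrying only authorityCertIssuer and
            // authorityCertSerialNumber has no key identifier, and a debug dump
            // must not fail with an NPE on such a certificate.
            KeyIdentifier keyID = (KeyIdentifier) aKeyID.get(AuthorityKeyIdentifierExtension.KEY_ID);
            if (keyID != null) {
                sb.append("AuthKeyID:  ").append(keyID.toString());
            }
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            e.printStackTrace();
        }
    }
    return sb.toString();
}

/**
 * Appends {@code label} followed by the given unique identifier as one
 * '0'/'1' character per bit and a trailing newline.  Appends nothing when
 * the identifier is absent ({@code null}).
 *
 * @param sb    destination buffer
 * @param label text written before the bits
 * @param bits  issuer or subject unique identifier, may be {@code null}
 */
private static void appendUniqueId(StringBuilder sb, String label, boolean[] bits) {
    if (bits == null) {
        return;
    }
    sb.append(label);
    for (boolean bit : bits) {
        sb.append(bit ? 1 : 0);
    }
    sb.append("\n");
}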

Example 7 with AuthorityKeyIdentifierExtension

use of org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension in project Bytecoder by mirkosertic.

Class Vertex, method certToString.

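/**
 * Return string representation of this vertex's
 * certificate information.
 *
 * <p>Conversion and decoding failures are not propagated: they are logged
 * on the {@code debug} stream when it is enabled, and whatever text has been
 * assembled so far is returned.
 *
 * @return String representation of certificate info; empty when the
 *         certificate cannot be converted to an {@code X509CertImpl}
 */
public String certToString() {
    StringBuilder sb = new StringBuilder();
    X509CertImpl x509Cert;
    try {
        x509Cert = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            ce.printStackTrace();
        }
        return sb.toString();
    }
    sb.append("Issuer:     ").append(x509Cert.getIssuerX500Principal()).append("\n");
    sb.append("Subject:    ").append(x509Cert.getSubjectX500Principal()).append("\n");
    // Hex serial number, as in most certificate dumps.
    sb.append("SerialNum:  ").append(x509Cert.getSerialNumber().toString(16)).append("\n");
    sb.append("Expires:    ").append(x509Cert.getNotAfter().toString()).append("\n");
    // Unique identifiers are bit strings; print one '0'/'1' per bit.
    boolean[] issuerUid = x509Cert.getIssuerUniqueID();
    if (issuerUid != null) {
        sb.append("IssuerUID:  ");
        for (boolean bit : issuerUid) {
            sb.append(bit ? 1 : 0);
        }
        sb.append("\n");
    }
    boolean[] subjectUid = x509Cert.getSubjectUniqueID();
    if (subjectUid != null) {
        sb.append("SubjectUID: ");
        for (boolean bit : subjectUid) {
            sb.append(bit ? 1 : 0);
        }
        sb.append("\n");
    }
    try {
        SubjectKeyIdentifierExtension skiExt = x509Cert.getSubjectKeyIdentifierExtension();
        if (skiExt != null) {
            KeyIdentifier subjectKeyId = skiExt.get(SubjectKeyIdentifierExtension.KEY_ID);
            if (subjectKeyId != null) {
                sb.append("SubjKeyID:  ").append(subjectKeyId.toString());
            }
        }
        AuthorityKeyIdentifierExtension akiExt = x509Cert.getAuthorityKeyIdentifierExtension();
        if (akiExt != null) {
            // RFC 5280 4.2.1.1 makes keyIdentifier OPTIONAL in the AKI extension;
            // an extension holding only issuer name + serial number yields null
            // here and must not abort the dump with an NPE.
            KeyIdentifier authorityKeyId = (KeyIdentifier) akiExt.get(AuthorityKeyIdentifierExtension.KEY_ID);
            if (authorityKeyId != null) {
                sb.append("AuthKeyID:  ").append(authorityKeyId.toString());
            }
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            e.printStackTrace();
        }
    }
    return sb.toString();
}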

Example 8 with AuthorityKeyIdentifierExtension

use of org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension in project candlepin by candlepin.

Class JSSPKIUtility, method buildAuthorityKeyIdentifier.

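/**
 * Calculate the KeyIdentifier for an RSAPublicKey and place it in an AuthorityKeyIdentifier extension.
 *
 * Java encodes RSA public keys using the SubjectPublicKeyInfo type described in RFC 5280.
 * <pre>
 * SubjectPublicKeyInfo  ::=  SEQUENCE  {
 *   algorithm            AlgorithmIdentifier,
 *   subjectPublicKey     BIT STRING  }
 *
 * AlgorithmIdentifier  ::=  SEQUENCE  {
 *   algorithm               OBJECT IDENTIFIER,
 *   parameters              ANY DEFINED BY algorithm OPTIONAL  }
 * </pre>
 *
 * A KeyIdentifier is a SHA-1 digest of the subjectPublicKey bit string from the ASN.1 above
 * (method (1) of RFC 5280 section 4.2.1.2).  SHA-1 serves here only as a stable identifier
 * of the key, not as a security property, so the digest choice is dictated by the RFC method.
 *
 * @param key the RSAPublicKey to use
 * @return an AuthorityKeyIdentifierExtension based on the key
 * @throws IOException if we can't construct a SHA-1 MessageDigest object, if the key does not
 *         expose an encoded form, or if that encoding cannot be parsed as DER
 */
public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(RSAPublicKey key) throws IOException {
    byte[] encodedKey = key.getEncoded();
    if (encodedKey == null) {
        // Key.getEncoded() returns null for keys that do not support encoding (e.g. some
        // provider-backed keys); report that clearly instead of failing inside the DER parser.
        throw new IOException("Public key does not provide an encoded form");
    }
    MessageDigest d;
    try {
        d = MessageDigest.getInstance("SHA-1");
    } catch (NoSuchAlgorithmException e) {
        throw new IOException("Could not find SHA1 implementation", e);
    }
    DerInputStream s = new DerValue(encodedKey).toDerInputStream();
    // Skip the first item in the sequence, AlgorithmIdentifier.
    // The parameter, startLen, is required for skipSequence although it's unused.
    s.skipSequence(0);
    // Get the key's bit string; the unaligned form keeps the exact bits of subjectPublicKey.
    BitArray b = s.getUnalignedBitString();
    byte[] digest = d.digest(b.toByteArray());
    KeyIdentifier ki = new KeyIdentifier(digest);
    // Only the keyIdentifier choice is populated; issuer name and serial number are left out.
    return new AuthorityKeyIdentifierExtension(ki, null, null);
}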

Example 9 with AuthorityKeyIdentifierExtension

use of org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension in project candlepin by candlepin.

Class JSSPKIUtility, method buildAuthorityKeyIdentifier.

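/**
 * Build an AuthorityKeyIdentifier extension that identifies the given CA certificate, for use on
 * objects (such as a CRL) that the CA signs.
 *
 * The CA's own SubjectKeyIdentifier extension value is reused as the key identifier.  When the
 * certificate carries no such extension, the identifier is derived from the CA's public key.
 *
 * @param caCert the issuing CA certificate
 * @return an AuthorityKeyIdentifierExtension holding only a KeyIdentifier (no issuer name or
 *         serial number)
 * @throws InvalidBERException if the extension value is not a well-formed octet string
 * @throws IOException if the identifier has to be derived from the public key and that fails
 */
public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(X509Certificate caCert) throws InvalidBERException, IOException {
    // The subject key identifier of the CA becomes the Authority Key Identifier of the CRL.
    byte[] extValue = caCert.getExtensionValue(PKIXExtensions.SubjectKey_Id.toString());
    if (extValue == null) {
        /* X509Certificate.getExtensionValue() returns null when the certificate has no
         * SubjectKeyIdentifier extension at all.  Decoding null is not meaningful, so calculate
         * the value ourselves from the certificate's public key instead. */
        return buildAuthorityKeyIdentifier(caCert.getPublicKey());
    }
    /* The getExtensionValue returns us the Extension extnValue element which is an octet string.  For
     * the SubjectKeyIdentifier extension the extnValue only contains a KeyIdentifier.  The actual
     * KeyIdentifier is also an octet string.  The extnValue for the SubjectKeyIdentifier
     * is therefore ultimately an octet string of an octet string.  See Appendix A of RFC 5280. */
    OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extValue);
    OCTET_STRING ski = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extOctets.toByteArray());
    if (ski == null) {
        /* Nothing usable inside the extension: fall back to computing the identifier from the
         * certificate's public key. */
        return buildAuthorityKeyIdentifier(caCert.getPublicKey());
    }
    /* RFC 5280 section 4.2.1.1 is a bit odd.  It states the AuthorityKeyIdentifier MAY contain
     * a KeyIdentifier or the issuer name and CertificateSerialNumber.  The KeyIdentifier is mandatory for
     * non-self-signed certificates, but there is no additional guidance about when or why one should
     * provide the issuer name or CertificateSerialNumber.  I've found at least one place,
     * https://www.v13.gr/blog/?p=293, that explicitly recommends against giving them.  Also,
     * the semantics around the issuer field in this extension can be very confusing
     * (see https://www.openssl.org/docs/faq.html#USER14).  Our old crypto code that used BouncyCastle
     * did include the issuer and serial number along with the key identifier, but I think it's best if
     * we leave it out.
     */
    KeyIdentifier ki = new KeyIdentifier(ski.toByteArray());
    return new AuthorityKeyIdentifierExtension(ki, null, null);
}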

Example 10 with AuthorityKeyIdentifierExtension

use of org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension in project j2objc by google.

Class ForwardBuilder, method getMatchingCACerts.

/**
 * Retrieves all CA certificates which satisfy constraints
 * and requirements specified in the parameters and PKIX state.
 *
 * <p>Candidates are collected in this order: trust anchors from
 * {@code trustedCerts}, then the supplied {@code certStores}, then (for a
 * non-initial state, when {@code Builder.USE_AIA} is set) the locations
 * named in the current certificate's AuthorityInformationAccess
 * extension.  Unless {@code searchAllCertStores} is set, the search stops
 * as soon as one stage has added a matching certificate.
 *
 * <p>The selector used for the match is cached in {@code caTargetSelector}
 * (initial state) or {@code caSelector} (subsequent states) and is
 * reconfigured on every call, so this method is not safe for concurrent
 * use on the same builder.
 *
 * @param currentState the forward-building state whose certificate (or,
 *        in the initial state, the target constraints) the CA must certify
 * @param certStores   stores to search after the trust anchors
 * @param caCerts      collection that receives the matching CA certificates
 * @throws IOException if a selector cannot be configured from the current
 *         certificate's extensions, or if fetching via AIA fails
 */
private void getMatchingCACerts(ForwardState currentState, List<CertStore> certStores, Collection<X509Certificate> caCerts) throws IOException {
    if (debug != null) {
        debug.println("ForwardBuilder.getMatchingCACerts()...");
    }
    // Remembered only so the debug summary at the end can report how many
    // certificates this call contributed.
    int initialSize = caCerts.size();
    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = null;
    if (currentState.isInitial()) {
        if (targetCertConstraints.getBasicConstraints() == -2) {
            // no need to continue: this means we never can match a CA cert
            return;
        }
        /* This means a CA is the target, so match on same stuff as
         * getMatchingEECerts
         */
        if (debug != null) {
            debug.println("ForwardBuilder.getMatchingCACerts(): ca is target");
        }
        if (caTargetSelector == null) {
            // Clone so the caller's constraints object is never mutated below.
            caTargetSelector = (X509CertSelector) targetCertConstraints.clone();
            /*
             * Policy processing optimizations
             */
            if (buildParams.explicitPolicyRequired())
                caTargetSelector.setPolicy(getMatchingPolicies());
        }
        sel = caTargetSelector;
    } else {
        if (caSelector == null) {
            caSelector = new AdaptableX509CertSelector();
            /*
             * Policy processing optimizations
             */
            if (buildParams.explicitPolicyRequired())
                caSelector.setPolicy(getMatchingPolicies());
        }
        /*
         * Match on subject (issuer of previous cert)
         */
        caSelector.setSubject(currentState.issuerDN);
        /*
         * Match on subjectNamesTraversed (both DNs and AltNames)
         * (checks that current cert's name constraints permit it
         * to certify all the DNs and AltNames that have been traversed)
         */
        CertPathHelper.setPathToNames(caSelector, currentState.subjectNamesTraversed);
        /*
         * Facilitate certification path construction with authority
         * key identifier and subject key identifier.  The extension may be
         * absent (null); the selector is expected to handle that.
         */
        AuthorityKeyIdentifierExtension akidext = currentState.cert.getAuthorityKeyIdentifierExtension();
        caSelector.parseAuthorityKeyIdentifierExtension(akidext);
        /*
         * check the validity period
         */
        caSelector.setValidityPeriod(currentState.cert.getNotBefore(), currentState.cert.getNotAfter());
        sel = caSelector;
    }
    /*
     * For compatibility, conservatively, we don't check the path
     * length constraint of trusted anchors.  Please don't set the
     * basic constraints criterion unless the trusted certificate
     * matching is completed.
     */
    sel.setBasicConstraints(-1);
    for (X509Certificate trustedCert : trustedCerts) {
        if (sel.match(trustedCert)) {
            if (debug != null) {
                debug.println("ForwardBuilder.getMatchingCACerts: " + "found matching trust anchor");
            }
            // add() is false when the anchor was already present; only a
            // genuinely new match ends the search early.
            if (caCerts.add(trustedCert) && !searchAllCertStores) {
                return;
            }
        }
    }
    /*
     * The trusted certificate matching is completed. We need to match
     * on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());
    /*
     * Require CA certs with a pathLenConstraint that allows
     * at least as many CA certs that have already been traversed
     */
    sel.setBasicConstraints(currentState.traversedCACerts);
    /*
     * If we have already traversed as many CA certs as the maxPathLength
     * will allow us to, then we don't bother looking through these
     * certificate pairs. If maxPathLength has a value of -1, this
     * means it is unconstrained, so we always look through the
     * certificate pairs.
     */
    if (currentState.isInitial() || (buildParams.maxPathLength() == -1) || (buildParams.maxPathLength() > currentState.traversedCACerts)) {
        if (addMatchingCerts(sel, certStores, caCerts, searchAllCertStores) && !searchAllCertStores) {
            return;
        }
    }
    if (!currentState.isInitial() && Builder.USE_AIA) {
        // check for AuthorityInformationAccess extension; fetching issuer
        // certificates from it is a network operation and is skipped for
        // the initial state, where there is no previous certificate to follow.
        AuthorityInfoAccessExtension aiaExt = currentState.cert.getAuthorityInfoAccessExtension();
        if (aiaExt != null) {
            getCerts(aiaExt, caCerts);
        }
    }
    if (debug != null) {
        int numCerts = caCerts.size() - initialSize;
        debug.println("ForwardBuilder.getMatchingCACerts: found " + numCerts + " CA certs");
    }
}
