use of org.openecard.bouncycastle.asn1.x509.Certificate in project airavata by apache.
the class X509SecurityContext method generateShortLivedCredential.
public KeyAndCertCredential generateShortLivedCredential(String userDN, String caCertPath, String caKeyPath, String caPwd) throws Exception {
// 15 minutes
final long CredentialGoodFromOffset = 1000L * 60L * 15L;
// ago
final long startTime = System.currentTimeMillis() - CredentialGoodFromOffset;
final long endTime = startTime + 30 * 3600 * 1000;
String keyLengthProp = "1024";
int keyLength = Integer.parseInt(keyLengthProp);
String signatureAlgorithm = "SHA1withRSA";
KeyAndCertCredential caCred = getCACredential(caCertPath, caKeyPath, caPwd);
KeyPairGenerator kpg = KeyPairGenerator.getInstance(caCred.getKey().getAlgorithm());
kpg.initialize(keyLength);
KeyPair pair = kpg.generateKeyPair();
X500Principal subjectDN = new X500Principal(userDN);
Random rand = new Random();
SubjectPublicKeyInfo publicKeyInfo;
try {
publicKeyInfo = SubjectPublicKeyInfo.getInstance(new ASN1InputStream(pair.getPublic().getEncoded()).readObject());
} catch (IOException e) {
throw new InvalidKeyException("Can not parse the public key" + "being included in the short lived certificate", e);
}
X500Name issuerX500Name = CertificateHelpers.toX500Name(caCred.getCertificate().getSubjectX500Principal());
X500Name subjectX500Name = CertificateHelpers.toX500Name(subjectDN);
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(issuerX500Name, new BigInteger(20, rand), new Date(startTime), new Date(endTime), subjectX500Name, publicKeyInfo);
AlgorithmIdentifier sigAlgId = X509v3CertificateBuilder.extractAlgorithmId(caCred.getCertificate());
X509Certificate certificate = certBuilder.build(caCred.getKey(), sigAlgId, signatureAlgorithm, null, null);
certificate.checkValidity(new Date());
certificate.verify(caCred.getCertificate().getPublicKey());
KeyAndCertCredential result = new KeyAndCertCredential(pair.getPrivate(), new X509Certificate[] { certificate, caCred.getCertificate() });
return result;
}
use of org.openecard.bouncycastle.asn1.x509.Certificate in project xipki by xipki.
the class OcspCertStoreFromCaDbImporter method importCert0.
// method importCert
private long importCert0(HashAlgo certhashAlgo, PreparedStatement psCert, String certsZipFile, Map<Integer, String> profileMap, boolean revokedOnly, List<Integer> caIds, long minId, File processLogFile, ProcessLog processLog, int numProcessedInLastProcess, ProcessLog importLog) throws Exception {
ZipFile zipFile = new ZipFile(new File(certsZipFile));
ZipEntry certsXmlEntry = zipFile.getEntry("overview.xml");
CertsReader certs;
try {
certs = new CertsReader(zipFile.getInputStream(certsXmlEntry));
} catch (Exception ex) {
try {
zipFile.close();
} catch (Exception ex2) {
LOG.error("could not close ZIP file {}: {}", certsZipFile, ex2.getMessage());
LOG.debug("could not close ZIP file " + certsZipFile, ex2);
}
throw ex;
}
disableAutoCommit();
try {
int numProcessedEntriesInBatch = 0;
int numImportedEntriesInBatch = 0;
long lastSuccessfulCertId = 0;
while (certs.hasNext()) {
if (stopMe.get()) {
throw new InterruptedException("interrupted by the user");
}
CertType cert = (CertType) certs.next();
long id = cert.getId();
lastSuccessfulCertId = id;
if (id < minId) {
continue;
}
numProcessedEntriesInBatch++;
if (!revokedOnly || cert.getRev().booleanValue()) {
int caId = cert.getCaId();
if (caIds.contains(caId)) {
numImportedEntriesInBatch++;
String filename = cert.getFile();
// rawcert
ZipEntry certZipEnty = zipFile.getEntry(filename);
// rawcert
byte[] encodedCert = IoUtil.read(zipFile.getInputStream(certZipEnty));
String certhash = certhashAlgo.base64Hash(encodedCert);
TBSCertificate tbsCert;
try {
Certificate cc = Certificate.getInstance(encodedCert);
tbsCert = cc.getTBSCertificate();
} catch (RuntimeException ex) {
LOG.error("could not parse certificate in file {}", filename);
LOG.debug("could not parse certificate in file " + filename, ex);
throw new CertificateException(ex.getMessage(), ex);
}
String subject = X509Util.cutX500Name(tbsCert.getSubject(), maxX500nameLen);
// cert
try {
int idx = 1;
psCert.setLong(idx++, id);
psCert.setInt(idx++, caId);
psCert.setString(idx++, tbsCert.getSerialNumber().getPositiveValue().toString(16));
psCert.setLong(idx++, cert.getUpdate());
psCert.setLong(idx++, tbsCert.getStartDate().getDate().getTime() / 1000);
psCert.setLong(idx++, tbsCert.getEndDate().getDate().getTime() / 1000);
setBoolean(psCert, idx++, cert.getRev());
setInt(psCert, idx++, cert.getRr());
setLong(psCert, idx++, cert.getRt());
setLong(psCert, idx++, cert.getRit());
int certprofileId = cert.getPid();
String certprofileName = profileMap.get(certprofileId);
psCert.setString(idx++, certprofileName);
psCert.setString(idx++, certhash);
psCert.setString(idx++, subject);
psCert.addBatch();
} catch (SQLException ex) {
throw translate(SQL_ADD_CERT, ex);
}
}
// end if (caIds.contains(caId))
}
// end if (revokedOnly
boolean isLastBlock = !certs.hasNext();
if (numImportedEntriesInBatch > 0 && (numImportedEntriesInBatch % this.numCertsPerCommit == 0 || isLastBlock)) {
if (evaulateOnly) {
psCert.clearBatch();
} else {
try {
psCert.executeBatch();
commit("(commit import cert to OCSP)");
} catch (Throwable th) {
rollback();
deleteCertGreatherThan(lastSuccessfulCertId, LOG);
if (th instanceof SQLException) {
throw translate(SQL_ADD_CERT, (SQLException) th);
} else if (th instanceof Exception) {
throw (Exception) th;
} else {
throw new Exception(th);
}
}
}
lastSuccessfulCertId = id;
processLog.addNumProcessed(numProcessedEntriesInBatch);
importLog.addNumProcessed(numImportedEntriesInBatch);
numProcessedEntriesInBatch = 0;
numImportedEntriesInBatch = 0;
String filename = (numProcessedInLastProcess + processLog.numProcessed()) + ":" + lastSuccessfulCertId;
echoToFile(filename, processLogFile);
processLog.printStatus();
} else if (isLastBlock) {
lastSuccessfulCertId = id;
processLog.addNumProcessed(numProcessedEntriesInBatch);
importLog.addNumProcessed(numImportedEntriesInBatch);
numProcessedEntriesInBatch = 0;
numImportedEntriesInBatch = 0;
String filename = (numProcessedInLastProcess + processLog.numProcessed()) + ":" + lastSuccessfulCertId;
echoToFile(filename, processLogFile);
processLog.printStatus();
}
// if (numImportedEntriesInBatch)
}
return lastSuccessfulCertId;
} finally {
recoverAutoCommit();
zipFile.close();
}
}
use of org.openecard.bouncycastle.asn1.x509.Certificate in project xipki by xipki.
the class CaCertStoreDbImporter method importEntries.
private long importEntries(CaDbEntryType type, String entriesZipFile, long minId, File processLogFile, ProcessLog processLog, int numProcessedInLastProcess, PreparedStatement[] statements, String[] sqls) throws Exception {
final int numEntriesPerCommit = Math.max(1, Math.round(type.getSqlBatchFactor() * numCertsPerCommit));
ZipFile zipFile = new ZipFile(new File(entriesZipFile));
ZipEntry entriesXmlEntry = zipFile.getEntry("overview.xml");
DbiXmlReader entries;
try {
entries = createReader(type, zipFile.getInputStream(entriesXmlEntry));
} catch (Exception ex) {
try {
zipFile.close();
} catch (Exception e2) {
LOG.error("could not close ZIP file {}: {}", entriesZipFile, e2.getMessage());
LOG.debug("could not close ZIP file " + entriesZipFile, e2);
}
throw ex;
}
disableAutoCommit();
try {
int numEntriesInBatch = 0;
long lastSuccessfulEntryId = 0;
while (entries.hasNext()) {
if (stopMe.get()) {
throw new InterruptedException("interrupted by the user");
}
IdentifidDbObjectType entry = (IdentifidDbObjectType) entries.next();
long id = entry.getId();
if (id < minId) {
continue;
}
numEntriesInBatch++;
if (CaDbEntryType.CERT == type) {
CertType cert = (CertType) entry;
int certArt = (cert.getArt() == null) ? 1 : cert.getArt();
String filename = cert.getFile();
// rawcert
ZipEntry certZipEnty = zipFile.getEntry(filename);
// rawcert
byte[] encodedCert = IoUtil.read(zipFile.getInputStream(certZipEnty));
TBSCertificate tbsCert;
try {
Certificate cc = Certificate.getInstance(encodedCert);
tbsCert = cc.getTBSCertificate();
} catch (RuntimeException ex) {
LOG.error("could not parse certificate in file {}", filename);
LOG.debug("could not parse certificate in file " + filename, ex);
throw new CertificateException(ex.getMessage(), ex);
}
byte[] encodedKey = tbsCert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes();
String b64Sha1FpCert = HashAlgo.SHA1.base64Hash(encodedCert);
// cert
String subjectText = X509Util.cutX500Name(tbsCert.getSubject(), maxX500nameLen);
PreparedStatement psCert = statements[0];
PreparedStatement psRawcert = statements[1];
try {
int idx = 1;
psCert.setLong(idx++, id);
psCert.setInt(idx++, certArt);
psCert.setLong(idx++, cert.getUpdate());
psCert.setString(idx++, tbsCert.getSerialNumber().getPositiveValue().toString(16));
psCert.setString(idx++, subjectText);
long fpSubject = X509Util.fpCanonicalizedName(tbsCert.getSubject());
psCert.setLong(idx++, fpSubject);
if (cert.getFpRs() != null) {
psCert.setLong(idx++, cert.getFpRs());
} else {
psCert.setNull(idx++, Types.BIGINT);
}
psCert.setLong(idx++, tbsCert.getStartDate().getDate().getTime() / 1000);
psCert.setLong(idx++, tbsCert.getEndDate().getDate().getTime() / 1000);
setBoolean(psCert, idx++, cert.getRev());
setInt(psCert, idx++, cert.getRr());
setLong(psCert, idx++, cert.getRt());
setLong(psCert, idx++, cert.getRit());
setInt(psCert, idx++, cert.getPid());
setInt(psCert, idx++, cert.getCaId());
setInt(psCert, idx++, cert.getRid());
setInt(psCert, idx++, cert.getUid());
psCert.setLong(idx++, FpIdCalculator.hash(encodedKey));
Extension extension = tbsCert.getExtensions().getExtension(Extension.basicConstraints);
boolean ee = true;
if (extension != null) {
ASN1Encodable asn1 = extension.getParsedValue();
ee = !BasicConstraints.getInstance(asn1).isCA();
}
psCert.setInt(idx++, ee ? 1 : 0);
psCert.setInt(idx++, cert.getReqType());
String tidS = null;
if (cert.getTid() != null) {
tidS = cert.getTid();
}
psCert.setString(idx++, tidS);
psCert.addBatch();
} catch (SQLException ex) {
throw translate(SQL_ADD_CERT, ex);
}
try {
int idx = 1;
psRawcert.setLong(idx++, cert.getId());
psRawcert.setString(idx++, b64Sha1FpCert);
psRawcert.setString(idx++, cert.getRs());
psRawcert.setString(idx++, Base64.encodeToString(encodedCert));
psRawcert.addBatch();
} catch (SQLException ex) {
throw translate(SQL_ADD_CRAW, ex);
}
} else if (CaDbEntryType.CRL == type) {
PreparedStatement psAddCrl = statements[0];
CrlType crl = (CrlType) entry;
String filename = crl.getFile();
// CRL
ZipEntry zipEnty = zipFile.getEntry(filename);
// rawcert
byte[] encodedCrl = IoUtil.read(zipFile.getInputStream(zipEnty));
X509CRL x509crl = null;
try {
x509crl = X509Util.parseCrl(encodedCrl);
} catch (Exception ex) {
LOG.error("could not parse CRL in file {}", filename);
LOG.debug("could not parse CRL in file " + filename, ex);
if (ex instanceof CRLException) {
throw (CRLException) ex;
} else {
throw new CRLException(ex.getMessage(), ex);
}
}
try {
byte[] octetString = x509crl.getExtensionValue(Extension.cRLNumber.getId());
if (octetString == null) {
LOG.warn("CRL without CRL number, ignore it");
continue;
}
byte[] extnValue = DEROctetString.getInstance(octetString).getOctets();
// CHECKSTYLE:SKIP
BigInteger crlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue();
BigInteger baseCrlNumber = null;
octetString = x509crl.getExtensionValue(Extension.deltaCRLIndicator.getId());
if (octetString != null) {
extnValue = DEROctetString.getInstance(octetString).getOctets();
baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue();
}
int idx = 1;
psAddCrl.setLong(idx++, crl.getId());
psAddCrl.setInt(idx++, crl.getCaId());
psAddCrl.setLong(idx++, crlNumber.longValue());
psAddCrl.setLong(idx++, x509crl.getThisUpdate().getTime() / 1000);
if (x509crl.getNextUpdate() != null) {
psAddCrl.setLong(idx++, x509crl.getNextUpdate().getTime() / 1000);
} else {
psAddCrl.setNull(idx++, Types.INTEGER);
}
if (baseCrlNumber == null) {
setBoolean(psAddCrl, idx++, false);
psAddCrl.setNull(idx++, Types.BIGINT);
} else {
setBoolean(psAddCrl, idx++, true);
psAddCrl.setLong(idx++, baseCrlNumber.longValue());
}
String str = Base64.encodeToString(encodedCrl);
psAddCrl.setString(idx++, str);
psAddCrl.addBatch();
} catch (SQLException ex) {
System.err.println("could not import CRL with ID=" + crl.getId() + ", message: " + ex.getMessage());
throw ex;
}
} else if (CaDbEntryType.REQUEST == type) {
PreparedStatement psAddRequest = statements[0];
RequestType request = (RequestType) entry;
String filename = request.getFile();
ZipEntry zipEnty = zipFile.getEntry(filename);
byte[] encodedRequest = IoUtil.read(zipFile.getInputStream(zipEnty));
try {
int idx = 1;
psAddRequest.setLong(idx++, request.getId());
psAddRequest.setLong(idx++, request.getUpdate());
psAddRequest.setString(idx++, Base64.encodeToString(encodedRequest));
psAddRequest.addBatch();
} catch (SQLException ex) {
System.err.println("could not import REQUEST with ID=" + request.getId() + ", message: " + ex.getMessage());
throw ex;
}
} else if (CaDbEntryType.REQCERT == type) {
PreparedStatement psAddReqCert = statements[0];
RequestCertType reqCert = (RequestCertType) entry;
try {
int idx = 1;
psAddReqCert.setLong(idx++, reqCert.getId());
psAddReqCert.setLong(idx++, reqCert.getRid());
psAddReqCert.setLong(idx++, reqCert.getCid());
psAddReqCert.addBatch();
} catch (SQLException ex) {
System.err.println("could not import REQUEST with ID=" + reqCert.getId() + ", message: " + ex.getMessage());
throw ex;
}
} else {
throw new RuntimeException("Unknown CaDbEntryType " + type);
}
boolean isLastBlock = !entries.hasNext();
if (numEntriesInBatch > 0 && (numEntriesInBatch % numEntriesPerCommit == 0 || isLastBlock)) {
if (evaulateOnly) {
for (PreparedStatement m : statements) {
m.clearBatch();
}
} else {
String sql = null;
try {
for (int i = 0; i < sqls.length; i++) {
sql = sqls[i];
statements[i].executeBatch();
}
sql = null;
commit("(commit import to CA)");
} catch (Throwable th) {
rollback();
deleteFromTableWithLargerId(type.getTableName(), "ID", id, LOG);
if (CaDbEntryType.CERT == type) {
deleteFromTableWithLargerId("CRAW", "CID", id, LOG);
}
if (th instanceof SQLException) {
throw translate(sql, (SQLException) th);
} else if (th instanceof Exception) {
throw (Exception) th;
} else {
throw new Exception(th);
}
}
}
lastSuccessfulEntryId = id;
processLog.addNumProcessed(numEntriesInBatch);
numEntriesInBatch = 0;
echoToFile(type + ":" + (numProcessedInLastProcess + processLog.numProcessed()) + ":" + lastSuccessfulEntryId, processLogFile);
processLog.printStatus();
}
}
return lastSuccessfulEntryId;
} finally {
recoverAutoCommit();
zipFile.close();
}
}
use of org.openecard.bouncycastle.asn1.x509.Certificate in project xipki by xipki.
the class OcspCertStoreDbImporter method importIssuer0.
private void importIssuer0(IssuerType issuer, PreparedStatement ps) throws DataAccessException, CertificateException, IOException {
try {
String certFilename = issuer.getCertFile();
String b64Cert = new String(IoUtil.read(new File(baseDir, certFilename)));
byte[] encodedCert = Base64.decode(b64Cert);
Certificate cert;
try {
cert = Certificate.getInstance(encodedCert);
} catch (RuntimeException ex) {
LOG.error("could not parse certificate of issuer {}", issuer.getId());
LOG.debug("could not parse certificate of issuer " + issuer.getId(), ex);
throw new CertificateException(ex.getMessage(), ex);
}
int idx = 1;
ps.setInt(idx++, issuer.getId());
ps.setString(idx++, X509Util.cutX500Name(cert.getSubject(), maxX500nameLen));
ps.setLong(idx++, cert.getTBSCertificate().getStartDate().getDate().getTime() / 1000);
ps.setLong(idx++, cert.getTBSCertificate().getEndDate().getDate().getTime() / 1000);
ps.setString(idx++, sha1(encodedCert));
setBoolean(ps, idx++, issuer.isRevoked());
setInt(ps, idx++, issuer.getRevReason());
setLong(ps, idx++, issuer.getRevTime());
setLong(ps, idx++, issuer.getRevInvTime());
ps.setString(idx++, b64Cert);
ps.execute();
} catch (SQLException ex) {
System.err.println("could not import issuer with id=" + issuer.getId());
throw translate(SQL_ADD_ISSUER, ex);
} catch (CertificateException ex) {
System.err.println("could not import issuer with id=" + issuer.getId());
throw ex;
}
}
use of org.openecard.bouncycastle.asn1.x509.Certificate in project xipki by xipki.
the class OcspStatusCmd method processResponse.
@Override
protected Object processResponse(OCSPResp response, X509Certificate respIssuer, IssuerHash issuerHash, List<BigInteger> serialNumbers, Map<BigInteger, byte[]> encodedCerts) throws Exception {
ParamUtil.requireNonNull("response", response);
ParamUtil.requireNonNull("issuerHash", issuerHash);
ParamUtil.requireNonNull("serialNumbers", serialNumbers);
BasicOCSPResp basicResp = OcspUtils.extractBasicOcspResp(response);
boolean extendedRevoke = basicResp.getExtension(ObjectIdentifiers.id_pkix_ocsp_extendedRevoke) != null;
SingleResp[] singleResponses = basicResp.getResponses();
if (singleResponses == null || singleResponses.length == 0) {
throw new CmdFailure("received no status from server");
}
final int n = singleResponses.length;
if (n != serialNumbers.size()) {
throw new CmdFailure("received status with " + n + " single responses from server, but " + serialNumbers.size() + " were requested");
}
Date[] thisUpdates = new Date[n];
for (int i = 0; i < n; i++) {
thisUpdates[i] = singleResponses[i].getThisUpdate();
}
// check the signature if available
if (null == basicResp.getSignature()) {
println("response is not signed");
} else {
X509CertificateHolder[] responderCerts = basicResp.getCerts();
if (responderCerts == null || responderCerts.length < 1) {
throw new CmdFailure("no responder certificate is contained in the response");
}
ResponderID respId = basicResp.getResponderId().toASN1Primitive();
X500Name respIdByName = respId.getName();
byte[] respIdByKey = respId.getKeyHash();
X509CertificateHolder respSigner = null;
for (X509CertificateHolder cert : responderCerts) {
if (respIdByName != null) {
if (cert.getSubject().equals(respIdByName)) {
respSigner = cert;
}
} else {
byte[] spkiSha1 = HashAlgo.SHA1.hash(cert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes());
if (Arrays.equals(respIdByKey, spkiSha1)) {
respSigner = cert;
}
}
if (respSigner != null) {
break;
}
}
if (respSigner == null) {
throw new CmdFailure("no responder certificate match the ResponderId");
}
boolean validOn = true;
for (Date thisUpdate : thisUpdates) {
validOn = respSigner.isValidOn(thisUpdate);
if (!validOn) {
throw new CmdFailure("responder certificate is not valid on " + thisUpdate);
}
}
if (validOn) {
PublicKey responderPubKey = KeyUtil.generatePublicKey(respSigner.getSubjectPublicKeyInfo());
ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(responderPubKey);
boolean sigValid = basicResp.isSignatureValid(cvp);
if (!sigValid) {
throw new CmdFailure("response is equipped with invalid signature");
}
// verify the OCSPResponse signer
if (respIssuer != null) {
boolean certValid = true;
X509Certificate jceRespSigner = X509Util.toX509Cert(respSigner.toASN1Structure());
if (X509Util.issues(respIssuer, jceRespSigner)) {
try {
jceRespSigner.verify(respIssuer.getPublicKey());
} catch (SignatureException ex) {
certValid = false;
}
}
if (!certValid) {
throw new CmdFailure("response is equipped with valid signature but the" + " OCSP signer is not trusted");
}
} else {
println("response is equipped with valid signature");
}
// end if(respIssuer)
}
if (verbose.booleanValue()) {
println("responder is " + X509Util.getRfc4519Name(responderCerts[0].getSubject()));
}
}
for (int i = 0; i < n; i++) {
if (n > 1) {
println("---------------------------- " + i + "----------------------------");
}
SingleResp singleResp = singleResponses[i];
CertificateStatus singleCertStatus = singleResp.getCertStatus();
String status;
if (singleCertStatus == null) {
status = "good";
} else if (singleCertStatus instanceof RevokedStatus) {
RevokedStatus revStatus = (RevokedStatus) singleCertStatus;
Date revTime = revStatus.getRevocationTime();
Date invTime = null;
Extension ext = singleResp.getExtension(Extension.invalidityDate);
if (ext != null) {
invTime = ASN1GeneralizedTime.getInstance(ext.getParsedValue()).getDate();
}
if (revStatus.hasRevocationReason()) {
int reason = revStatus.getRevocationReason();
if (extendedRevoke && reason == CrlReason.CERTIFICATE_HOLD.getCode() && revTime.getTime() == 0) {
status = "unknown (RFC6960)";
} else {
status = StringUtil.concatObjects("revoked, reason = ", CrlReason.forReasonCode(reason).getDescription(), ", revocationTime = ", revTime, (invTime == null ? "" : ", invalidityTime = " + invTime));
}
} else {
status = "revoked, no reason, revocationTime = " + revTime;
}
} else if (singleCertStatus instanceof UnknownStatus) {
status = "unknown (RFC2560)";
} else {
status = "ERROR";
}
StringBuilder msg = new StringBuilder();
CertificateID certId = singleResp.getCertID();
HashAlgo hashAlgo = HashAlgo.getNonNullInstance(certId.getHashAlgOID());
boolean issuerMatch = issuerHash.match(hashAlgo, certId.getIssuerNameHash(), certId.getIssuerKeyHash());
BigInteger serialNumber = certId.getSerialNumber();
msg.append("issuer matched: ").append(issuerMatch);
msg.append("\nserialNumber: ").append(LogUtil.formatCsn(serialNumber));
msg.append("\nCertificate status: ").append(status);
if (verbose.booleanValue()) {
msg.append("\nthisUpdate: ").append(singleResp.getThisUpdate());
msg.append("\nnextUpdate: ").append(singleResp.getNextUpdate());
Extension extension = singleResp.getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash);
if (extension != null) {
msg.append("\nCertHash is provided:\n");
ASN1Encodable extensionValue = extension.getParsedValue();
CertHash certHash = CertHash.getInstance(extensionValue);
ASN1ObjectIdentifier hashAlgOid = certHash.getHashAlgorithm().getAlgorithm();
byte[] hashValue = certHash.getCertificateHash();
msg.append("\tHash algo : ").append(hashAlgOid.getId()).append("\n");
msg.append("\tHash value: ").append(Hex.encode(hashValue)).append("\n");
if (encodedCerts != null) {
byte[] encodedCert = encodedCerts.get(serialNumber);
MessageDigest md = MessageDigest.getInstance(hashAlgOid.getId());
byte[] expectedHashValue = md.digest(encodedCert);
if (Arrays.equals(expectedHashValue, hashValue)) {
msg.append("\tThis matches the requested certificate");
} else {
msg.append("\tThis differs from the requested certificate");
}
}
}
// end if (extension != null)
extension = singleResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_archive_cutoff);
if (extension != null) {
ASN1Encodable extensionValue = extension.getParsedValue();
ASN1GeneralizedTime time = ASN1GeneralizedTime.getInstance(extensionValue);
msg.append("\nArchive-CutOff: ");
msg.append(time.getTimeString());
}
AlgorithmIdentifier sigAlg = basicResp.getSignatureAlgorithmID();
if (sigAlg == null) {
msg.append(("\nresponse is not signed"));
} else {
String sigAlgName = AlgorithmUtil.getSignatureAlgoName(sigAlg);
if (sigAlgName == null) {
sigAlgName = "unknown";
}
msg.append("\nresponse is signed with ").append(sigAlgName);
}
// extensions
msg.append("\nExtensions: ");
List<?> extensionOids = basicResp.getExtensionOIDs();
if (extensionOids == null || extensionOids.size() == 0) {
msg.append("-");
} else {
int size = extensionOids.size();
for (int j = 0; j < size; j++) {
ASN1ObjectIdentifier extensionOid = (ASN1ObjectIdentifier) extensionOids.get(j);
String name = EXTENSION_OIDNAME_MAP.get(extensionOid);
if (name == null) {
msg.append(extensionOid.getId());
} else {
msg.append(name);
}
if (j != size - 1) {
msg.append(", ");
}
}
}
}
// end if (verbose.booleanValue())
println(msg.toString());
}
// end for
println("");
return null;
}
Aggregations