Package org.apache.commons.ssl.asn1

Examples of org.apache.commons.ssl.asn1.DERObject

1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
            DERObjectIdentifier id = DERObjectIdentifier.getInstance(seq.getObjectAt(0));
            if (id.getId().equals(CertTools.KRB5PRINCIPAL_OBJECTID)) {
              // Get the KRB5PrincipalName sequence
                ASN1TaggedObject oobj = (ASN1TaggedObject) seq.getObjectAt(1);
                // After encoding in a cert, it is tagged an extra time...
                DERObject obj = oobj.getObject();
                if (obj instanceof ASN1TaggedObject) {
                  obj = ASN1TaggedObject.getInstance(obj).getObject();
                }
                ASN1Sequence krb5Seq = ASN1Sequence.getInstance(obj);
                // Get the Realm tagged as 0
View Full Code Here
1696
1697
1698
1699
1700
1701
1702
1703
1704
            return getAltnameSequence(altName);
        }
        return null;
    }
    private static ASN1Sequence getAltnameSequence(byte[] value) throws IOException {
        DERObject oct = (new ASN1InputStream(new ByteArrayInputStream(value)).readObject());
        ASN1Sequence seq = ASN1Sequence.getInstance(oct);
        return seq;
    }
View Full Code Here
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
    String altName = null;
    //GeneralNames
    ASN1OctetString octs = ext.getValue();
    if (octs != null) {
      ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets()));
      DERObject obj;
      try {
        obj = aIn.readObject();
        GeneralNames gan = GeneralNames.getInstance(obj);
        GeneralName[] gns = gan.getNames();
        for (int i = 0; i < gns.length; i++) {
View Full Code Here
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
            while (iter.hasNext()) {
                ASN1EncodableVector v = new ASN1EncodableVector();
                v.add(new DERObjectIdentifier(CertTools.UPN_OBJECTID));
                v.add(new DERTaggedObject(true, 0, new DERUTF8String((String)iter.next())));
                //GeneralName gn = new GeneralName(new DERSequence(v), 0);
                DERObject gn = new DERTaggedObject(false, 0, new DERSequence(v));
                vec.add(gn);
            }
        }
       
       
        ArrayList<String> guid =  CertTools.getPartsFromDN(altName, CertTools.GUID);
        if (!guid.isEmpty()) {           
            Iterator<String> iter = guid.iterator();               
            while (iter.hasNext()) {                   
                ASN1EncodableVector v = new ASN1EncodableVector();
                byte[] guidbytes = Hex.decode((String)iter.next());
                if (guidbytes != null) {
                    v.add(new DERObjectIdentifier(CertTools.GUID_OBJECTID));
                    v.add(new DERTaggedObject(true, 0, new DEROctetString(guidbytes)));
                    DERObject gn = new DERTaggedObject(false, 0, new DERSequence(v));
                    vec.add(gn);                   
                } else {
                    log.error("Cannot decode hexadecimal guid: "+guid);
                }
            }
        }
       
        // Krb5PrincipalName is an OtherName, see method getKrb5Principal...for ASN.1 definition
        ArrayList<String> krb5principalname =  CertTools.getPartsFromDN(altName, CertTools.KRB5PRINCIPAL);
        if (!krb5principalname.isEmpty()) {           
            Iterator<String> iter = krb5principalname.iterator();            
            while (iter.hasNext()) {
              // Start by parsing the input string to separate it in different parts
                String principalString = (String)iter.next();
                if (log.isDebugEnabled()) {
                    log.debug("principalString: "+principalString);                 
                }
                // The realm is the last part moving back until an @
                int index = principalString.lastIndexOf('@');
                String realm = "";
                if (index > 0) {
                  realm = principalString.substring(index+1);
                }
                if (log.isDebugEnabled()) {
                    log.debug("realm: "+realm);                 
                }
                // Now we can have several principals separated by /
                ArrayList<String> principalarr = new ArrayList<String>();
                int jndex = 0;
              int bindex = 0;
                while (jndex < index) {
                  // Loop and add all strings separated by /
                    jndex = principalString.indexOf('/', bindex);
                  if (jndex == -1) {
                    jndex = index;
                  }
                  String s = principalString.substring(bindex, jndex);
                  if (log.isDebugEnabled()) {
                    log.debug("adding principal name: "+s);                 
                  }                 
                  principalarr.add(s);
                  bindex = jndex+1;
                }
               
                // Now we must construct the rather complex asn.1...
                ASN1EncodableVector v = new ASN1EncodableVector(); // this is the OtherName
                v.add(new DERObjectIdentifier(CertTools.KRB5PRINCIPAL_OBJECTID));

                // First the Krb5PrincipalName sequence
                ASN1EncodableVector krb5p = new ASN1EncodableVector();
                // The realm is the first tagged GeneralString
                krb5p.add(new DERTaggedObject(true, 0, new DERGeneralString(realm)));
                // Second is the sequence of principal names, which is at tagged position 1 in the krb5p
                ASN1EncodableVector principals = new ASN1EncodableVector();
                // According to rfc4210 the type NT-UNKNOWN is 0, and according to some other rfc this type should be used...
                principals.add(new DERTaggedObject(true, 0, new DERInteger(0)));
                // The names themselves are yet another sequence
                Iterator<String> i = principalarr.iterator();
                ASN1EncodableVector names = new ASN1EncodableVector();
                while (i.hasNext()) {
                    String principalName = (String)i.next();
                    names.add(new DERGeneralString(principalName));
                }
                principals.add(new DERTaggedObject(true, 1, new DERSequence(names)));                 
                krb5p.add(new DERTaggedObject(true, 1, new DERSequence(principals)));
               
                v.add(new DERTaggedObject(true, 0, new DERSequence(krb5p)));
                DERObject gn = new DERTaggedObject(false, 0, new DERSequence(v));
                vec.add(gn);
            }
        }

      // To support custom OIDs in altNames, they must be added as an OtherName of plain type UTF8String
        ArrayList<String> customoids =  CertTools.getCustomOids(altName);
        if (!customoids.isEmpty()) {           
          Iterator<String> iter = customoids.iterator();
          while (iter.hasNext()) {
            String oid = (String)iter.next();
            ArrayList<String> oidval =  CertTools.getPartsFromDN(altName, oid);
            if (!oidval.isEmpty()) {           
              Iterator<String> valiter = oidval.iterator();
              while (valiter.hasNext()) {
                ASN1EncodableVector v = new ASN1EncodableVector();
                v.add(new DERObjectIdentifier(oid));
                v.add(new DERTaggedObject(true, 0, new DERUTF8String((String)valiter.next())));
                DERObject gn = new DERTaggedObject(false, 0, new DERSequence(v));
                vec.add(gn);
              }
            }
          }
        }
View Full Code Here
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
    public static URL getCrlDistributionPoint(Certificate certificate)
      throws CertificateParsingException {
        if (certificate instanceof X509Certificate) {
      X509Certificate x509cert = (X509Certificate) certificate;
          try {
              DERObject obj = getExtensionValue(x509cert, X509Extensions
                                                .CRLDistributionPoints.getId());
              if (obj == null) {
                  return null;
              }
              ASN1Sequence distributionPoints = (ASN1Sequence) obj;
View Full Code Here
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
        throws CertificateParsingException {
      String ret = null;
      if (cert instanceof X509Certificate) {
        X509Certificate x509cert = (X509Certificate) cert;
        try {
          DERObject obj = getExtensionValue(x509cert, X509Extensions.AuthorityInfoAccess.getId());
          if (obj == null) {
            return null;
          }
          AuthorityInformationAccess aia = AuthorityInformationAccess.getInstance(obj);
          AccessDescription[] ad = aia.getAccessDescriptions();
View Full Code Here
153
154
155
156
157
158
159
160
161
162
163
    public void testNovosecRARequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, CertificateEncodingException, SignatureException, IllegalStateException {
      // Check that we can parse a request from  Novosec (patched by EJBCA).
      // Read an initialization request with RAVerifiedPOP and PBE protection to see that we can process it
      ASN1InputStream in = new ASN1InputStream(novosecrapopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be false if we do not allow RA verify POP here, since we don't have any normal POP
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      assertFalse(msg.verify());
View Full Code Here
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
    public void testNovosecClientRequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, CertificateEncodingException, SignatureException, IllegalStateException {
      // Check that we can parse a request from  Novosec (patched by EJBCA).
      // Read an initialization request with a signature POP and signature protection to see that we can process it
      {
        ASN1InputStream in = new ASN1InputStream(novosecsigpopir);
        DERObject derObject = in.readObject();
        PKIMessage req = PKIMessage.getInstance(derObject);
        //log.info(req.toString());
        // Verify should be ok if we do not allow RA verify POP here
        CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
        assertTrue(msg.verify());
        // Since we don't have RA POP we can't test for that...
        assertEquals("CN=AdminCA1,O=EJBCA Sample,C=SE", msg.getIssuerDN());
        assertEquals("CN=abc123rry2942812801980668853,O=PrimeKey Solutions AB,C=SE", msg.getRequestDN());
        assertEquals("abc123rry2942812801980668853", msg.getUsername());
        assertEquals("foo123", msg.getPassword());
        // Verify signature protection
        AlgorithmIdentifier algId = msg.getMessage().getProtectedPart().getHeader().getProtectionAlg();
        String oid = algId.getObjectId().getId();
        assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), oid);
        // Check that this is an old message, created before ECA-2104, using null instead of DERNull as algorithm parameters.
        DEREncodable pp = algId.getParameters();
        assertNull(pp);
        // Try to verify, it should work good even though the small bug in ECA-2104, since we don't use algorithm parameters for RSA-PKCS signatures
        PublicKey pubKey = msg.getRequestPublicKey();
        assertTrue(CmpMessageHelper.verifyCertBasedPKIProtection(msg.getMessage(), pubKey));
        // Verify that our verification routine does not give positive result for any other keys
        KeyPair keys = KeyTools.genKeys("512", "RSA");
        assertFalse(CmpMessageHelper.verifyCertBasedPKIProtection(msg.getMessage(), keys.getPublic()));
      }
      // Re-protect the message, now fixed by ECA-2104
      {
        ASN1InputStream in = new ASN1InputStream(novosecsigpopir);
        DERObject derObject = in.readObject();
        PKIMessage myPKIMessage = PKIMessage.getInstance(derObject);
        KeyPair keys = KeyTools.genKeys("512", "RSA");
        X509Certificate signCert = CertTools.genSelfCert("CN=CMP Sign Test", 3650, null, keys.getPrivate(), keys.getPublic(), "SHA1WithRSA", false);
        // Re-sign the message
        byte[] newmsg = CmpMessageHelper.signPKIMessage(myPKIMessage, signCert, keys.getPrivate(), CMSSignedGenerator.DIGEST_SHA1, "BC");
View Full Code Here
246
247
248
249
250
251
252
253
254
255
256
    public void testBc146RARequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
      // Check that we can parse request from BouncyCastle version 1.46.
      // Read an initialization request with RAVerifiedPOP with PBE protection to see that we can process it
      ASN1InputStream in = new ASN1InputStream(bc146rapopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be false if we do not allow RA verify POP here, since we don't have any normal POP
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      assertFalse(msg.verify());
View Full Code Here
274
275
276
277
278
279
280
281
282
283
284
    public void testBc146ClientRequest() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
      // Check that we can parse request from BouncyCastle version 1.46.     
      // Read an initialization request with a signature POP, and signature protection, to see that we can process it
      ASN1InputStream in = new ASN1InputStream(bc146sigpopir);
      DERObject derObject = in.readObject();
      PKIMessage req = PKIMessage.getInstance(derObject);
      //log.info(req.toString());
      // Verify should be ok if we do not allow RA verify POP here
      CrmfRequestMessage msg = new CrmfRequestMessage(req, "CN=AdminCA1", false, "CN");
      // BC messages in BC1.46 uses POPOSigningKeyInput for POPO, not the 3rd case in RFC4211 section 4.1, like everyone else...
View Full Code Here
TOP

Related Classes of org.apache.commons.ssl.asn1.DERObject

  • br.net.woodstock.rockframework.security.cert.ext.icpbrasil.ICPBrasilHelper
  • br.net.woodstock.rockframework.security.cert.impl.CRLCertificateValidator
  • br.net.woodstock.rockframework.security.cert.impl.CRLCertificateVerifier
  • br.net.woodstock.rockframework.security.sign.impl.BouncyCastlePKCS7Signer
  • br.net.woodstock.rockframework.security.timestamp.impl.BouncyCastleTimeStampClient
  • br.net.woodstock.rockframework.security.util.BouncyCastleProviderHelper
  • com.itextpdf.text.pdf.LtvVerification
  • com.itextpdf.text.pdf.PdfPKCS7
  • com.itextpdf.text.pdf.PdfPublicKeySecurityHandler
  • com.lowagie.text.pdf.PdfPKCS7
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.